diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 4dec4b62bbe..fb2be810c8d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -174,6 +174,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add Filebeat envoyproxy module. {pull}11700[11700]
 - Add apache2(httpd) log path (`/var/log/httpd`) to make apache2 module work out of the box on Redhat-family OSes. {issue}11887[11887] {pull}11888[11888]
 - Add support to new MongoDB additional diagnostic information {pull}11952[11952]
+- New module `palo_alto` for Palo Alto Networks PAN-OS logs. {pull}11999[11999]
 
 *Heartbeat*
 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 7638265ce1a..aa071c72395 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -40,6 +40,7 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -11822,6 +11823,247 @@ Unix timestamp of the event, in seconds since the epoch. Used for computing the String representation of the collection time, as formatted by osquery. +-- + +[[exported-fields-palo_alto]] +== palo_alto fields + +Module for Palo Alto Networks (PAN-OS) + + + +[float] +== palo_alto fields + +Fields from the palo_alto logs. + + + +[float] +== pan_os fields + +Fields for the Palo Alto Networks PAN-OS logs. + + + +*`palo_alto.pan_os.ruleset`*:: ++ +-- +type: keyword + +Name of the rule that matched this session. + + +-- + +[float] +== source fields + +Fields to extend the top-level source object. + + + +*`palo_alto.pan_os.source.zone`*:: ++ +-- +type: keyword + +Source zone for this session. + + +-- + +*`palo_alto.pan_os.source.interface`*:: ++ +-- +type: keyword + +Source interface for this session. + + +-- + +[float] +== nat fields + +Post-NAT source address, if source NAT is performed. + + + +*`palo_alto.pan_os.source.nat.ip`*:: ++ +-- +type: ip + +Post-NAT source IP. + + +-- + +*`palo_alto.pan_os.source.nat.port`*:: ++ +-- +type: long + +Post-NAT source port. + + +-- + +[float] +== destination fields + +Fields to extend the top-level destination object. + + + +*`palo_alto.pan_os.destination.zone`*:: ++ +-- +type: keyword + +Destination zone for this session. + + +-- + +*`palo_alto.pan_os.destination.interface`*:: ++ +-- +type: keyword + +Destination interface for this session. + + +-- + +[float] +== nat fields + +Post-NAT destination address, if destination NAT is performed. + + + +*`palo_alto.pan_os.destination.nat.ip`*:: ++ +-- +type: ip + +Post-NAT destination IP. + + +-- + +*`palo_alto.pan_os.destination.nat.port`*:: ++ +-- +type: long + +Post-NAT destination port. + + +-- + +[float] +== network fields + +Fields to extend the top-level network object. + + + +*`palo_alto.pan_os.network.pcap_id`*:: ++ +-- +type: keyword + +Packet capture ID for a threat. 
+ + +-- + + +*`palo_alto.pan_os.network.nat.community_id`*:: ++ +-- +type: keyword + +Community ID flow-hash for the NAT 5-tuple. + + +-- + +[float] +== file fields + +Fields to extend the top-level file object. + + + +*`palo_alto.pan_os.file.hash`*:: ++ +-- +type: keyword + +Binary hash for a threat file sent to be analyzed by the WildFire service. + + +-- + +[float] +== url fields + +Fields to extend the top-level url object. + + + +*`palo_alto.pan_os.url.category`*:: ++ +-- +type: keyword + +For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. + + +-- + +*`palo_alto.pan_os.flow_id`*:: ++ +-- +type: keyword + +Internal numeric identifier for each session. + + +-- + +*`palo_alto.pan_os.sequence_number`*:: ++ +-- +type: long + +Log entry identifier that is incremented sequentially. Unique for each log type. + + +-- + +*`palo_alto.pan_os.threat_file_or_url`*:: ++ +-- +type: keyword + +URL or file name for a threat. + + +-- + +*`palo_alto.pan_os.threat_id`*:: ++ +-- +type: keyword + +Palo Alto Networks identifier for the threat. + + -- [[exported-fields-postgresql]] diff --git a/filebeat/docs/modules/palo_alto.asciidoc b/filebeat/docs/modules/palo_alto.asciidoc new file mode 100644 index 00000000000..9c0a1fc9c03 --- /dev/null +++ b/filebeat/docs/modules/palo_alto.asciidoc 
@@ -0,0 +1,188 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-palo_alto]] +[role="xpack"] + +:modulename: palo_alto +:has-dashboards: true + +== Palo Alto Networks module + +This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received +over Syslog or read from a file. It currently supports messages of Traffic and +Threat types. + +[float] +=== Compatibility + +This module has been tested with logs generated by devices running PAN-OS +versions 7.1 to 9.0 but limited compatibility is expected for earlier versions. + +The {plugins}/ingest-geoip.html[ingest-geoip] +Elasticsearch plugin is required to run this module. + +include::../include/running-modules.asciidoc[] + +[float] +=== ECS field mappings + +These are the PAN-OS to ECS field mappings as well as those fields still not +in ECS that are added under the `palo_alto` prefix: + +.Traffic log mappings +[options="header"] +|============== +| PAN-OS Field | ECS Field | Non-standard field +| Receive Time | event.created | +| Serial Number | observer.serial_number | +| Type | event.category | +| Subtype | event.action | +| Generated Time | `@timestamp` | +| Source IP | client.ip source.ip | +| Destination IP | server.ip destination.ip | +| NAT Source IP | | palo_alto.source.nat.ip +| NAT Destination IP | | palo_alto.destination.nat.ip +| Rule Name | | palo_alto.ruleset +| Source User | client.user.name source.user.name | +| Destination User | server.user.name destination.user.name | +| Application | network.application | +| Source Zone | | palo_alto.source.zone +| Destination Zone | | palo_alto.destination.zone +| Ingress Interface | | palo_alto.source.interface +| Egress Interface | | palo_alto.destination.interface +| Session ID | | palo_alto.flow_id +| Source Port | client.port source.port | +| Destination Port | destination.port server.port | +| NAT Source Port | | palo_alto.source.nat.port +| NAT Destination Port | | palo_alto.destination.nat.port +| 
Flags | labels | +| Protocol | network.transport | +| Action | event.outcome | +| Bytes | network.bytes | +| Bytes Sent | client.bytes destination.bytes | +| Bytes Received | server.bytes source.bytes | +| Packets | network.packets | +| Start Time | event.start | +| Elapsed Time | event.duration | +| Category | | palo_alto.url.category +| Sequence Number | | palo_alto.sequence_number +| Packets Sent | server.packets destination.packets | +| Packets Received | client.packets source.packets | +| Device Name | observer.hostname | +|============== + +.Threat logs mappings +[options="header"] +|============== +| PAN-OS Field | ECS Field | Non-standard field +| Receive Time | event.created | +| Serial Number | observer.serial_number | +| Type | event.category | +| Subtype | event.action | +| Generated Time | `@timestamp` | +| Source IP | client.ip source.ip | +| Destination IP | server.ip destination.ip | +| NAT Source IP | | palo_alto.source.nat.ip +| NAT Destination IP | | palo_alto.destination.nat.ip +| Rule Name | | palo_alto.ruleset +| Source User | client.user.name source.user.name | +| Destination User | server.user.name destination.user.name | +| Application | network.application | +| Source Zone | | palo_alto.source.zone +| Destination Zone | | palo_alto.destination.zone +| Ingress Interface | | palo_alto.source.interface +| Egress Interface | | palo_alto.destination.interface +| Session ID | | palo_alto.flow_id +| Source Port | client.port source.port | +| Destination Port | destination.port server.port | +| NAT Source Port | | palo_alto.source.nat.port +| NAT Destination Port | | palo_alto.destination.nat.port +| Flags | labels | +| Protocol | network.transport | +| Action | event.outcome | +| Miscellaneous | url.original | palo_alto.threat_file_or_url +| Threat ID | | palo_alto.threat_id +| Category | | palo_alto.url.category +| Severity | log.level | +| Direction | network.direction | +| Source Location | source.geo.country_iso_code | +| Destination Location 
| destination.geo.country_iso_code | +| PCAP_id | | palo_alto.network.pcap_id +| Filedigest | | palo_alto.file.hash +| User Agent | user_agent.original | +| File Type | file.type | +| X-Forwarded-For | network.forwarded_ip | +| Referer | http.request.referer | +| Sender | source.user.email | +| Subject | | palo_alto.subject +| Recipient | destination.user.email | +| Device Name | observer.hostname | +|============== + +// [float] +// === Example dashboard +// +// This module comes with a sample dashboard: +// +// (TODO) +// [role="screenshot"] +// image::./images/kibana-cisco-asa.png[] + +include::../include/configuring-intro.asciidoc[] + +The module is by default configured to run via syslog on port 9001. However +it can also be configured to read logs from a file. See the following example. + +["source","yaml",subs="attributes"] +----- +- module: palo_alto + pan_os: + enabled: true + var.paths: ["/var/log/pan-os.log"] + var.input: "file" +----- + +:fileset_ex: pan_os + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `pan_os` fileset settings + +Example config: + +[source,yaml] +---- + pan_os: + var.syslog_host: 0.0.0.0 + var.syslog_port: 514 +---- + +include::../include/var-paths.asciidoc[] + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to `9001` + +NOTE: Ports below 1024 require {beatname_uc} to run as root. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 7fce59f6641..470f06d5a2b 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc 
@@ -22,6 +22,7 @@ This file is generated! See scripts/docs_collector.py
 * <>
 * <>
 * <>
+ * <>
 * <>
 * <>
 * <>
@@ -53,6 +54,7 @@ include::modules/nats.asciidoc[]
 include::modules/netflow.asciidoc[]
 include::modules/nginx.asciidoc[]
 include::modules/osquery.asciidoc[]
+include::modules/palo_alto.asciidoc[]
 include::modules/postgresql.asciidoc[]
 include::modules/redis.asciidoc[]
 include::modules/santa.asciidoc[]
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index e5eb54cac2f..05b7cee914e 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -403,6 +403,18 @@ filebeat.modules:
 # of the document. The default is true.
 #var.use_namespace: true
 
+#------------------------------ Palo_alto Module ------------------------------
+- module: palo_alto
+ pan_os:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input:
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
+
 #------------------------------ PostgreSQL Module ------------------------------
 #- module: postgresql
 # Logs
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
index be8a433b9e3..3eac6f89214 100644
--- a/x-pack/filebeat/include/list.go
+++ b/x-pack/filebeat/include/list.go
@@ -14,6 +14,7 @@ import (
 _ "github.com/elastic/beats/x-pack/filebeat/module/envoyproxy"
 _ "github.com/elastic/beats/x-pack/filebeat/module/iptables"
 _ "github.com/elastic/beats/x-pack/filebeat/module/netflow"
+ _ "github.com/elastic/beats/x-pack/filebeat/module/palo_alto"
 _ "github.com/elastic/beats/x-pack/filebeat/module/suricata"
 _ "github.com/elastic/beats/x-pack/filebeat/module/zeek"
 )
diff --git a/x-pack/filebeat/module/palo_alto/README.md b/x-pack/filebeat/module/palo_alto/README.md
new file mode 100644
index 00000000000..2c391053826
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/README.md
@@ -0,0 +1,6 @@
+# Palo Alto module
+
+## Caveats
+
+* Module is to be considered _beta_.
+
diff --git a/x-pack/filebeat/module/palo_alto/_meta/config.yml b/x-pack/filebeat/module/palo_alto/_meta/config.yml
new file mode 100644
index 00000000000..e507060d2f0
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/_meta/config.yml
@@ -0,0 +1,10 @@
+- module: palo_alto
+ pan_os:
+ enabled: true
+
+ # Set which input to use between syslog (default) or file.
+ #var.input:
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc b/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc
new file mode 100644
index 00000000000..cbcc0098872
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/_meta/docs.asciidoc
@@ -0,0 +1,175 @@ +[role="xpack"] + +:modulename: palo_alto +:has-dashboards: true + +== Palo Alto Networks module + +This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received +over Syslog or read from a file. It currently supports messages of Traffic and +Threat types. + +[float] +=== Compatibility + +This module has been tested with logs generated by devices running PAN-OS +versions 7.1 to 9.0 but limited compatibility is expected for earlier versions. + +The {plugins}/ingest-geoip.html[ingest-geoip] +Elasticsearch plugin is required to run this module. + +include::../include/running-modules.asciidoc[] + +[float] +=== ECS field mappings + +These are the PAN-OS to ECS field mappings as well as those fields still not +in ECS that are added under the `palo_alto` prefix: + +.Traffic log mappings +[options="header"] +|============== +| PAN-OS Field | ECS Field | Non-standard field +| Receive Time | event.created | +| Serial Number | observer.serial_number | +| Type | event.category | +| Subtype | event.action | +| Generated Time | `@timestamp` | +| Source IP | client.ip source.ip | +| Destination IP | server.ip destination.ip | +| NAT Source IP | | palo_alto.source.nat.ip +| NAT Destination IP | | palo_alto.destination.nat.ip +| Rule Name | | palo_alto.ruleset +| Source User | client.user.name source.user.name | +| Destination User | server.user.name destination.user.name | +| Application | network.application | +| Source Zone | | palo_alto.source.zone +| Destination Zone | | palo_alto.destination.zone +| Ingress Interface | | palo_alto.source.interface +| Egress Interface | | palo_alto.destination.interface +| Session ID | | palo_alto.flow_id +| Source Port | client.port source.port | +| Destination Port | destination.port server.port | +| NAT Source Port | | palo_alto.source.nat.port +| NAT Destination Port | | palo_alto.destination.nat.port +| Flags | labels | +| Protocol | network.transport | +| Action | event.outcome | +| Bytes | 
network.bytes | +| Bytes Sent | client.bytes destination.bytes | +| Bytes Received | server.bytes source.bytes | +| Packets | network.packets | +| Start Time | event.start | +| Elapsed Time | event.duration | +| Category | | palo_alto.url.category +| Sequence Number | | palo_alto.sequence_number +| Packets Sent | server.packets destination.packets | +| Packets Received | client.packets source.packets | +| Device Name | observer.hostname | +|============== + +.Threat logs mappings +[options="header"] +|============== +| PAN-OS Field | ECS Field | Non-standard field +| Receive Time | event.created | +| Serial Number | observer.serial_number | +| Type | event.category | +| Subtype | event.action | +| Generated Time | `@timestamp` | +| Source IP | client.ip source.ip | +| Destination IP | server.ip destination.ip | +| NAT Source IP | | palo_alto.source.nat.ip +| NAT Destination IP | | palo_alto.destination.nat.ip +| Rule Name | | palo_alto.ruleset +| Source User | client.user.name source.user.name | +| Destination User | server.user.name destination.user.name | +| Application | network.application | +| Source Zone | | palo_alto.source.zone +| Destination Zone | | palo_alto.destination.zone +| Ingress Interface | | palo_alto.source.interface +| Egress Interface | | palo_alto.destination.interface +| Session ID | | palo_alto.flow_id +| Source Port | client.port source.port | +| Destination Port | destination.port server.port | +| NAT Source Port | | palo_alto.source.nat.port +| NAT Destination Port | | palo_alto.destination.nat.port +| Flags | labels | +| Protocol | network.transport | +| Action | event.outcome | +| Miscellaneous | url.original | palo_alto.threat_file_or_url +| Threat ID | | palo_alto.threat_id +| Category | | palo_alto.url.category +| Severity | log.level | +| Direction | network.direction | +| Source Location | source.geo.country_iso_code | +| Destination Location | destination.geo.country_iso_code | +| PCAP_id | | palo_alto.network.pcap_id +| 
Filedigest | | palo_alto.file.hash +| User Agent | user_agent.original | +| File Type | file.type | +| X-Forwarded-For | network.forwarded_ip | +| Referer | http.request.referer | +| Sender | source.user.email | +| Subject | | palo_alto.subject +| Recipient | destination.user.email | +| Device Name | observer.hostname | +|============== + +// [float] +// === Example dashboard +// +// This module comes with a sample dashboard: +// +// (TODO) +// [role="screenshot"] +// image::./images/kibana-cisco-asa.png[] + +include::../include/configuring-intro.asciidoc[] + +The module is by default configured to run via syslog on port 9001. However +it can also be configured to read logs from a file. See the following example. + +["source","yaml",subs="attributes"] +----- +- module: palo_alto + pan_os: + enabled: true + var.paths: ["/var/log/pan-os.log"] + var.input: "file" +----- + +:fileset_ex: pan_os + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `pan_os` fileset settings + +Example config: + +[source,yaml] +---- + pan_os: + var.syslog_host: 0.0.0.0 + var.syslog_port: 514 +---- + +include::../include/var-paths.asciidoc[] + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to `9001` + +NOTE: Ports below 1024 require {beatname_uc} to run as root. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: diff --git a/x-pack/filebeat/module/palo_alto/_meta/fields.yml b/x-pack/filebeat/module/palo_alto/_meta/fields.yml new file mode 100644 index 00000000000..c02e9c69aa1 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/_meta/fields.yml @@ -0,0 +1,10 @@ +- key: palo_alto + title: palo_alto + description: > + Module for Palo Alto Networks (PAN-OS) + fields: + - name: palo_alto + type: group + description: > + Fields from the palo_alto logs. + fields: 
diff --git a/x-pack/filebeat/module/palo_alto/fields.go b/x-pack/filebeat/module/palo_alto/fields.go
new file mode 100644
index 00000000000..d192ec61b6e
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package palo_alto
+
+import (
+ "github.com/elastic/beats/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "palo_alto", asset.ModuleFieldsPri, AssetPaloAlto); err != nil {
+ panic(err)
+ }
+}
+
+// AssetPaloAlto returns asset data.
+// This is the base64 encoded gzipped contents of module/palo_alto.
+func AssetPaloAlto() string {
+ return "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"
+}
diff --git a/x-pack/filebeat/module/palo_alto/module.yml b/x-pack/filebeat/module/palo_alto/module.yml
new file mode 100644
index 00000000000..b78832712d0
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/module.yml
@@ -0,0 +1,3 @@
+dashboards:
+# TODO
+
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/_meta/fields.yml b/x-pack/filebeat/module/palo_alto/pan_os/_meta/fields.yml
new file mode 100644
index 00000000000..0e7f15e7d39
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/pan_os/_meta/fields.yml
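Review bot: module.yml ships no dashboard entry (`dashboards:` followed only by `# TODO`) while the module documentation added in this same commit sets `:has-dashboards: true`, so the two disagree about what the module provides. If that attribute switches on any dashboard-related text in the generated docs it should be `false` until a dashboard is checked in; otherwise a one-line note here, `# TODO: no dashboards yet - docs set :has-dashboards: true, revisit both together`, keeps the two in sync.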
@@ -0,0 +1,124 @@
+ - name: pan_os
+ type: group
+ description: >
+ Fields for the Palo Alto Networks PAN-OS logs.
+ fields:
+ - name: ruleset
+ type: keyword
+ description: >
+ Name of the rule that matched this session.
+ - name: source
+ type: group
+ description: >
+ Fields to extend the top-level source object.
+ fields:
+ - name: zone
+ type: keyword
+ description: >
+ Source zone for this session.
+ - name: interface
+ type: keyword
+ description: >
+ Source interface for this session.
+ - name: nat
+ type: group
+ description: >
+ Post-NAT source address, if source NAT is performed.
+ fields:
+ - name: ip
+ type: ip
+ description: >
+ Post-NAT source IP.
+ - name: port
+ type: long
+ description: >
+ Post-NAT source port.
+
+ - name: destination
+ type: group
+ description: >
+ Fields to extend the top-level destination object.
+ fields:
+ - name: zone
+ type: keyword
+ description: >
+ Destination zone for this session.
+ - name: interface
+ type: keyword
+ description: >
+ Destination interface for this session.
+ - name: nat
+ type: group
+ description: >
+ Post-NAT destination address, if destination NAT is performed.
+ fields:
+ - name: ip
+ type: ip
+ description: >
+ Post-NAT destination IP.
+ - name: port
+ type: long
+ description: >
+ Post-NAT destination port.
+
+ - name: network
+ type: group
+ description: >
+ Fields to extend the top-level network object.
+ fields:
+ - name: pcap_id
+ type: keyword
+ description: >
+ Packet capture ID for a threat.
+
+ - name: nat
+ type: group
+ fields:
+ - name: community_id
+ type: keyword
+ description: >
+ Community ID flow-hash for the NAT 5-tuple.
+
+ - name: file
+ type: group
+ description: >
+ Fields to extend the top-level file object.
+ fields:
+ - name: hash
+ description: >
+ Binary hash for a threat file sent to be analyzed
+ by the WildFire service.
+ type: keyword
+
+ - name: url
+ type: group
+ description: >
+ Fields to extend the top-level url object.
+ fields:
+ - name: category
+ type: keyword
+ description: >
+ For threat URLs, it's the URL category.
+ For WildFire, the verdict on the file and is
+ either 'malicious', 'grayware', or 'benign'.
+
+ - name: flow_id
+ type: keyword
+ description: >
+ Internal numeric identifier for each session.
+
+ - name: sequence_number
+ type: long
+ description: >
+ Log entry identifier that is incremented sequentially.
+ Unique for each log type.
+
+ - name: threat_file_or_url
+ type: keyword
+ description: >
+ URL or file name for a threat.
+
+ - name: threat_id
+ type: keyword
+ description: >
+ Palo Alto Networks identifier for the threat.
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml b/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml
new file mode 100644
index 00000000000..be15016ae31
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/pan_os/config/input.yml
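Review bot: `subject` is never declared under `pan_os`, although the THREAT mapping in pan_os/config/input.yml writes `palo_alto.pan_os.subject: 51` and the module docs list it as `palo_alto.subject`; an undeclared field gets no entry in the generated template or field reference and is left to dynamic mapping. Add it alongside `threat_file_or_url`: `- name: subject`, `type: keyword`, with a description taken from the PAN-OS threat log's Subject column. Two smaller consistency points in the same hunk: the `nat` group under `network` is the only group without a `description:`, and `hash` under `file` lists `description` before `type`, unlike every other field.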
@@ -0,0 +1,160 @@
+{{ if eq .input "syslog" }}
+
+type: syslog
+protocol.udp:
+ host: "{{.syslog_host}}:{{.syslog_port}}"
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags}}
+
+processors:
+{{ if .convert_timezone }}
+ - add_locale: ~
+{{ end }}
+
+ - decode_csv_fields:
+ fields:
+ message: csv
+
+ - extract_array:
+ field: csv
+ overwrite_keys: true
+ mappings:
+ event.created: 1
+ observer.serial_number: 2
+ _temp_.message_type: 3
+ _temp_.message_subtype: 4
+ _temp_.generated_time: 6
+
+ - extract_array:
+ when:
+ equals:
+ _temp_.message_type: TRAFFIC
+ field: csv
+ overwrite_keys: true
+ omit_empty: true
+ fail_on_error: false
+ mappings:
+ client.ip: 7
+ source.ip: 7
+ source.address: 7
+ server.ip: 8
+ destination.ip: 8
+ destination.address: 8
+ palo_alto.pan_os.source.nat.ip: 9
+ palo_alto.pan_os.destination.nat.ip: 10
+ palo_alto.pan_os.ruleset: 11
+ client.user.name: 12
+ source.user.name: 12
+ server.user.name: 13
+ destination.user.name: 13
+ network.application: 14
+ palo_alto.pan_os.source.zone: 16
+ palo_alto.pan_os.destination.zone: 17
+ palo_alto.pan_os.source.interface: 18
+ palo_alto.pan_os.destination.interface: 19
+ palo_alto.pan_os.flow_id: 22
+ client.port: 24
+ source.port: 24
+ destination.port: 25
+ server.port: 25
+ palo_alto.pan_os.source.nat.port: 26
+ palo_alto.pan_os.destination.nat.port: 27
+ _temp_.labels: 28
+ network.transport: 29
+ event.outcome: 30
+ network.bytes: 31
+ client.bytes: 32
+ destination.bytes: 32
+ server.bytes: 33
+ source.bytes: 33
+ network.packets: 34
+ event.start: 35
+ event.duration: 36
+ palo_alto.pan_os.url.category: 37
+ palo_alto.pan_os.sequence_number: 39
+ server.packets: 44
+ destination.packets: 44
+ client.packets: 45
+ source.packets: 45
+ observer.hostname: 52
+
+ - extract_array:
+ when:
+ equals:
+ _temp_.message_type: THREAT
+ field: csv
+ omit_empty: true
+ overwrite_keys: true
+ fail_on_error: false
+ mappings:
+ client.ip: 7
+ source.ip: 7
+ source.address: 7
+ server.ip: 8
+ destination.ip: 8
+ destination.address: 8
+ palo_alto.pan_os.source.nat.ip: 9
+ palo_alto.pan_os.destination.nat.ip: 10
+ palo_alto.pan_os.ruleset: 11
+ client.user.name: 12
+ source.user.name: 12
+ server.user.name: 13
+ destination.user.name: 13
+ network.application: 14
+ palo_alto.pan_os.source.zone: 16
+ palo_alto.pan_os.destination.zone: 17
+ palo_alto.pan_os.source.interface: 18
+ palo_alto.pan_os.destination.interface: 19
+ palo_alto.pan_os.flow_id: 22
+ client.port: 24
+ source.port: 24
+ destination.port: 25
+ server.port: 25
+ palo_alto.pan_os.source.nat.port: 26
+ palo_alto.pan_os.destination.nat.port: 27
+ _temp_.labels: 28
+ network.transport: 29
+ event.outcome: 30
+ palo_alto.pan_os.threat_file_or_url: 31
+ url.original: 31
+ palo_alto.pan_os.threat_id: 32
+ palo_alto.pan_os.url.category: 33
+ log.level: 34
+ _temp_.direction: 35
+ source.geo.country_iso_code: 38
+ destination.geo.country_iso_code: 39
+ palo_alto.pan_os.network.pcap_id: 42
+ palo_alto.pan_os.file.hash: 43
+ user_agent.original: 46
+ file.type: 47
+ network.forwarded_ip: 48
+ http.request.referer: 49
+ source.user.email: 50
+ palo_alto.pan_os.subject: 51
+ destination.user.email: 52
+ observer.hostname: 59
+
+ - drop_fields:
+ fields:
+ - csv
+
+ - community_id: ~
+
+ - community_id:
+ target: palo_alto.pan_os.network.nat.community_id
+ fields:
+ source_ip: palo_alto.pan_os.source.nat.ip
+ source_port: palo_alto.pan_os.source.nat.port
+ destination_ip: palo_alto.pan_os.destination.nat.ip
+ destination_port: palo_alto.pan_os.destination.nat.port
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml
new file mode 100644
index 00000000000..18da07007da
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/pan_os/ingest/pipeline.yml
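Review bot: The first `extract_array` (indexes 1 to 6, `event.created` through `_temp_.generated_time`) lacks the `omit_empty: true` / `fail_on_error: false` that the TRAFFIC and THREAT ones carry, so a syslog line that is not a PAN-OS CSV record, or one truncated before column 6, takes a different path from a short TRAFFIC/THREAT record; whatever the processor's default is on a short array, it should be set explicitly here, since the ingest pipeline's `drop` on a missing `event.category` is what is expected to discard such lines. The column indexes are positional and undocumented; a comment above the first mapping naming the PAN-OS release whose CSV layout they follow (the docs only say 7.1 to 9.0 were tested) would make future layout changes reviewable, e.g. `# Column indexes follow the PAN-OS <version> syslog CSV layout (traffic and threat).` with the version filled in. Worth a comment too that the syslog branch is UDP only (`protocol.udp`), since the reference config just says "syslog (default) or file".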
@@ -0,0 +1,322 @@ +description: "Pipeline for Palo Alto PAN-OS Logs" +processors: + +# keep message as log.original. + - rename: + field: message + target_field: log.original + +# Set @timestamp to the time when the entry was generated at the data plane. + - date: + field: "_temp_.generated_time" + ignore_failure: true + #{< if .convert_timezone >} + timezone: "{{ event.timezone }}" + #{< end >} + formats: + - "yyyy/MM/dd HH:mm:ss" + +# event.created is the time the event was received at the management plane. + - date: + field: "event.created" + target_field: "event.created" + ignore_failure: true + #{< if .convert_timezone >} + timezone: "{{ event.timezone }}" + #{< end >} + formats: + - "yyyy/MM/dd HH:mm:ss" + +# event.start (traffic only) is the time the session started. + - date: + field: "event.start" + target_field: "event.start" + ignore_failure: true + #{< if .convert_timezone >} + timezone: "{{ event.timezone }}" + #{< end >} + formats: + - "yyyy/MM/dd HH:mm:ss" + +# convert integer fields as the output of the CSV processor is always a string. 
+ - convert: { type: long, ignore_missing: true, field: client.bytes } + - convert: { type: long, ignore_missing: true, field: client.packets } + - convert: { type: long, ignore_missing: true, field: client.port } + - convert: { type: long, ignore_missing: true, field: server.bytes } + - convert: { type: long, ignore_missing: true, field: server.packets } + - convert: { type: long, ignore_missing: true, field: server.port } + - convert: { type: long, ignore_missing: true, field: source.bytes } + - convert: { type: long, ignore_missing: true, field: source.packets } + - convert: { type: long, ignore_missing: true, field: source.port } + - convert: { type: long, ignore_missing: true, field: destination.bytes } + - convert: { type: long, ignore_missing: true, field: destination.packets } + - convert: { type: long, ignore_missing: true, field: destination.port } + - convert: { type: long, ignore_missing: true, field: network.bytes } + - convert: { type: long, ignore_missing: true, field: network.packets } + - convert: { type: long, ignore_missing: true, field: event.duration } + - convert: { type: long, ignore_missing: true, field: _temp_.labels } + - convert: { type: long, ignore_missing: true, field: palo_alto.pan_os.sequence_number } + - convert: { type: long, ignore_missing: true, field: palo_alto.pan_os.source.nat.port } + - convert: { type: long, ignore_missing: true, field: palo_alto.pan_os.destination.nat.port } + +# Remove PCAP ID when zero (no packet capture). + - remove: + if: 'ctx?.palo_alto?.pan_os?.network?.pcap_id == "0"' + field: + - palo_alto.pan_os.network.pcap_id + +# Extract 'flags' bitfield into labels. 
+ - script: + lang: painless + if: 'ctx?._temp_?.labels != null && ctx._temp_.labels != 0' + params: + pcap_included: 0x80000000 + ipv6_session: 0x02000000 + ssl_decrypted: 0x01000000 + url_filter_denied: 0x00800000 + nat_translated: 0x00400000 + captive_portal: 0x00200000 + x_forwarded_for: 0x00080000 + http_proxy: 0x00040000 + container_page: 0x00008000 + temporary_match: 0x00002000 + symmetric_return: 0x00000800 + source: > + def labels = ctx?.labels; + if (labels == null) { + labels = new HashMap(); + ctx['labels'] = labels; + } + long value = ctx._temp_.labels; + for (entry in params.entrySet()) { + if ((value & entry.getValue()) != 0) { + labels[entry.getKey()] = true; + } + } + +# normalize event.duration and determine event.end. + - script: + lang: painless + if: 'ctx?.event?.duration != null' + params: + NANOS_IN_A_SECOND: 1000000000 + source: > + long nanos = ctx['event']['duration'] * params.NANOS_IN_A_SECOND; + ctx['event']['duration'] = nanos; + def start = ctx.event?.start; + if (start != null) { + ctx.event['end'] = ZonedDateTime.parse(start).plusNanos(nanos); + } + +# Set network.direction using src/dst zone (traffic logs). 
+ - set: + field: network.direction + value: inbound + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.pan_os?.source?.zone == "untrust" && ctx?.palo_alto?.pan_os?.destination?.zone == "trust"' + - set: + field: network.direction + value: outbound + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.pan_os?.source?.zone == "trust" && ctx?.palo_alto?.pan_os?.destination?.zone == "untrust"' + - set: + field: network.direction + value: internal + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.pan_os?.source?.zone == "trust" && ctx?.palo_alto?.pan_os?.destination?.zone == "trust"' + - set: + field: network.direction + value: external + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.palo_alto?.pan_os?.source?.zone == "untrust" && ctx?.palo_alto?.pan_os?.destination?.zone == "untrust"' + - set: + field: network.direction + value: unknown + if: 'ctx?._temp_?.message_type == "TRAFFIC" && ((ctx?.palo_alto?.pan_os?.source?.zone != "trust" && ctx?.palo_alto?.pan_os?.source?.zone != "untrust") || (ctx?.palo_alto?.pan_os?.destination?.zone != "trust" && ctx?.palo_alto?.pan_os?.destination?.zone != "untrust"))' + +# Set network.direction from threat direction (Threat logs). + - set: + field: network.direction + value: inbound + if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")' + + - set: + field: network.direction + value: outbound + if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")' + + - set: + field: network.direction + value: unknown + if: 'ctx?._temp_?.message_type == "THREAT" && ctx?.network?.direction == null' + +# Set event.category depending on log type. 
+ - set:
+ field: event.category
+ value: network_traffic
+ if: 'ctx?._temp_?.message_type == "TRAFFIC"'
+ - set:
+ field: event.category
+ value: security_threat
+ if: 'ctx?._temp_?.message_type == "THREAT"'
+
+ - drop:
+ if: 'ctx?.event?.category == null'
+
+# event.action for traffic logs.
+ - set:
+ field: event.action
+ value: flow_started
+ if: 'ctx?._temp_?.message_subtype == "start"'
+ - set:
+ field: event.action
+ value: flow_terminated
+ if: 'ctx?._temp_?.message_subtype == "end"'
+ - set:
+ field: event.action
+ value: flow_dropped
+ if: 'ctx?._temp_?.message_subtype == "drop"'
+ - set:
+ field: event.action
+ value: flow_denied
+ if: 'ctx?._temp_?.message_subtype == "deny"'
+
+# event.action for threat logs.
+ - set:
+ field: event.action
+ value: data_match
+ if: 'ctx?._temp_?.message_subtype == "data"'
+ - set:
+ field: event.action
+ value: file_match
+ if: 'ctx?._temp_?.message_subtype == "file"'
+ - set:
+ field: event.action
+ value: flood_detected
+ if: 'ctx?._temp_?.message_subtype == "flood"'
+ - set:
+ field: event.action
+ value: packet_attack
+ if: 'ctx?._temp_?.message_subtype == "packet"'
+ - set:
+ field: event.action
+ value: scan_detected
+ if: 'ctx?._temp_?.message_subtype == "scan"'
+ - set:
+ field: event.action
+ value: spyware_detected
+ if: 'ctx?._temp_?.message_subtype == "spyware"'
+ - set:
+ field: event.action
+ value: url_filtering
+ if: 'ctx?._temp_?.message_subtype == "url"'
+ - set:
+ field: event.action
+ value: virus_detected
+ if: 'ctx?._temp_?.message_subtype == "virus"'
+ - set:
+ field: event.action
+ value: exploit_detected
+ if: 'ctx?._temp_?.message_subtype == "vulnerability"'
+ - set:
+ field: event.action
+ value: wildfire_veredict
+ if: 'ctx?._temp_?.message_subtype == "wildfire"'
+ - set:
+ field: event.action
+ value: wildfire_virus_detected
+ if: 'ctx?._temp_?.message_subtype == "wildfire-virus"'
+
+
+# Set numeric log.level from event.severity.
+ - set:
+ field: "event.severity"
+ if: 'ctx.log.level == "critical"'
+ value: 1
+ - set:
+ field: "event.severity"
+ if: 'ctx.log.level == "high"'
+ value: 2
+ - set:
+ field: "event.severity"
+ if: 'ctx.log.level == "medium"'
+ value: 3
+ - set:
+ field: "event.severity"
+ if: 'ctx.log.level == "low"'
+ value: 4
+ - set:
+ field: "event.severity"
+ if: 'ctx.log.level == "informational"'
+ value: 5
+
+# Normalize event.outcome.
+# These values appear in the TRAFFIC docs but look like a mistake.
+ - set:
+ field: event.outcome
+ value: 'drop-icmp'
+ if: 'ctx?.event?.outcome == "drop icmp" || ctx?.event?.outcome == "drop ICMP"'
+ - set:
+ field: event.outcome
+ value: 'reset-both'
+ if: 'ctx?.event?.outcome == "reset both"'
+ - set:
+ field: event.outcome
+ value: 'reset-client'
+ if: 'ctx?.event?.outcome == "reset client"'
+ - set:
+ field: event.outcome
+ value: 'reset-server'
+ if: 'ctx?.event?.outcome == "reset server"'
+
+# Build related.ip array from src/dest/NAT IPs.
+ - append:
+ if: 'ctx?.source?.ip != null'
+ field: related.ip
+ value:
+ - '{{source.ip}}'
+ - append:
+ if: 'ctx?.destination?.ip != null'
+ field: related.ip
+ value:
+ - '{{destination.ip}}'
+ - append:
+ if: 'ctx?.palo_alto?.pan_os?.source?.nat?.ip != null'
+ field: related.ip
+ value:
+ - '{{palo_alto.pan_os.source.nat.ip}}'
+ - append:
+ if: 'ctx?.palo_alto?.pan_os?.destination?.nat?.ip != null'
+ field: related.ip
+ value:
+ - '{{palo_alto.pan_os.destination.nat.ip}}'
+
+# Geolocation for source.
+ - geoip:
+ if: 'ctx?.source?.ip != null'
+ field: source.ip
+ target_field: source.geo
+
+# Geolocation for destination.
+ - geoip:
+ if: 'ctx?.destination?.ip != null'
+ field: destination.ip
+ target_field: destination.geo
+
+# Append NAT community_id to network.community_id
+ - append:
+ if: 'ctx?.palo_alto?.pan_os?.network?.nat?.community_id != null && ctx.palo_alto.pan_os.network.nat.community_id != ctx?.network?.community_id'
+ field: network.community_id
+ value:
+ - '{{palo_alto.pan_os.network.nat.community_id}}'
+
+# Remove temporary fields.
+ - remove:
+ field:
+ - _temp_
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
+ - remove:
+ field:
+ - _temp_
+ ignore_missing: true
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/manifest.yml b/x-pack/filebeat/module/palo_alto/pan_os/manifest.yml
new file mode 100644
index 00000000000..f6265abad1e
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/pan_os/manifest.yml
@@ -0,0 +1,30 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ default:
+ - /var/log/pan-os.log
+ - name: tags
+ default: [pan-os]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9001
+ - name: input
+ default: syslog
+ - name: convert_timezone
+ default: false
+ # if ES < 6.1.0, this flag switches to false automatically when evaluating the
+ # pipeline
+ min_elasticsearch_version:
+ version: 6.1.0
+ value: false
+ - name: community_id
+ default: true
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log
new file mode 100644
index 00000000000..421c6f796a6
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log
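Review bot: The manifest defaults the syslog listener to `syslog_host: localhost` / `syslog_port: 9001` but says nothing about the listener being unauthenticated, so the first thing an operator does to receive logs from a real firewall (bind a network interface) also lets any host that can reach the port inject forged PAN-OS events, and the expected output shows `observer.serial_number`, zones and actions taken straight from the message text. Whether the listener is UDP or TCP and whether TLS can be enabled is decided in config/input.yml, which is not part of this hunk, so I cannot say what protections are available. I would add a comment above `- name: syslog_host`: `# The syslog listener is unauthenticated: when binding to a non-loopback address, restrict the source to the firewall's log-forwarding IP with host firewalling and prefer TCP with TLS if the input supports it.`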
@@ -0,0 +1,34 @@ +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,CONFIG,0,0,2012/02/25 00:51:50,192.168.0.2,,set,admin,Web,Succeeded, config shared local-user-database user badguy,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:53:22,192.168.0.2,,set,admin,Web,Succeeded, config mgt-config users badguy,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:53:40,192.168.0.2,,commit,admin,Web,Submitted,,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:53:53,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,vpn,0,2012/02/25 00:53:56,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:54:16,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,ras,0,2012/02/25 00:54:16,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:57:17,192.168.0.2,,edit,badguy,Web,Succeeded, vsys vsys1 profiles url-filtering monzyspolicy,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,CONFIG,0,0,2012/02/25 00:57:36,192.168.0.2,,commit,badguy,Web,Submitted,,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,routing,0,2012/02/25 00:57:49,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:02 1,2013/03/25 23:59:02,1606001116,SYSTEM,vpn,0,2012/02/25 00:57:52,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:07 1,2013/03/25 
23:59:07,1606001116,SYSTEM,routing,0,2012/02/25 00:58:12,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,vpn,0,2012/02/25 00:58:12,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,ras,0,2012/02/25 00:58:12,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,general,1,2012/02/25 00:58:14,,unknown,,0,0,general,informational,Config installed,909,0x0 +Mar 25 23:59:07 1,2013/03/25 23:59:07,1606001116,SYSTEM,general,0,2012/02/25 00:59:36,,general,,0,0,general,informational,Log type config cleared by user badguy ,0,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,general,1,2012/04/10 03:11:57,,unknown,,0,0,general,informational,Config installed,884,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,ras,0,2012/04/10 03:11:56,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,vpn,0,2012/04/10 03:11:56,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,routing,0,2012/04/10 03:11:56,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,SYSTEM,ras,0,2012/04/10 03:06:11,,rasmgr-config-p1-success,,0,0,general,informational,RASMGR daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,routing,0,2012/04/10 03:06:00,,routed-config-p1-success,,0,0,general,informational,Route daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 
23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,general,1,2012/04/09 09:02:53,,unknown,,0,0,general,informational,Config installed,840,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,ras,0,2012/04/09 09:02:52,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,vpn,0,2012/04/09 09:02:52,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,routing,0,2012/04/09 09:02:52,,routed-config-p2-success,,0,0,general,informational,Route daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,ras,0,2012/04/09 09:00:55,,rasmgr-config-p1-success,,0,0,general,informational,RASMGR daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:27 1,2013/03/25 23:59:27,01606001116,SYSTEM,vpn,0,2012/04/09 09:00:52,,ike-config-p1-success,,0,0,general,informational,IKE daemon configuration load phase-1 succeeded.,0,0x0 +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:35,192.168.0.2,,commit,admin,Web,Submitted,,0,0x0 +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,CONFIG,0,0,2012/04/09 09:00:20,192.168.0.2,,edit,admin,Web,Succeeded, vsys vsys1 profiles data-objects PII,0,0x0 +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,general,1,2012/04/09 03:21:53,,unknown,,0,0,general,informational,Config installed,821,0x0 +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,ras,0,2012/04/09 03:21:53,,rasmgr-config-p2-success,,0,0,general,informational,RASMGR daemon configuration load phase-2 succeeded.,0,0x0 +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,SYSTEM,vpn,0,2012/04/09 03:21:53,,ike-config-p2-success,,0,0,general,informational,IKE daemon configuration load phase-2 succeeded.,0,0x0 +Oct 30 09:46:17 1,2012/10/30 
09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json new file mode 100644 index 00000000000..45de9e62f21 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_other.log-expected.json 
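Review bot: 33 of the 34 lines in this fixture are CONFIG and SYSTEM records that the pipeline discards through its `- drop:` / `if: 'ctx?.event?.category == null'` processor (in the pipeline.yml hunk, which begins before the visible range), so the golden file ends up with the single TRAFFIC line and the fixture mostly exercises the drop path. The discarded records are precisely the audit trail a SOC wants from a firewall — `set admin ... local-user-database user badguy`, a `commit` submitted by `badguy`, and `Log type config cleared by user badguy` — and they vanish with no tag, no `error.message` and no counter. Until CONFIG/SYSTEM parsing exists I would have the pipeline tag unsupported log types (for example `- append: field: tags value: [unsupported_log_type]` before the drop, or keep the raw event with `event.category` unset) instead of dropping them silently, or at minimum state in the module README that only TRAFFIC and THREAT are indexed.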
@@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59309, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 5853, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25149", + 
"palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59309, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log new file mode 100644 index 00000000000..b493a709848 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log 
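Review bot: The golden output encodes an internally inconsistent byte/packet mapping and should not be accepted as-is: `client.bytes` is 78 while `client.packets` is 0, `server.bytes` is 0 while `server.packets` is 1, and `source.bytes` is 0 for the same host (`192.168.0.2`) that `client.ip` reports with 78 bytes, so one endpoint is credited with 78 bytes carried in zero packets. Reading the logged line in PAN-OS traffic field order gives bytes_sent=78, bytes_received=0, pkts_sent=1, pkts_received=0, so the sender's bytes and packets should land on the same ECS side; the conversion lives in pipeline.yml, whose hunk begins before the visible range, and the expected file needs regenerating once it is corrected. Separately, `related.ip` lists `0.0.0.0` twice because the NAT placeholders are appended whenever the field is non-null, even though no NAT occurred (`labels.nat_translated` is absent), which pollutes the field analysts pivot on; the two NAT append conditions should also exclude the placeholder, e.g. `if: 'ctx?.palo_alto?.pan_os?.source?.nat?.ip != null && ctx.palo_alto.pan_os.source.nat.ip != "0.0.0.0"'`.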
@@ -0,0 +1,100 @@ +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,"lorexx.cn/loader.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=2",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=5",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/count.php?o=7",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/load.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,"liteautobestguide.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,"litetopdetect.cn/index.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 
04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,"girlteenxxxfreemov.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,"imagesrepository.com/resolution.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,"hottestfiles.com/search/search.php?q=xxx",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,"infodist1.com/in.cgi?11¶meter=404",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,"cls-softwares.com/suc.php",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,"cls-softwares.com/softwarefortubeview.40013.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,78.159.99.224,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,"findmorepill.com/klik/search.php?q=xxx",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0, +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,"allowedwebsurfing.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 
04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,"antivirus-remote.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.cfg",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,"blogsexnakedgirlxxx.com/",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,"bklinkov.ru/hi/start.exe",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 
09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 
09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,"-/",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html +Oct 30 09:46:47 1,2012/10/30 
09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,69.43.161.167,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,"wantfinest.com/tds/in.cgi?default",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:38,192.168.0.2,202.31.187.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,"sameshitasiteverwas.com/traf/tds/in.cgi?2",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0, +Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,89.111.176.67,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,"svarkon.ru/update.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,"onlinescanxpp.com/land/eurl/1.php?code=",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,"nolagtime.com/gwc.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:03 1,2012/10/30 09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,"karavan.us/bon/index.php",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,"findnolimits.com/go.php?sid=1",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/moun.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Oct 30 09:51:33 1,2012/10/30 
09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,"bizoplata.ru/palast.html",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 04:37:28,204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,"controller.php",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,216.8.179.25,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,"www.15min.it/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0, +Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,69.43.161.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,"tubemov.com/",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,208.91.196.252,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0, +Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,"movfree.com/",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,"gometascan.com/",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/download/Install_11-1.exe",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 
04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,"basdzsdas.com/poker/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,"FunkyEmoticons_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:07 1,2013/03/25 
23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,"52hxw.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,"softsellfast.com/test/config.bin",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,"setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,"Live-Player_setup.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European Union,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,"boialex.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Mar 25 23:59:12 1,2013/03/25 
23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,"edw-melon.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,"maximtushin.narod.ru/config.txt",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0, +Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,"uLLGRaXP.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,"marketingsoluchion.biz/fkn/config.bin",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,207.46.140.46,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,"default.aspx",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 
1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,"sck.aspx",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:32,65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,"ADSAdClient31.dll",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,65.54.71.11,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,"c.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:58:18,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,"about.exe",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
07:16:03,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,74.125.239.6,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,"nav_logo107.png",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,"Eadweard_Muybridge",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
08:08:44,208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,"load.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,"8fe44cb728c0f40750c64ee906eb72.css",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:07:49,207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,"appcast.xml",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:48:44,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,"csi",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,"index.php",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,"__utm.gif",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:54:35,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,"internal-tuner.pandora.com",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:45:45,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 
03:53:41,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,"ga.js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, +Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,"js",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0, diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json new file mode 100644 index 00000000000..29373236d66 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_threat.log-expected.json 
@@ -0,0 +1,6385 @@ +[ + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.ip": "192.168.0.2", + "client.port": 59309, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 0, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25149,1,59309,80,0,0,0x208000,tcp,alert,\"lorexx.cn/loader.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25149", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + 
"palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lorexx.cn/loader.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59309, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lorexx.cn/loader.exe" + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.ip": "192.168.0.2", + "client.port": 59313, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 403, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:58,26067,1,59313,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=2\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26067", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/count.php?o=2", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59313, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/count.php?o=2" + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.ip": "192.168.0.2", + "client.port": 59314, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": 
"204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 813, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26522,1,59314,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=5\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26522", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/count.php?o=5", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": 
"192.168.0.2", + "source.port": 59314, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/count.php?o=5" + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.ip": "192.168.0.2", + "client.port": 59315, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 1223, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/count.php?o=7\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25112", 
+ "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/count.php?o=7", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59315, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/count.php?o=7" + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.ip": "192.168.0.2", + "client.port": 59316, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 1633, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 
04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25179", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59316, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122" + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.ip": "192.168.0.2", + "client.port": 59317, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 2076, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,THREAT,url,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x208000,tcp,alert,\"lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25848", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122", + "palo_alto.pan_os.threat_id": "(9999)", + 
"palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59317, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122" + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.ip": "192.168.0.2", + "client.port": 59302, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 2519, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24910,1,59302,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/load.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": 
"1:22ouAyA1O0KgUQOEKP20E7gNa2U=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24910", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "liteautobestguide.cn/load.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59302, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "liteautobestguide.cn/load.php" + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.ip": "192.168.0.2", + "client.port": 59301, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + 
"event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 2931, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26862,1,59301,80,0,0,0x208000,tcp,alert,\"liteautobestguide.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26862", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "liteautobestguide.cn/index.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59301, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "liteautobestguide.cn/index.php" + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.ip": "192.168.0.2", + 
"client.port": 59303, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 3344, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,22860,1,59303,80,0,0,0x208000,tcp,alert,\"litetopdetect.cn/index.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22860", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.threat_file_or_url": "litetopdetect.cn/index.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59303, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "litetopdetect.cn/index.php" + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.ip": "192.168.0.2", + "client.port": 59304, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 3753, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,THREAT,url,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:57,26360,1,59304,80,0,0,0x208000,tcp,alert,\"lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26360", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59304, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513" + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.ip": "192.168.0.2", + "client.port": 59297, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + 
"destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 4217, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25543,1,59297,80,0,0,0x208000,tcp,alert,\"girlteenxxxfreemov.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25543", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "girlteenxxxfreemov.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 
80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59297, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "girlteenxxxfreemov.com/" + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.ip": "192.168.0.2", + "client.port": 59299, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 4623, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25437,1,59299,80,0,0,0x208000,tcp,alert,\"imagesrepository.com/resolution.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + 
"palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25437", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "imagesrepository.com/resolution.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59299, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "imagesrepository.com/resolution.php" + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.ip": "192.168.0.2", + "client.port": 59298, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 5041, + 
"log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26338,1,59298,80,0,0,0x208000,tcp,alert,\"hottestfiles.com/search/search.php?q=xxx\",(9999),search-engines,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26338", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "hottestfiles.com/search/search.php?q=xxx", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59298, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "hottestfiles.com/search/search.php?q=xxx" + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.ip": "192.168.0.2", + "client.port": 59300, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 5466, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,THREAT,url,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25713,1,59300,80,0,0,0x200000,tcp,block-url,\"infodist1.com/in.cgi?11¶meter=404\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25713", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "infodist1.com/in.cgi?11¶meter=404", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + 
"related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59300, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "infodist1.com/in.cgi?11¶meter=404" + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.ip": "192.168.0.2", + "client.port": 59295, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 5882, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25451,1,59295,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/suc.php\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=", + "network.direction": "inbound", + "network.transport": "tcp", + 
"observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25451", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "cls-softwares.com/suc.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59295, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "cls-softwares.com/suc.php" + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.ip": "192.168.0.2", + "client.port": 59291, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + 
"labels.container_page": true, + "log.level": "informational", + "log.offset": 6290, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26414,1,59291,80,0,0,0x208000,tcp,alert,\"cls-softwares.com/softwarefortubeview.40013.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26414", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "cls-softwares.com/softwarefortubeview.40013.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59291, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "cls-softwares.com/softwarefortubeview.40013.exe" + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.ip": "192.168.0.2", + "client.port": 59296, + "client.user.name": "crusher", + 
"destination.address": "78.159.99.224", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "78.159.99.224", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 6720, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,THREAT,url,1,2012/04/10 04:39:52,192.168.0.2,78.159.99.224,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26927,1,59296,80,0,0,0x200000,tcp,block-url,\"findmorepill.com/klik/search.php?q=xxx\",(9999),online-gambling,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Germany,0,", + "network.application": "web-browsing", + "network.community_id": "1:v73LbTZDPLO+1dzNRixeZAmolJ0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26927", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "findmorepill.com/klik/search.php?q=xxx", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "online-gambling", + "related.ip": [ + "192.168.0.2", + "78.159.99.224", + "0.0.0.0", 
+ "0.0.0.0" + ], + "server.ip": "78.159.99.224", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59296, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "findmorepill.com/klik/search.php?q=xxx" + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.ip": "192.168.0.2", + "client.port": 59280, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 7132, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26127,1,59280,80,0,0,0x208000,tcp,alert,\"allowedwebsurfing.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26127", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "allowedwebsurfing.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59280, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "allowedwebsurfing.com/" + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.ip": "192.168.0.2", + "client.port": 59281, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + 
"log.offset": 7537, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,25306,1,59281,80,0,0,0x208000,tcp,alert,\"antivirus-remote.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25306", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "antivirus-remote.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59281, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "antivirus-remote.com/" + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.ip": "192.168.0.2", + "client.port": 59282, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 7941, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24561,1,59282,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.cfg\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24561", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "bklinkov.ru/hi/start.cfg", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + 
"204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59282, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "bklinkov.ru/hi/start.cfg" + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.ip": "192.168.0.2", + "client.port": 59290, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 8348, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,15099,1,59290,80,0,0,0x208000,tcp,alert,\"blogsexnakedgirlxxx.com/\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "15099", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "blogsexnakedgirlxxx.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59290, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "blogsexnakedgirlxxx.com/" + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.ip": "192.168.0.2", + "client.port": 59286, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": 
"informational", + "log.offset": 8755, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,THREAT,url,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24955,1,59286,80,0,0,0x208000,tcp,alert,\"bklinkov.ru/hi/start.exe\",(9999),not-resolved,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24955", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "bklinkov.ru/hi/start.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59286, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "bklinkov.ru/hi/start.exe" + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.ip": "192.168.0.2", + "client.port": 59275, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 9162, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25398,1,59275,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25398", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + 
"192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59275, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.ip": "192.168.0.2", + "client.port": 59277, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 9555, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25945,1,59277,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25945", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59277, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.ip": "192.168.0.2", + "client.port": 59276, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 9948, + 
"log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,27111,1,59276,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27111", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59276, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.ip": "192.168.0.2", + "client.port": 59278, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 10341, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25871,1,59278,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25871", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", 
+ "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59278, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.ip": "192.168.0.2", + "client.port": 59279, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 10734, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,THREAT,url,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26251,1,59279,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + 
"palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26251", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59279, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:45.000Z", + "client.ip": "192.168.0.2", + "client.port": 59271, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 11127, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 
04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,24816,1,59271,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:6AuZBrHKsUJjLNgm/mJ5QToaPo8=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24816", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59271, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:45.000Z", + "client.ip": "192.168.0.2", + "client.port": 59269, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + 
"destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 11520, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25062,1,59269,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:NwAT+gtzMjRwKS71Tn+YaKwyOvI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25062", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", 
+ "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59269, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:45.000Z", + "client.ip": "192.168.0.2", + "client.port": 59270, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 11913, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:45,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,26266,1,59270,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:mTTbk9h6Dgx6lH3l4aEHguufZVE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + 
"palo_alto.pan_os.flow_id": "26266", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59270, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:46.000Z", + "client.ip": "192.168.0.2", + "client.port": 59274, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 12306, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 
04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,23898,1,59274,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23898", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59274, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:46.000Z", + "client.ip": "192.168.0.2", + "client.port": 59273, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + 
"destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 12699, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25259,1,59273,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:VLKKVfau50s2qjTDcucU+VKCAqY=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25259", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", 
+ "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59273, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:46.000Z", + "client.ip": "192.168.0.2", + "client.port": 59272, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "labels.container_page": true, + "log.level": "informational", + "log.offset": 13092, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,THREAT,url,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26466,1,59272,80,0,0,0x208000,tcp,alert,\"-/\",(9999),private-ip-addresses,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,text/html", + "network.application": "web-browsing", + "network.community_id": "1:jAvA0C85T0GFKryKA312lLEtKIM=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + 
"palo_alto.pan_os.flow_id": "26466", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "-/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59272, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "-/" + }, + { + "@timestamp": "2012-04-10T04:39:43.000Z", + "client.ip": "192.168.0.2", + "client.port": 59261, + "client.user.name": "crusher", + "destination.address": "69.43.161.167", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "69.43.161.167", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 13485, + "log.original": "Oct 30 09:46:47 1,2012/10/30 09:46:47,01606001116,THREAT,url,1,2012/04/10 04:39:43,192.168.0.2,69.43.161.167,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:44,4086,1,59261,80,0,0,0x200000,tcp,block-url,\"wantfinest.com/tds/in.cgi?default\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:Jqiwb/u74kolY3Y1yGkp+oMAxT4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "4086", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "wantfinest.com/tds/in.cgi?default", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "unknown", + "related.ip": [ + "192.168.0.2", + "69.43.161.167", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "69.43.161.167", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59261, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "wantfinest.com/tds/in.cgi?default" + }, + { + "@timestamp": "2012-04-10T04:39:38.000Z", + "client.ip": "192.168.0.2", + "client.port": 59248, + "client.user.name": "crusher", + "destination.address": "202.31.187.154", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "KR", + "destination.geo.location.lat": 37.5112, + "destination.geo.location.lon": 126.97409999999999, + "destination.ip": "202.31.187.154", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", 
+ "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 13889, + "log.original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:38,192.168.0.2,202.31.187.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:39,26534,1,59248,80,0,0,0x200000,tcp,block-url,\"sameshitasiteverwas.com/traf/tds/in.cgi?2\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Korea Republic Of,0,", + "network.application": "web-browsing", + "network.community_id": "1:q84mXt2kLt843wk0Y5vtvJwq+bc=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26534", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "sameshitasiteverwas.com/traf/tds/in.cgi?2", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "202.31.187.154", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "202.31.187.154", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59248, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": 
"sameshitasiteverwas.com/traf/tds/in.cgi?2" + }, + { + "@timestamp": "2012-04-10T04:39:39.000Z", + "client.ip": "192.168.0.2", + "client.port": 59251, + "client.user.name": "crusher", + "destination.address": "89.111.176.67", + "destination.geo.city_name": "Moscow", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7522, + "destination.geo.location.lon": 37.6156, + "destination.geo.region_iso_code": "RU-MOW", + "destination.geo.region_name": "Moscow", + "destination.ip": "89.111.176.67", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 14313, + "log.original": "Oct 30 09:47:02 1,2012/10/30 09:47:02,01606001116,THREAT,url,1,2012/04/10 04:39:39,192.168.0.2,89.111.176.67,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:40,26965,1,59251,80,0,0,0x200000,tcp,block-url,\"svarkon.ru/update.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:1jDSU+BTdTOAQSrWGRbSjxehwNg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26965", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + 
"palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "svarkon.ru/update.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "89.111.176.67", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "89.111.176.67", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59251, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "svarkon.ru/update.exe" + }, + { + "@timestamp": "2012-04-10T04:39:36.000Z", + "client.ip": "192.168.0.2", + "client.port": 59244, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 14717, + "log.original": "Oct 30 09:47:12 1,2012/10/30 09:47:12,01606001116,THREAT,url,1,2012/04/10 04:39:36,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:37,26076,1,59244,80,0,0,0x200000,tcp,block-url,\"onlinescanxpp.com/land/eurl/1.php?code=\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:vGp9HpobYZmzzLGyDAG6oVAe4dg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26076", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "onlinescanxpp.com/land/eurl/1.php?code=", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59244, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "onlinescanxpp.com/land/eurl/1.php?code=" + }, + { + "@timestamp": "2012-04-10T04:39:34.000Z", + "client.ip": "192.168.0.2", + "client.port": 59237, + "client.user.name": "crusher", + "destination.address": "208.73.210.29", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.73.210.29", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + 
"event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 15135, + "log.original": "Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:34,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:35,26198,1,59237,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:8JiI5Ka3Oyz6yaLm3xObTqAo/Jw=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26198", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "208.73.210.29", + "0.0.0.0", + "0.0.0.0" + 
], + "server.ip": "208.73.210.29", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59237, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6" + }, + { + "@timestamp": "2012-04-10T04:39:35.000Z", + "client.ip": "192.168.0.2", + "client.port": 59238, + "client.user.name": "crusher", + "destination.address": "208.73.210.29", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.73.210.29", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 15712, + "log.original": "Oct 30 09:47:17 1,2012/10/30 09:47:17,01606001116,THREAT,url,1,2012/04/10 04:39:35,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:36,26056,1,59238,80,0,0,0x200000,tcp,block-url,\"nolagtime.com/gwc.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:lOdKYo+aMIHRMMJPawuXy8Bk2I0=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": 
"ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26056", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "nolagtime.com/gwc.txt", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "208.73.210.29", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.73.210.29", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59238, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "nolagtime.com/gwc.txt" + }, + { + "@timestamp": "2012-04-10T04:38:19.000Z", + "client.ip": "192.168.0.2", + "client.port": 59010, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 16111, + "log.original": "Oct 30 09:51:03 1,2012/10/30 
09:51:03,01606001116,THREAT,url,1,2012/04/10 04:38:19,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:20,25465,1,59010,80,0,0,0x200000,tcp,block-url,\"karavan.us/bon/index.php\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:rDRkkTH2aHta89i52OraqG5WcDI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25465", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "karavan.us/bon/index.php", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "unknown", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59010, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "karavan.us/bon/index.php" + }, + { + "@timestamp": "2012-04-10T04:38:14.000Z", + "client.ip": "192.168.0.2", + "client.port": 58969, + "client.user.name": "crusher", + "destination.address": "208.73.210.29", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, 
+ "destination.ip": "208.73.210.29", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 16508, + "log.original": "Oct 30 09:51:23 1,2012/10/30 09:51:23,01606001116,THREAT,url,1,2012/04/10 04:38:14,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:15,24316,1,58969,80,0,0,0x200000,tcp,block-url,\"findnolimits.com/go.php?sid=1\",(9999),dead-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:00fHGTkjtblnJQ9P4Wiw9QuDEpI=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24316", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "findnolimits.com/go.php?sid=1", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "dead-sites", + "related.ip": [ + "192.168.0.2", + "208.73.210.29", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.73.210.29", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + 
"source.port": 58969, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "findnolimits.com/go.php?sid=1" + }, + { + "@timestamp": "2012-04-10T04:38:12.000Z", + "client.ip": "192.168.0.2", + "client.port": 58941, + "client.user.name": "crusher", + "destination.address": "89.108.64.156", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "89.108.64.156", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 16912, + "log.original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,17258,1,58941,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/moun.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:sQ6YL9T0OZftMg71BK+1IHpXIRM=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "17258", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + 
"palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "bizoplata.ru/moun.html", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "parked-domains", + "related.ip": [ + "192.168.0.2", + "89.108.64.156", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "89.108.64.156", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58941, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "bizoplata.ru/moun.html" + }, + { + "@timestamp": "2012-04-10T04:38:12.000Z", + "client.ip": "192.168.0.2", + "client.port": 58942, + "client.user.name": "crusher", + "destination.address": "89.108.64.156", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "89.108.64.156", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 17318, + "log.original": "Oct 30 09:51:33 1,2012/10/30 09:51:33,01606001116,THREAT,url,1,2012/04/10 04:38:12,192.168.0.2,89.108.64.156,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:38:13,24735,1,58942,80,0,0,0x200000,tcp,block-url,\"bizoplata.ru/palast.html\",(9999),parked-domains,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:a3rlKRtYt43mps+uHBznJUtG3Qg=", + "network.direction": "inbound", + 
"network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24735", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "bizoplata.ru/palast.html", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "parked-domains", + "related.ip": [ + "192.168.0.2", + "89.108.64.156", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "89.108.64.156", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58942, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "bizoplata.ru/palast.html" + }, + { + "@timestamp": "2012-04-10T04:37:28.000Z", + "client.ip": "204.232.231.46", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 58849, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "spyware_detected", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "drop-all-packets", + "event.severity": 1, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "critical", + "log.offset": 17726, + "log.original": "Oct 30 09:53:33 1,2012/10/30 09:53:33,01606001116,THREAT,spyware,1,2012/04/10 
04:37:28,204.232.231.46,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:33,23497,1,80,58849,0,0,0x200000,tcp,drop-all-packets,\"controller.php\",Bredolab.Gen Command and Control Traffic(13024),any,critical,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:gfZAOGdC3xAoPZCFZCwHJJ7Iin4=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "23497", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "controller.php", + "palo_alto.pan_os.threat_id": "Bredolab.Gen Command and Control Traffic(13024)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "204.232.231.46", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 58849, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.address": "204.232.231.46", + "source.geo.city_name": "Charlotte", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 35.2344, + "source.geo.location.lon": -80.9091, + "source.geo.region_iso_code": "US-NC", + "source.geo.region_name": "North Carolina", + "source.ip": "204.232.231.46", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "controller.php" + }, + { + "@timestamp": "2012-04-10T04:37:32.000Z", + "client.ip": "192.168.0.2", + "client.port": 58856, + "client.user.name": 
"crusher", + "destination.address": "216.8.179.25", + "destination.geo.city_name": "Tecumseh", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "CA", + "destination.geo.location.lat": 42.2946, + "destination.geo.location.lon": -82.8667, + "destination.geo.region_iso_code": "CA-ON", + "destination.geo.region_name": "Ontario", + "destination.ip": "216.8.179.25", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 18156, + "log.original": "Oct 30 09:53:38 1,2012/10/30 09:53:38,01606001116,THREAT,url,1,2012/04/10 04:37:32,192.168.0.2,216.8.179.25,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:32,23711,1,58856,80,0,0,0x200000,tcp,block-url,\"www.15min.it/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Canada,0,", + "network.application": "web-browsing", + "network.community_id": "1:VeoAydUSFUdh8ZddIqbsMY32sBU=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23711", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "www.15min.it/", + "palo_alto.pan_os.threat_id": "(9999)", + 
"palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "216.8.179.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "216.8.179.25", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58856, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "www.15min.it/" + }, + { + "@timestamp": "2012-04-10T04:37:27.000Z", + "client.ip": "192.168.0.2", + "client.port": 58847, + "client.user.name": "crusher", + "destination.address": "69.43.161.154", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "69.43.161.154", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 18539, + "log.original": "Oct 30 09:53:48 1,2012/10/30 09:53:48,01606001116,THREAT,url,1,2012/04/10 04:37:27,192.168.0.2,69.43.161.154,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:27,23659,1,58847,80,0,0,0x200000,tcp,block-url,\"tubemov.com/\",(9999),adult-and-pornography,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:ZsFVG8FJVifp8WmzI9Zj/lo+dB4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + 
"palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23659", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "tubemov.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "adult-and-pornography", + "related.ip": [ + "192.168.0.2", + "69.43.161.154", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "69.43.161.154", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58847, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "tubemov.com/" + }, + { + "@timestamp": "2012-04-10T04:37:25.000Z", + "client.ip": "192.168.0.2", + "client.port": 58841, + "client.user.name": "crusher", + "destination.address": "208.91.196.252", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "VG", + "destination.geo.location.lat": 18.5, + "destination.geo.location.lon": -64.5, + "destination.ip": "208.91.196.252", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 18937, + "log.original": "Oct 30 09:53:58 1,2012/10/30 09:53:58,01606001116,THREAT,url,1,2012/04/10 04:37:25,192.168.0.2,208.91.196.252,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:37:25,23782,1,58841,80,0,0,0x200000,tcp,block-url,\"pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Virgin Islands British,0,", + "network.application": "web-browsing", + "network.community_id": "1:NAfQ33YdKJSvbcxpFK8HIhI39lk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23782", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "208.91.196.252", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.91.196.252", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58841, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js" + }, + { + "@timestamp": "2012-04-10T04:37:05.000Z", + "client.ip": "192.168.0.2", + "client.port": 58795, + "client.user.name": "crusher", + "destination.address": "208.73.210.29", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.73.210.29", + "destination.port": 80, + "ecs.version": "1.0.0", + 
"event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 19373, + "log.original": "Oct 30 09:55:23 1,2012/10/30 09:55:23,01606001116,THREAT,url,1,2012/04/10 04:37:05,192.168.0.2,208.73.210.29,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:37:06,23239,1,58795,80,0,0,0x200000,tcp,block-url,\"movfree.com/\",(9999),spyware-and-adware,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:AMcTUl91PN0z8TJr2QwdEOP+Fmo=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23239", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "movfree.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "spyware-and-adware", + "related.ip": [ + "192.168.0.2", + "208.73.210.29", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.73.210.29", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58795, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": 
"movfree.com/" + }, + { + "@timestamp": "2012-04-10T04:36:51.000Z", + "client.ip": "192.168.0.2", + "client.port": 58753, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 19768, + "log.original": "Oct 30 09:56:23 1,2012/10/30 09:56:23,01606001116,THREAT,url,1,2012/04/10 04:36:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:52,22479,1,58753,80,0,0,0x200000,tcp,block-url,\"gometascan.com/\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:7Tdwe73AJMSdJL4hxpQDyl5Lwn4=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22479", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 
0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "gometascan.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58753, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "gometascan.com/" + }, + { + "@timestamp": "2012-04-10T04:36:39.000Z", + "client.ip": "192.168.0.2", + "client.port": 58708, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 20162, + "log.original": "Oct 30 09:57:33 1,2012/10/30 09:57:33,01606001116,THREAT,url,1,2012/04/10 04:36:39,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:36:40,21458,1,58708,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/download/Install_11-1.exe\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:q7ERSuCoAPSiI8xLXZCI+1M9B8I=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21458", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58708, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe" + }, + { + "@timestamp": "2012-04-10T04:36:38.000Z", + "client.ip": "192.168.0.2", + "client.port": 58707, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + 
"destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 20599, + "log.original": "Oct 30 09:57:38 1,2012/10/30 09:57:38,01606001116,THREAT,url,1,2012/04/10 04:36:38,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:39,21577,1,58707,80,0,0,0x200000,tcp,block-url,\"antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:AsPpOgQhhKdBtPhY4zahdBuNcTc=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21577", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + 
"server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58707, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N" + }, + { + "@timestamp": "2012-04-10T04:36:27.000Z", + "client.ip": "192.168.0.2", + "client.port": 58603, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 21043, + "log.original": "Mar 25 23:58:52 1,2013/03/25 23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "1606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + 
"palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21487", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "basdzsdas.com/poker/config.bin", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58603, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "basdzsdas.com/poker/config.bin" + }, + { + "@timestamp": "2012-04-10T04:36:27.000Z", + "client.ip": "192.168.0.2", + "client.port": 58603, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 21451, + "log.original": "Mar 25 23:58:52 1,2013/03/25 
23:58:52,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "1606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21487", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "basdzsdas.com/poker/config.bin", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58603, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "basdzsdas.com/poker/config.bin" + }, + { + "@timestamp": "2012-04-10T04:19:59.000Z", + "client.ip": "173.236.179.57", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 54431, + "destination.user.name": "crusher", + "ecs.version": 
"1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 21859, + "log.original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "1606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "64856", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "uLLGRaXP.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "173.236.179.57", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 54431, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.address": "173.236.179.57", + "source.geo.city_name": "Brea", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 33.9269, + 
"source.geo.location.lon": -117.8612, + "source.geo.region_iso_code": "US-CA", + "source.geo.region_name": "California", + "source.ip": "173.236.179.57", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "uLLGRaXP.exe" + }, + { + "@timestamp": "2012-04-10T04:36:27.000Z", + "client.ip": "192.168.0.2", + "client.port": 58603, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 22250, + "log.original": "Mar 25 23:58:57 1,2013/03/25 23:58:57,1606001116,THREAT,url,1,2012/04/10 04:36:27,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:36:28,21487,1,58603,80,0,0,0x200000,tcp,block-url,\"basdzsdas.com/poker/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "1606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + 
"palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21487", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "basdzsdas.com/poker/config.bin", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 58603, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "basdzsdas.com/poker/config.bin" + }, + { + "@timestamp": "2012-04-10T04:51:29.000Z", + "client.ip": "91.209.163.202", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61220, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 22658, + "log.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:51:29,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:51:34,37983,1,80,61220,0,0,0x200000,tcp,deny,\"FunkyEmoticons_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European 
Union,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:dHpseryW+AZk/t5IUvlyhaLSGI0=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "37983", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "FunkyEmoticons_setup.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "91.209.163.202", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 61220, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.address": "91.209.163.202", + "source.geo.country_iso_code": "European Union", + "source.ip": "91.209.163.202", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "FunkyEmoticons_setup.exe" + }, + { + "@timestamp": "2012-04-10T04:54:33.000Z", + "client.ip": "122.226.169.183", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61726, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 23063, + "log.original": 
"Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,file,1,2012/04/10 04:54:33,122.226.169.183,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:54:38,41989,1,80,61726,0,0,0x200000,tcp,deny,\"52hxw.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,China,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:lIp7rPLlF21gCwZ63WafZ2HbNKA=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "41989", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "52hxw.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "122.226.169.183", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 61726, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.address": "122.226.169.183", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 30.2936, + "source.geo.location.lon": 120.1614, + "source.geo.region_iso_code": "CN-ZJ", + "source.geo.region_name": "Zhejiang", + "source.ip": "122.226.169.183", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "52hxw.exe" + }, + { + "@timestamp": "2012-04-10T05:01:00.000Z", + "client.ip": "192.168.0.2", + "client.port": 63007, + "client.user.name": "crusher", + "destination.address": 
"204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 23445, + "log.original": "Mar 25 23:59:07 1,2013/03/25 23:59:07,01606001116,THREAT,url,1,2012/04/10 05:01:00,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 05:01:00,49238,1,63007,80,0,0,0x200000,tcp,block-url,\"softsellfast.com/test/config.bin\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:n39Q6RPkLwPiDU/pfHT7uRZGkXY=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "49238", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "softsellfast.com/test/config.bin", + "palo_alto.pan_os.threat_id": 
"(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 63007, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "softsellfast.com/test/config.bin" + }, + { + "@timestamp": "2012-04-10T04:45:17.000Z", + "client.ip": "109.201.131.15", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60212, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 23856, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:45:17,109.201.131.15,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:45:23,21592,1,80,60212,0,0,0x200000,tcp,deny,\"setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Netherlands,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:69YGwS9/vtp36Khj80nU/Q0TTfM=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + 
"palo_alto.pan_os.flow_id": "21592", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "setup.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "109.201.131.15", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60212, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.address": "109.201.131.15", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.location.lat": 52.3824, + "source.geo.location.lon": 4.8995, + "source.ip": "109.201.131.15", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "setup.exe" + }, + { + "@timestamp": "2012-04-10T04:46:16.000Z", + "client.ip": "91.209.163.202", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60392, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 24243, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,file,1,2012/04/10 04:46:16,91.209.163.202,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:46:22,33760,1,80,60392,0,0,0x200000,tcp,deny,\"Live-Player_setup.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,European 
Union,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:MKMWzixtfYaSoShU7T3wN6MLk5g=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "33760", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "Live-Player_setup.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "91.209.163.202", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60392, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.address": "91.209.163.202", + "source.geo.country_iso_code": "European Union", + "source.ip": "91.209.163.202", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "Live-Player_setup.exe" + }, + { + "@timestamp": "2012-04-10T04:42:39.000Z", + "client.ip": "192.168.0.2", + "client.port": 59709, + "client.user.name": "crusher", + "destination.address": "213.180.199.61", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "213.180.199.61", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + 
"input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 24645, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:39,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:39,28723,1,59709,80,0,0,0x200000,tcp,block-url,\"boialex.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:J4hfLZVy8UJEkW68RkW2hMu84Wk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28723", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "boialex.narod.ru/config.txt", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "213.180.199.61", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "213.180.199.61", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59709, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "boialex.narod.ru/config.txt" + }, + { + "@timestamp": "2012-04-10T04:42:42.000Z", + "client.ip": "192.168.0.2", + "client.port": 59721, + "client.user.name": "crusher", + "destination.address": 
"213.180.199.61", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "213.180.199.61", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 25056, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:42,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:42,28932,1,59721,80,0,0,0x200000,tcp,block-url,\"edw-melon.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:1211QM61Juawz4PBXLQBL9Q2FNA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28932", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "edw-melon.narod.ru/config.txt", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "213.180.199.61", + "0.0.0.0", + "0.0.0.0" + ], + 
"server.ip": "213.180.199.61", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59721, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "edw-melon.narod.ru/config.txt" + }, + { + "@timestamp": "2012-04-10T04:42:51.000Z", + "client.ip": "192.168.0.2", + "client.port": 59752, + "client.user.name": "crusher", + "destination.address": "213.180.199.61", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "213.180.199.61", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 25469, + "log.original": "Mar 25 23:59:12 1,2013/03/25 23:59:12,01606001116,THREAT,url,1,2012/04/10 04:42:51,192.168.0.2,213.180.199.61,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:42:51,28953,1,59752,80,0,0,0x200000,tcp,block-url,\"maximtushin.narod.ru/config.txt\",(9999),malware-sites,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,Russian Federation,0,", + "network.application": "web-browsing", + "network.community_id": "1:MQfJlERz16LAn6Hn1YhCNKLOjjA=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + 
"palo_alto.pan_os.flow_id": "28953", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "maximtushin.narod.ru/config.txt", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "213.180.199.61", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "213.180.199.61", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "maximtushin.narod.ru/config.txt" + }, + { + "@timestamp": "2012-04-10T04:19:59.000Z", + "client.ip": "173.236.179.57", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 54431, + "destination.user.name": "crusher", + "ecs.version": "1.0.0", + "event.action": "file_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 25884, + "log.original": "Mar 25 23:59:17 1,2013/03/25 23:59:17,01606001116,THREAT,file,1,2012/04/10 04:19:59,173.236.179.57,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,crusher,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:20:05,64856,1,80,54431,0,0,0x200000,tcp,deny,\"uLLGRaXP.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + 
"network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "64856", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "uLLGRaXP.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "173.236.179.57", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 54431, + "server.user.name": "crusher", + "service.type": "palo_alto", + "source.address": "173.236.179.57", + "source.geo.city_name": "Brea", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 33.9269, + "source.geo.location.lon": -117.8612, + "source.geo.region_iso_code": "US-CA", + "source.geo.region_name": "California", + "source.ip": "173.236.179.57", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "uLLGRaXP.exe" + }, + { + "@timestamp": "2012-04-10T04:09:01.000Z", + "client.ip": "192.168.0.2", + "client.port": 63183, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + 
"destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 26276, + "log.original": "Mar 25 23:59:22 1,2013/03/25 23:59:22,01606001116,THREAT,url,1,2012/04/10 04:09:01,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:09:01,55402,1,63183,80,0,0,0x200000,tcp,block-url,\"marketingsoluchion.biz/fkn/config.bin\",(9999),unknown,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:uO6RhHsqSUg1LHv5h+n+FE4cqrE=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "55402", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "marketingsoluchion.biz/fkn/config.bin", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "unknown", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "204.232.231.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 63183, + 
"source.user.name": "crusher", + "tags": [ + "pan-os" + ], + "url.original": "marketingsoluchion.biz/fkn/config.bin" + }, + { + "@timestamp": "2012-04-09T08:18:27.000Z", + "client.ip": "192.168.0.6", + "client.port": 1047, + "client.user.name": "jordy", + "destination.address": "207.46.140.46", + "destination.geo.city_name": "Hong Kong", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "HK", + "destination.geo.location.lat": 22.2833, + "destination.geo.location.lon": 114.15, + "destination.geo.region_iso_code": "HK-HCW", + "destination.geo.region_name": "Central and Western District", + "destination.ip": "207.46.140.46", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 26686, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:27,192.168.0.6,207.46.140.46,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:32,25217,1,1047,80,0,0,0x200000,tcp,alert,\"default.aspx\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:KC3xpBK9CdouZqamG9S6Mjl6LIo=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25217", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + 
"palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "default.aspx", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.6", + "207.46.140.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "207.46.140.46", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.6", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.6", + "source.port": 1047, + "source.user.name": "jordy", + "tags": [ + "pan-os" + ], + "url.original": "default.aspx" + }, + { + "@timestamp": "2012-04-09T08:18:29.000Z", + "client.ip": "65.54.161.34", + "client.port": 80, + "destination.address": "192.168.0.6", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + "destination.port": 1039, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 27064, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:29,65.54.161.34,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:34,25653,1,80,1039,0,0,0x200000,tcp,alert,\"sck.aspx\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:qtNTXnMjHLAldLWQ5/jdyuCV6Yk=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "25653", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "sck.aspx", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "65.54.161.34", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.6", + "server.port": 1039, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "65.54.161.34", + "source.geo.city_name": "Redmond", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 47.6801, + "source.geo.location.lon": -122.1206, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "65.54.161.34", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "sck.aspx" + }, + { + "@timestamp": "2012-04-09T08:18:32.000Z", + "client.ip": "65.55.5.231", + "client.port": 80, + "destination.address": "192.168.0.6", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + "destination.port": 1064, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 27437, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:18:32,65.55.5.231,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:37,25717,3,80,1064,0,0,0x200000,tcp,alert,\"ADSAdClient31.dll\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:OSQCnxYE2CqKztyfnzJHya/llPw=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "25717", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "ADSAdClient31.dll", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "65.55.5.231", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.6", + "server.port": 1064, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "65.55.5.231", + "source.geo.city_name": "Redmond", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 47.6801, + "source.geo.location.lon": -122.1206, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "65.55.5.231", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "ADSAdClient31.dll" + }, + { + "@timestamp": "2012-04-09T08:18:33.000Z", + "client.ip": "192.168.0.6", + "client.port": 1048, + "client.user.name": "jordy", + "destination.address": "65.54.71.11", + "destination.geo.city_name": "Los Angeles", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 34.0544, + "destination.geo.location.lon": -118.244, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "65.54.71.11", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 27818, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:33,192.168.0.6,65.54.71.11,0.0.0.0,0.0.0.0,rule1,jordy,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:38,25290,1,1048,80,0,0,0x200000,tcp,alert,\"c.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "web-browsing", + "network.community_id": "1:MeB0cefg5kMN7f+LW+cirwH2nA8=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25290", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "c.gif", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.6", + "65.54.71.11", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": 
"65.54.71.11", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.6", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.6", + "source.port": 1048, + "source.user.name": "jordy", + "tags": [ + "pan-os" + ], + "url.original": "c.gif" + }, + { + "@timestamp": "2012-04-09T08:18:37.000Z", + "client.ip": "74.125.239.17", + "client.port": 80, + "destination.address": "192.168.0.6", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + "destination.port": 1071, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 28187, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:18:37,74.125.239.17,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:18:42,25932,1,80,1071,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:iDmf9CnG+CdUuHWmwVsmhee3/Qs=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "25932", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 
0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "csi", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.239.17", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.6", + "server.port": 1071, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "74.125.239.17", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.17", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "csi" + }, + { + "@timestamp": "2012-04-09T08:50:12.000Z", + "client.ip": "192.168.0.2", + "client.port": 57502, + "client.user.name": "picard", + "destination.address": "208.85.40.48", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.85.40.48", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 28556, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 08:50:12,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,picard,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:50:17,28264,1,57502,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "pandora", + "network.community_id": "1:c67I85z1uJV7VW6M9MR5Q8fjHQM=", + "network.direction": 
"inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28264", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "internal-tuner.pandora.com", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "208.85.40.48", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.85.40.48", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 57502, + "source.user.name": "picard", + "tags": [ + "pan-os" + ], + "url.original": "internal-tuner.pandora.com" + }, + { + "@timestamp": "2012-04-09T08:58:18.000Z", + "client.ip": "74.125.224.198", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 57876, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 28944, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,data,1,2012/04/09 
08:58:18,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:58:22,29312,1,80,57876,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:w5GKumufuJCv3Gw8bvP3vTxap24=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "29312", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.198", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 57876, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.224.198", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.198", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T08:22:27.000Z", + "client.ip": "188.190.124.75", + "client.port": 80, + "destination.address": "192.168.0.6", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + "destination.port": 1082, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "file_match", + 
"event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "deny", + "event.severity": 4, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "low", + "log.offset": 29319, + "log.original": "Mar 25 23:59:32 1,2013/03/25 23:59:32,01606001116,THREAT,file,1,2012/04/09 08:22:27,188.190.124.75,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:22:31,26747,1,80,1082,0,0,0x200000,tcp,deny,\"about.exe\",Windows Executable (EXE)(52020),any,low,server-to-client,0,0x0,Ukraine,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:a7oyQr47OdJP8ZnG9SCELvH8aco=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "26747", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "about.exe", + "palo_alto.pan_os.threat_id": "Windows Executable (EXE)(52020)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "188.190.124.75", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.6", + "server.port": 1082, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "188.190.124.75", + "source.geo.country_iso_code": "Ukraine", + "source.ip": "188.190.124.75", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "about.exe" + }, + { + "@timestamp": "2012-04-09T07:11:43.000Z", + "client.ip": 
"74.125.224.200", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 50986, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 29699, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:11:43,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:11:48,19205,1,80,50986,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:yyAK8WOE46l0/k8dVOECI6qa2zQ=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "19205", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 50986, + "server.user.name": "picard", + 
"service.type": "palo_alto", + "source.address": "74.125.224.200", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:14:02.000Z", + "client.ip": "74.125.239.3", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 51716, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 30074, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:02,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:07,19360,1,80,51716,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:15fj8zz0nlNi/Fnz8ibhS9Ihqdg=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "19360", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", 
+ "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.239.3", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 51716, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.239.3", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.3", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:14:39.000Z", + "client.ip": "74.125.239.3", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 52119, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 30447, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:14:39,74.125.239.3,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:14:44,19696,1,80,52119,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:fl9AVyrQeXPX/eoeKOy+6/UoR8M=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": 
"01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "19696", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.239.3", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 52119, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.239.3", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.3", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:16:03.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 52411, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 30820, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 
07:16:03,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:16:08,19679,1,80,52411,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:cHzYL+SCc86AntedL6fbRx+2wzE=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "19679", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 52411, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.224.200", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:18:14.000Z", + "client.ip": "192.168.0.2", + "client.port": 52366, + "client.user.name": "picard", + "destination.address": "74.125.239.6", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + 
"destination.ip": "74.125.239.6", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 31195, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:18:14,192.168.0.2,74.125.239.6,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:18:19,19448,1,52366,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "google-analytics", + "network.community_id": "1:pRuFj5DzdmtFceU+OTawbYPhbJg=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "19448", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "__utm.gif", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "74.125.239.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "74.125.239.6", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 52366, + "source.user.name": "picard", + 
"tags": [ + "pan-os" + ], + "url.original": "__utm.gif" + }, + { + "@timestamp": "2012-04-09T07:25:04.000Z", + "client.ip": "74.125.224.193", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 53026, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 31575, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:25:04,74.125.224.193,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:25:09,20422,1,80,53026,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:e27i7C6aBac+TOOJNFkXsvos7v0=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "20422", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.193", + 
"192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 53026, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.224.193", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.193", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T07:36:04.000Z", + "client.ip": "74.125.239.20", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 53809, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 31950, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 07:36:04,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 07:36:09,21267,1,80,53809,0,0,0x200000,tcp,alert,\"nav_logo107.png\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:I0nRW7fXHKg0He8sWEMh90mqrd8=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "21267", 
+ "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "nav_logo107.png", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.239.20", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 53809, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.239.20", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.20", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "nav_logo107.png" + }, + { + "@timestamp": "2012-04-09T08:08:08.000Z", + "client.ip": "208.80.154.225", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 55912, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 32333, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:08,208.80.154.225,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:13,24567,1,80,55912,0,0,0x200000,tcp,alert,\"Eadweard_Muybridge\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": 
"web-browsing", + "network.community_id": "1:W08oA4XVHxagaCryNLen9OoTnPk=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "24567", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "Eadweard_Muybridge", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "208.80.154.225", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 55912, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "208.80.154.225", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "208.80.154.225", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "Eadweard_Muybridge" + }, + { + "@timestamp": "2012-04-09T08:08:44.000Z", + "client.ip": "208.80.154.234", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 55916, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 
32720, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:08:44,208.80.154.234,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:08:49,24646,1,80,55916,0,0,0x200000,tcp,alert,\"load.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:tvB7u/5+rW38IXXGXjbdYYdzJ5s=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "24646", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "load.php", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "208.80.154.234", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 55916, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "208.80.154.234", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "208.80.154.234", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "load.php" + }, + { + "@timestamp": "2012-04-09T08:16:57.000Z", + "client.ip": "65.54.75.25", + "client.port": 80, + "destination.address": "192.168.0.6", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.6", + 
"destination.port": 1046, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 33097, + "log.original": "Mar 25 23:59:37 1,2013/03/25 23:59:37,01606001116,THREAT,data,1,2012/04/09 08:16:57,65.54.75.25,192.168.0.6,0.0.0.0,0.0.0.0,rule1,,jordy,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 08:17:01,25874,1,80,1046,0,0,0x200000,tcp,reset-both,\"8fe44cb728c0f40750c64ee906eb72.css\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:LvKTW1EWi7nem/oAlX14Sg2W9kU=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "25874", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "8fe44cb728c0f40750c64ee906eb72.css", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "65.54.75.25", + "192.168.0.6", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.6", + "server.port": 1046, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "65.54.75.25", + "source.geo.city_name": "Los Angeles", + "source.geo.continent_name": 
"North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 34.0544, + "source.geo.location.lon": -118.244, + "source.geo.region_iso_code": "US-CA", + "source.geo.region_name": "California", + "source.ip": "65.54.75.25", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "8fe44cb728c0f40750c64ee906eb72.css" + }, + { + "@timestamp": "2012-04-09T04:06:41.000Z", + "client.ip": "74.125.224.206", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61734, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 33500, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:06:41,74.125.224.206,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:06:46,2175,1,80,61734,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:Iur0h7DmmxbVfmJ8EKqn0v73b88=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "2175", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + 
"palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.206", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 61734, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "74.125.224.206", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.206", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T04:12:52.000Z", + "client.ip": "74.125.224.195", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 62292, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 33873, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 04:12:52,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:12:57,3046,1,80,62292,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:n3f9RX9U3DOM57vpn8aB1QSo2Yw=", + "network.direction": "outbound", + 
"network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "3046", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.195", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 62292, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "74.125.224.195", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.195", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T06:07:49.000Z", + "client.ip": "207.178.96.34", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 64669, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 34246, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 
06:07:49,207.178.96.34,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,rss,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:07:54,1560,1,80,64669,0,0,0x200000,tcp,alert,\"appcast.xml\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "rss", + "network.community_id": "1:K6mY9EnrwYs1/a01d++OZ3kna2g=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "1560", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "appcast.xml", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "207.178.96.34", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 64669, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "207.178.96.34", + "source.geo.city_name": "Wichita", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.6875, + "source.geo.location.lon": -97.338, + "source.geo.region_iso_code": "US-KS", + "source.geo.region_name": "Kansas", + "source.ip": "207.178.96.34", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "appcast.xml" + }, + { + "@timestamp": "2012-04-09T06:48:44.000Z", + "client.ip": "74.125.224.195", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + 
"destination.port": 65265, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 34614, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:44,74.125.224.195,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:48:48,16852,1,80,65265,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:u89cWOeFF4sWlYYJHVB+nr6g6Qg=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "16852", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.195", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 65265, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.224.195", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 
37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.195", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T06:48:59.000Z", + "client.ip": "74.125.239.20", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 64979, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 34989, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:48:59,74.125.239.20,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:49:05,15948,1,80,64979,0,0,0x200000,tcp,alert,\"csi\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:QmMWJ0pdk04yRgDj9m6OAKnXpDY=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "15948", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "csi", + "palo_alto.pan_os.threat_id": "PII(60000)", + 
"palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.239.20", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 64979, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.239.20", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.239.20", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "csi" + }, + { + "@timestamp": "2012-04-09T06:50:14.000Z", + "client.ip": "66.152.109.24", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 49432, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 35360, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:50:14,66.152.109.24,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:50:19,17028,1,80,49432,0,0,0x200000,tcp,alert,\"index.php\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "web-browsing", + "network.community_id": "1:d3Kvg96HWrCNAfAK3vx2Uqglkdo=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + 
"palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "17028", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "index.php", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "66.152.109.24", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 49432, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "66.152.109.24", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "66.152.109.24", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "index.php" + }, + { + "@timestamp": "2012-04-09T06:51:34.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 49722, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 35737, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:51:34,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 
06:51:39,15878,1,80,49722,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:+c2DVc+anjtRZ3iRsjbG51UM+JA=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "15878", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 49722, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.224.200", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T06:53:41.000Z", + "client.ip": "192.168.0.2", + "client.port": 49681, + "client.user.name": "picard", + "destination.address": "74.125.224.201", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "74.125.224.201", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": 
"security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 36112, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:53:41,192.168.0.2,74.125.224.201,0.0.0.0,0.0.0.0,rule1,picard,,google-analytics,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:53:47,16602,1,49681,80,0,0,0x200000,tcp,alert,\"__utm.gif\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "google-analytics", + "network.community_id": "1:5z6QdMj01RaYM1NdZtQSRQgE9gk=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "16602", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "__utm.gif", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "74.125.224.201", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "74.125.224.201", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 49681, + "source.user.name": "picard", + "tags": [ + "pan-os" + ], + "url.original": "__utm.gif" + }, + { + "@timestamp": "2012-04-09T06:54:35.000Z", + "client.ip": 
"74.125.224.200", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 50108, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 36494, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:35,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:54:41,17433,1,80,50108,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:Ut9W+vlgpMAH7M4p87nZ/gF7zO8=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "17433", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 50108, + "server.user.name": "picard", + 
"service.type": "palo_alto", + "source.address": "74.125.224.200", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T06:54:55.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 50387, + "destination.user.name": "picard", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 36869, + "log.original": "Mar 25 23:59:42 1,2013/03/25 23:59:42,01606001116,THREAT,data,1,2012/04/09 06:54:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,picard,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 06:55:00,17104,1,80,50387,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:MNjszUBgbVupAxKdr7W7OIvU2lo=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "17104", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": 
"0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 50387, + "server.user.name": "picard", + "service.type": "palo_alto", + "source.address": "74.125.224.200", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:44:49.000Z", + "client.ip": "192.168.0.2", + "client.port": 59781, + "client.user.name": "jordy", + "destination.address": "208.85.40.48", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.85.40.48", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 37244, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:44:49,192.168.0.2,208.85.40.48,0.0.0.0,0.0.0.0,rule1,jordy,,pandora,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:44:55,63706,1,59781,80,0,0,0x200000,tcp,alert,\"internal-tuner.pandora.com\",PII(60000),any,informational,client-to-server,0,0x0,192.168.0.0-192.168.255.255,United States,0,", + "network.application": "pandora", + "network.community_id": 
"1:PzMJQoALQDxnDaqwOEEz4zxyhHU=", + "network.direction": "inbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "63706", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "internal-tuner.pandora.com", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "208.85.40.48", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "208.85.40.48", + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.0.2", + "source.port": 59781, + "source.user.name": "jordy", + "tags": [ + "pan-os" + ], + "url.original": "internal-tuner.pandora.com" + }, + { + "@timestamp": "2012-04-09T03:45:45.000Z", + "client.ip": "74.125.224.201", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60005, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 37631, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 
03:45:45,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:45:50,65257,1,80,60005,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:ThkQfWduH5PZoI7qa/R4rWqT2VM=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "65257", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.201", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60005, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "74.125.224.201", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.201", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:49:17.000Z", + "client.ip": "74.125.224.201", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60443, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + 
"event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 38005, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:49:17,74.125.224.201,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:49:22,537,1,80,60443,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:Fd/TWc6RIS9q2bsgzztXrAAL4Ek=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "537", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.201", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60443, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "74.125.224.201", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.201", + "source.port": 80, + "tags": [ + "pan-os" + ], + 
"url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:53:41.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60822, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 38377, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:53:41,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:53:45,914,1,80,60822,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:7gqxhjxtnxyQnsvGukcI+WZWzAY=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "914", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + 
"server.ip": "192.168.0.2", + "server.port": 60822, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "74.125.224.200", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:55:23.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61105, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 38749, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:23,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:28,1475,1,80,61105,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-maps", + "network.community_id": "1:ZzHOd7AFzjbGqVCj9S3bTNHFX4Q=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "1475", + "palo_alto.pan_os.ruleset": "rule1", + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.200", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 61105, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "74.125.224.200", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.200", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "js" + }, + { + "@timestamp": "2012-04-09T03:55:52.000Z", + "client.ip": "74.125.224.198", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 60782, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "alert", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 39122, + "log.original": "Mar 25 23:59:47 1,2013/03/25 23:59:47,01606001116,THREAT,data,1,2012/04/09 03:55:52,74.125.224.198,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-analytics,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 03:55:57,883,1,80,60782,0,0,0x200000,tcp,alert,\"ga.js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,", + "network.application": "google-analytics", + "network.community_id": 
"1:uH37XIov0Sgv5kARW8dP9vrOs7w=", + "network.direction": "outbound", + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "883", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.threat_file_or_url": "ga.js", + "palo_alto.pan_os.threat_id": "PII(60000)", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "74.125.224.198", + "192.168.0.2", + "0.0.0.0", + "0.0.0.0" + ], + "server.ip": "192.168.0.2", + "server.port": 60782, + "server.user.name": "jordy", + "service.type": "palo_alto", + "source.address": "74.125.224.198", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "74.125.224.198", + "source.port": 80, + "tags": [ + "pan-os" + ], + "url.original": "ga.js" + }, + { + "@timestamp": "2012-04-09T04:03:55.000Z", + "client.ip": "74.125.224.200", + "client.port": 80, + "destination.address": "192.168.0.2", + "destination.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "destination.ip": "192.168.0.2", + "destination.port": 61470, + "destination.user.name": "jordy", + "ecs.version": "1.0.0", + "event.action": "data_match", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.level": "informational", + "log.offset": 39497, + "log.original": "Mar 25 23:59:47 1,2013/03/25 
23:59:47,01606001116,THREAT,data,1,2012/04/09 04:03:55,74.125.224.200,192.168.0.2,0.0.0.0,0.0.0.0,rule1,,jordy,google-maps,vsys1,untrust,trust,ethernet1/2,ethernet1/1,forwardAll,2012/04/09 04:04:00,1965,1,80,61470,0,0,0x200000,tcp,reset-both,\"js\",PII(60000),any,informational,server-to-client,0,0x0,United States,192.168.0.0-192.168.255.255,0,",
+ "network.application": "google-maps",
+ "network.community_id": "1:9jnjFXERN6VFakI1U/qwzyqifzg=",
+ "network.direction": "outbound",
+ "network.transport": "tcp",
+ "observer.serial_number": "01606001116",
+ "palo_alto.pan_os.destination.interface": "ethernet1/1",
+ "palo_alto.pan_os.destination.nat.ip": "0.0.0.0",
+ "palo_alto.pan_os.destination.nat.port": 0,
+ "palo_alto.pan_os.destination.zone": "trust",
+ "palo_alto.pan_os.flow_id": "1965",
+ "palo_alto.pan_os.ruleset": "rule1",
+ "palo_alto.pan_os.source.interface": "ethernet1/2",
+ "palo_alto.pan_os.source.nat.ip": "0.0.0.0",
+ "palo_alto.pan_os.source.nat.port": 0,
+ "palo_alto.pan_os.source.zone": "untrust",
+ "palo_alto.pan_os.threat_file_or_url": "js",
+ "palo_alto.pan_os.threat_id": "PII(60000)",
+ "palo_alto.pan_os.url.category": "any",
+ "related.ip": [
+ "74.125.224.200",
+ "192.168.0.2",
+ "0.0.0.0",
+ "0.0.0.0"
+ ],
+ "server.ip": "192.168.0.2",
+ "server.port": 61470,
+ "server.user.name": "jordy",
+ "service.type": "palo_alto",
+ "source.address": "74.125.224.200",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 37.751,
+ "source.geo.location.lon": -97.822,
+ "source.ip": "74.125.224.200",
+ "source.port": 80,
+ "tags": [
+ "pan-os"
+ ],
+ "url.original": "js"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log
new file mode 100644
index 00000000000..70d2804a712
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log
@@ -0,0 +1,100 @@
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 
09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,98.149.55.63,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8 +Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 
09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:54,192.168.0.2,65.55.223.19,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.24,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7 +Oct 30 09:46:27 1,2012/10/30 
09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,65.55.223.31,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0 +Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
+Oct 30 09:46:32 1,2012/10/30 
09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,8.5.1.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24961,1,52531,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10
+Oct 30 09:46:37 
1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25194,1,56463,53,0,0,0x200000,udp,allow,214,77,137,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26257,1,55849,53,0,0,0x200000,udp,allow,170,77,93,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:49,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24844,1,56995,53,0,0,0x200000,udp,allow,176,176,0,2,2012/04/10 04:39:18,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:48,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
+Oct 30 09:46:42 1,2012/10/30 
09:46:42,01606001116,TRAFFIC,end,1,2012/04/10 04:39:47,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25310,1,60026,53,0,0,0x200000,udp,allow,166,166,0,2,2012/04/10 04:39:16,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1
+Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json
new file mode 100644
index 00000000000..bdf2ad4d7ba
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/pan_os/test/pan_inc_traffic.log-expected.json
@@ -0,0 +1,7135 @@ +[ + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59324, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:59.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:59.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 0, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,11449,1,59324,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:59,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:MaqerLAYuvMg6JWjWKmIMO6QJ6s=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "11449", + 
"palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59324, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 54448, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 364, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25572,1,54448,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 
04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:rmRctS0ZS56Ixay3V5beNERhPNc=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25572", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 54448, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 53121, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": 
"2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 717, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26208,1,53121,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:NmeRH4O3xNBaUjzIOpdGXeAJ/sg=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26208", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 53121, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59323, + "client.user.name": "crusher", 
+ "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 1070, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,14931,1,59323,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:ej/0QPUwuraByxuNxWsOp2ouPuE=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "14931", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + 
"palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59323, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59322, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 1434, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25544,1,59322,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:XHKuVPA6enGOr0Qng8AJtYTgWAQ=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25544", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59322, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 74, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 55766, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 74, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + 
"event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 1798, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,25308,1,55766,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 74, + "network.community_id": "1:bkpOCSg/r3P7zn1eVdfrSSHQMn0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25308", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 55766, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 74, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 55072, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + 
"destination.bytes": 74, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 2151, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:58,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:59,26376,1,55072,53,0,0,0x200000,udp,allow,74,74,0,1,2012/04/10 04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 74, + "network.community_id": "1:f08UBDqcNW5jC3R+i40XfD1g8l8=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26376", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + 
"server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 55072, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59207, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:28.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:27.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 2504, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25118,1,59207,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:kGyE7FdnFLrk4Cc6NHaD5WeE81A=", + "network.direction": "outbound", + "network.packets": 10, + 
"network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25118", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59207, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59209, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:28.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + 
"event.start": "2012-04-10T04:39:28.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 2889, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,26146,1,59209,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:28,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:pxN/AvFcFozLjRgniFdZmScORYQ=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26146", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59209, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:58.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59208, + "client.user.name": "crusher", + 
"destination.address": "204.232.231.46", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:28.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:27.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 3274, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,end,1,2012/04/10 04:39:58,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25272,1,59208,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:HmuQtYxq+NpgJ0zVEIpz7zLNOKM=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25272", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": 
"0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59208, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59318, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:58.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 3659, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,24069,1,59318,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 
04:39:58,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:I7NZAEypUvCTVa5iVWyAsWeEWgY=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24069", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59318, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59317, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + 
"event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:57.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:57.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 4023, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25848,1,59317,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25848", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59317, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + 
"@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59316, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:57.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:57.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 4387, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25179,1,59316,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25179", + "palo_alto.pan_os.ruleset": 
"rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59316, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59315, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:57.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:57.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 4751, + "log.original": "Oct 30 09:46:12 1,2012/10/30 09:46:12,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:58,25112,1,59315,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:57,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25112", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59315, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59206, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + 
"destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:27.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 5115, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26161,1,59206,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:27,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:SIxV4kkvJlBljF+gLKAaihputgk=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26161", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 
6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59206, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:57.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59205, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:26.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 5500, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:57,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26000,1,59205,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,1,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:rpU2pqp4ioYKgiuDEfjZitnLkow=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": 
"01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26000", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59205, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 1359, + "client.ip": "192.168.0.2", + "client.packets": 3, + "client.port": 56858, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 1359, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 18, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 512000000000, + "event.end": "2012-04-10T04:38:26.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:29:54.000Z", + 
"fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 5885, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,65184,1,56858,80,0,0,0x200000,tcp,allow,1910,1359,551,21,2012/04/10 04:29:54,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", + "network.application": "web-browsing", + "network.bytes": 1910, + "network.community_id": "1:JuKJfhPs1pDZMiwy04nz1EsD7PA=", + "network.direction": "outbound", + "network.packets": 21, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "65184", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 551, + "server.ip": "204.232.231.46", + "server.packets": 18, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 551, + "source.ip": "192.168.0.2", + "source.packets": 3, + "source.port": 56858, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59314, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + 
"destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 6267, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26522,1,59314,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26522", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59314, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59313, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 6631, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26067,1,59313,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + 
"network.community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26067", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59313, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 69, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52139, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 69, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + 
"fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 6995, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26573,1,52139,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 69, + "network.community_id": "1:vFErz1cKNExckY21peQ3YAc8Tmk=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26573", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52139, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 69, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60592, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 69, + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 7348, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,26894,1,60592,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 69, + "network.community_id": "1:i4rdWjY94ZjxNIBve+QH3YwdL04=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26894", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + 
"service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60592, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59309, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 7701, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:57,25149,1,59309,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": 
"ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25149", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59309, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 66, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 57322, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 66, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:26.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:26.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 8065, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:56,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25258,1,57322,53,0,0,0x200000,udp,allow,164,66,98,2,2012/04/10 04:39:26,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 164, + "network.community_id": "1:GjCL7PEzM4X3r7frQ42mW+tNEIQ=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25258", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 98, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 98, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 57322, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59204, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + 
"destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:26.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:26.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 8418, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25025,1,59204,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:2+g5+FYJDJku+1Cl3ZbhVCYdAog=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25025", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 
6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59204, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:56.000Z", + "client.bytes": 549, + "client.ip": "192.168.0.2", + "client.packets": 4, + "client.port": 59203, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 549, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:26.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:26.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 8803, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,end,1,2012/04/10 04:39:56,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26138,1,59203,80,0,0,0x200000,tcp,allow,1355,549,806,10,2012/04/10 04:39:26,0,private-ip-addresses,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,6,4", + "network.application": "web-browsing", + "network.bytes": 1355, + "network.community_id": "1:+ENVPObTW4uBLTLg/Gs7oB3/t0E=", + "network.direction": "outbound", + "network.packets": 10, + "network.transport": "tcp", + "observer.serial_number": 
"01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26138", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "private-ip-addresses", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 806, + "server.ip": "204.232.231.46", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 806, + "source.ip": "192.168.0.2", + "source.packets": 4, + "source.port": 59203, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59305, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:56.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:56.000Z", + "fileset.name": 
"pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 9188, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,27175,1,59305,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:56,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:TPp8b1ubMhxmeJWRt0DCagjd7jA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27175", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59305, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 69, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 64005, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 69, + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 9552, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26261,1,64005,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 69, + "network.community_id": "1:9xSXx0HsnsbhZkZ6kFjNeIn1Aw8=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26261", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + 
"service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 64005, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 69, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 58768, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 69, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 9905, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,25022,1,58768,53,0,0,0x200000,udp,allow,69,69,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 69, + "network.community_id": "1:Ukie7FwgRVUkTl4/hKbkxseBqj0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + 
"palo_alto.pan_os.flow_id": "25022", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 58768, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 504, + "client.ip": "192.168.0.2", + "client.packets": 8, + "client.port": 47752, + "client.user.name": "crusher", + "destination.address": "98.149.55.63", + "destination.bytes": 504, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "98.149.55.63", + "destination.packets": 8, + "destination.port": 13069, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 125000000000, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:37:50.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 10258, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,98.149.55.63,0.0.0.0,0.0.0.0,rule1,crusher,,skype,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:56,24027,1,47752,13069,0,0,0x200000,udp,allow,1008,504,504,16,2012/04/10 04:37:50,125,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,8,8", + "network.application": "skype", + "network.bytes": 1008, + "network.community_id": "1:7+CQvC/DGk2fhUdWzglWwYXYMZE=", + "network.direction": "outbound", + "network.packets": 16, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24027", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "98.149.55.63", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 504, + "server.ip": "98.149.55.63", + "server.packets": 8, + "server.port": 13069, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 504, + "source.ip": "192.168.0.2", + "source.packets": 8, + "source.port": 47752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59304, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + 
"destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 10624, + "log.original": "Oct 30 09:46:17 1,2012/10/30 09:46:17,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26360,1,59304,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26360", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + 
"source.port": 59304, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 71, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 54533, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 10988, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:55,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:56,26394,1,54533,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 71, + "network.community_id": "1:x/kpg5sNW5nn7RkabTWPIKsvO58=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26394", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 54533, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:55.000Z", + "client.bytes": 837, + "client.ip": "192.168.0.2", + "client.packets": 10, + "client.port": 59201, + "client.user.name": "crusher", + "destination.address": "212.48.10.58", + "destination.bytes": 837, + "destination.geo.city_name": "Milan", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 45.4667, + "destination.geo.location.lon": 9.2, + "destination.geo.region_iso_code": "IT-MI", + "destination.geo.region_name": "Milan", + "destination.ip": "212.48.10.58", + "destination.packets": 10, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 11341, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:55,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:55,24917,1,59201,80,0,0,0x200000,tcp,allow,9967,837,9130,20,2012/04/10 04:39:24,1,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,10,10", + "network.application": "web-browsing", + "network.bytes": 9967, + "network.community_id": "1:GL6UBrkzpi/gQHrUyqxHb1jJeUU=", + "network.direction": "outbound", + "network.packets": 20, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24917", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "212.48.10.58", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 9130, + "server.ip": "212.48.10.58", + "server.packets": 10, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 9130, + "source.ip": "192.168.0.2", + "source.packets": 10, + "source.port": 59201, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59303, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": 
"204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:55.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 11713, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,22860,1,59303,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:55,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22860", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + 
"source.packets": 0, + "source.port": 59303, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 50876, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 12077, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,14146,1,50876,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:TuGe54F1FJdU+mNdTf97Ced2UmI=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "14146", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 50876, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 57657, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 12430, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,25876,1,57657,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + 
"network.community_id": "1:1yn57zVSr0UsUwbuL7XvzIWMbpM=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25876", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 57657, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59302, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": 
"2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 12783, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,24910,1,59302,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24910", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59302, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59301, + 
"client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 13147, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26862,1,59301,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26862", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": 
"0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59301, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 64844, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 13511, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26222,1,64844,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:SxifLhXvL8EiCuMvSbDcRARZyRw=", + "network.direction": 
"outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26222", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 64844, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52257, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 
13864, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:54,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:55,26329,1,52257,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:QYDqyZAUrBKpnIVn+epBn1ew/so=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26329", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52257, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 95, + "client.ip": "192.168.0.100", + "client.packets": 1, + "client.port": 38796, + "destination.address": "8.8.8.8", + "destination.bytes": 95, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + 
"destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "log.offset": 14217, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25142,1,38796,53,0,0,0x0,udp,allow,206,95,111,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 206, + "network.community_id": "1:shHCpyazCigToSNjn/e4N7P4biU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25142", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.100", + "8.8.8.8", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 111, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.100", + "source.bytes": 111, + "source.ip": "192.168.0.100", + "source.packets": 1, + "source.port": 38796, + "tags": [ + "pan-os" + ] 
+ }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 597, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59200, + "client.user.name": "crusher", + "destination.address": "62.211.68.12", + "destination.bytes": 597, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": "IT-LT", + "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:23.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 14556, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25095,1,59200,80,0,0,0x200000,tcp,allow,1503,597,906,13,2012/04/10 04:39:23,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1503, + "network.community_id": "1:cDqhuLJdpDu0NsYQNFC3GAMS3GQ=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25095", + 
"palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "entertainment-and-arts", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 906, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 906, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59200, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 804, + "client.ip": "192.168.0.100", + "client.packets": 7, + "client.port": 48412, + "destination.address": "50.19.102.116", + "destination.bytes": 804, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "50.19.102.116", + "destination.packets": 10, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "log.offset": 14933, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,50.19.102.116,0.0.0.0,0.0.0.0,rule1,,,paloalto-wildfire-cloud,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:54,24787,1,48412,443,0,0,0x0,tcp,allow,5817,804,5013,17,2012/04/10 04:39:24,0,computer-and-internet-security,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,10,7", + "network.application": "paloalto-wildfire-cloud", + "network.bytes": 5817, + "network.community_id": "1:uf1iUYRFFiUYttG2AFf4pcXOdjw=", + "network.direction": "outbound", + "network.packets": 17, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24787", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-security", + "related.ip": [ + "192.168.0.100", + "50.19.102.116", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 5013, + "server.ip": "50.19.102.116", + "server.packets": 10, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.0.100", + "source.bytes": 5013, + "source.ip": "192.168.0.100", + "source.packets": 7, + "source.port": 48412, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 187, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 47752, + "client.user.name": "crusher", + "destination.address": "65.55.223.19", + "destination.bytes": 187, + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7163, + "destination.geo.location.lon": -78.1704, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + 
"destination.ip": "65.55.223.19", + "destination.packets": 1, + "destination.port": 40026, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 15331, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.19,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25948,1,47752,40026,0,0,0x200000,udp,allow,286,187,99,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "skype-probe", + "network.bytes": 286, + "network.community_id": "1:XF4dVSWPB46mtqr78f9EFUDEn6I=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25948", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "65.55.223.19", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 99, + "server.ip": "65.55.223.19", + "server.packets": 1, + "server.port": 40026, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 99, + "source.ip": 
"192.168.0.2", + "source.packets": 1, + "source.port": 47752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 47752, + "client.user.name": "crusher", + "destination.address": "65.55.223.24", + "destination.bytes": 76, + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7163, + "destination.geo.location.lon": -78.1704, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "65.55.223.24", + "destination.packets": 1, + "destination.port": 40029, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 15696, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.2,65.55.223.24,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25444,1,47752,40029,0,0,0x200000,udp,allow,978,76,902,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "skype-probe", + "network.bytes": 978, + "network.community_id": "1:HEEGx0vjlpNA8Pw0s6pBr2v0rpo=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + 
"palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25444", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "65.55.223.24", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 902, + "server.ip": "65.55.223.24", + "server.packets": 1, + "server.port": 40029, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 902, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 47752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:54.000Z", + "client.bytes": 86, + "client.ip": "192.168.0.100", + "client.packets": 1, + "client.port": 52189, + "destination.address": "8.8.8.8", + "destination.bytes": 86, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:24.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:24.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "log.offset": 16061, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,end,1,2012/04/10 04:39:54,192.168.0.100,8.8.8.8,0.0.0.0,0.0.0.0,rule1,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:54,25349,1,52189,53,0,0,0x0,udp,allow,227,86,141,2,2012/04/10 04:39:24,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 227, + "network.community_id": "1:1CvVfwyezBZcR2u+VcrEzfuQK9s=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25349", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.100", + "8.8.8.8", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 141, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.100", + "source.bytes": 141, + "source.ip": "192.168.0.100", + "source.packets": 1, + "source.port": 52189, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59300, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + 
"ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:54.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 16400, + "log.original": "Oct 30 09:46:22 1,2012/10/30 09:46:22,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,25713,1,59300,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:54,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25713", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59300, + "source.user.name": "crusher", + "tags": [ 
+ "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 73, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 54414, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 73, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 16764, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:54,26499,1,54414,53,0,0,0x200000,udp,allow,73,73,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 73, + "network.community_id": "1:K6PPTb7ohj/4wQV86uCrgAF1mcY=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26499", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": 
"0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 54414, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59299, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 17117, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25437,1,59299,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25437", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59299, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60399, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + 
"event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 17481, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24848,1,60399,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:BKNHj3e0QZpWJwLNiG4yqJnbrxk=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24848", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60399, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 166, + "client.ip": "192.168.0.2", + "client.packets": 2, + "client.port": 59626, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + 
"destination.bytes": 166, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 2, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:22.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 17834, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24924,1,59626,53,0,0,0x200000,udp,allow,482,166,316,4,2012/04/10 04:39:22,1,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,2,2", + "network.application": "dns", + "network.bytes": 482, + "network.community_id": "1:RQ3lmwvSayYq24fFbjpDDqDG+Dg=", + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24924", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + 
"server.bytes": 316, + "server.ip": "205.171.2.25", + "server.packets": 2, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 316, + "source.ip": "192.168.0.2", + "source.packets": 2, + "source.port": 59626, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 75, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 51542, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 75, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:23.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 18189, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25899,1,51542,53,0,0,0x200000,udp,allow,196,75,121,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 196, + "network.community_id": "1:g5ixoTtR3QVz4le7g1L6PZ67CmU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", 
+ "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25899", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 121, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 121, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 51542, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 75, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 54182, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 75, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:23.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 18543, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 
04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26066,1,54182,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:23,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 244, + "network.community_id": "1:z0genl/l2JGIJaNTqaSLGCLTlo4=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26066", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 169, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 169, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 54182, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 594, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59199, + "client.user.name": "crusher", + "destination.address": "62.211.68.12", + "destination.bytes": 594, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": 
"IT-LT", + "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:23.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 18897, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24908,1,59199,80,0,0,0x200000,tcp,allow,1548,594,954,13,2012/04/10 04:39:23,0,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1548, + "network.community_id": "1:cIfWskY1iVpg8gxVVTX1K8A7+MA=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24908", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 954, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + "service.type": 
"palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 954, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59199, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 1005, + "client.ip": "192.168.0.2", + "client.packets": 10, + "client.port": 59198, + "client.user.name": "crusher", + "destination.address": "212.48.10.58", + "destination.bytes": 1005, + "destination.geo.city_name": "Milan", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 45.4667, + "destination.geo.location.lon": 9.2, + "destination.geo.region_iso_code": "IT-MI", + "destination.geo.region_name": "Milan", + "destination.ip": "212.48.10.58", + "destination.packets": 12, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 2000000000, + "event.end": "2012-04-10T04:39:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 19272, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25105,1,59198,80,0,0,0x200000,tcp,allow,10135,1005,9130,22,2012/04/10 04:39:21,2,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", + "network.application": "web-browsing", + "network.bytes": 10135, + "network.community_id": "1:UPWyVvocuULCMUmJlrn6XBha7JE=", + "network.direction": "outbound", + "network.packets": 22, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + 
"palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25105", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "212.48.10.58", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 9130, + "server.ip": "212.48.10.58", + "server.packets": 12, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 9130, + "source.ip": "192.168.0.2", + "source.packets": 10, + "source.port": 59198, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 1363, + "client.ip": "192.168.0.2", + "client.packets": 3, + "client.port": 56856, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 1363, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 18, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 512000000000, + "event.end": "2012-04-10T04:38:23.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:29:51.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + 
"log.offset": 19646, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,end,1,2012/04/10 04:39:53,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,11964,1,56856,80,0,0,0x200000,tcp,allow,1918,1363,555,21,2012/04/10 04:29:51,512,malware-sites,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,18,3", + "network.application": "web-browsing", + "network.bytes": 1918, + "network.community_id": "1:jFqkUdvAr9S/yeKacw5dlE+0/o0=", + "network.direction": "outbound", + "network.packets": 21, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "11964", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "malware-sites", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 555, + "server.ip": "204.232.231.46", + "server.packets": 18, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 555, + "source.ip": "192.168.0.2", + "source.packets": 3, + "source.port": 56856, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:53.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52489, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 20028, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:53,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26502,1,52489,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:dQTHsEW3omlFoTmdZu1fchcTb9c=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26502", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + 
"service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52489, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59298, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:53.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:53.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 20381, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26338,1,59298,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:53,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": 
"ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26338", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59298, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60185, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 20745, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,24919,1,60185,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:eLVg5C7+4Gz+x6GBj4MlJHk/vyk=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24919", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60185, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 51817, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + 
"destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 21098, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26731,1,51817,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:2v1FAVArMu9Fw0rZTZH/beAYGjs=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26731", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 51817, + "source.user.name": "crusher", + "tags": 
[ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 186, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 47752, + "client.user.name": "crusher", + "destination.address": "65.55.223.31", + "destination.bytes": 186, + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7163, + "destination.geo.location.lon": -78.1704, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "65.55.223.31", + "destination.packets": 1, + "destination.port": 40043, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 21451, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,65.55.223.31,0.0.0.0,0.0.0.0,rule1,crusher,,skype-probe,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,26504,1,47752,40043,0,0,0x200000,udp,allow,186,186,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "skype-probe", + "network.bytes": 186, + "network.community_id": "1:2fa34ze5XsRR97Shg/2DWoWt57c=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26504", + 
"palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "65.55.223.31", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "65.55.223.31", + "server.packets": 1, + "server.port": 40043, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 47752, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59297, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 21817, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:52,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,25543,1,59297,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25543", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59297, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 82, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52537, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + 
"destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 22181, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:53,21948,1,52537,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 82, + "network.community_id": "1:Uym9anPFBcnC+VaX8dVhkzw/pgg=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21948", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52537, + 
"source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 82, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 53155, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:52.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 22534, + "log.original": "Oct 30 09:46:27 1,2012/10/30 09:46:27,01606001116,TRAFFIC,start,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,26279,1,53155,53,0,0,0x200000,udp,allow,82,82,0,1,2012/04/10 04:39:52,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 82, + "network.community_id": "1:BWJpN5ucpEKzwxBd0yrkows1+X4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26279", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", 
+ "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 53155, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 581, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59197, + "client.user.name": "crusher", + "destination.address": "62.211.68.12", + "destination.bytes": 581, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": "IT-LT", + "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:22.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 22887, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24894,1,59197,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 
04:39:21,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1487, + "network.community_id": "1:k2B753fAG7GMJoQhAbMrDsOfDxA=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24894", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "entertainment-and-arts", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 906, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 906, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59197, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:52.000Z", + "client.bytes": 88, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 56995, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 88, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + 
"event.duration": 0, + "event.end": "2012-04-10T04:39:22.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:22.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 23264, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:52,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24985,1,56995,53,0,0,0x200000,udp,allow,251,88,163,2,2012/04/10 04:39:22,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,1", + "network.application": "dns", + "network.bytes": 251, + "network.community_id": "1:PkU1rpfXiwvVRig4MJMcDvEUEas=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24985", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 163, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 163, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 56995, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + 
"client.port": 59069, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:51.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 23618, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25380,1,59069,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:BYZjFq0Mi2hPewpUDaO1jY2UNnA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25380", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": 
[ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59069, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.bytes": 76, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 55697, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:51.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 23971, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,24994,1,55697,53,0,0,0x200000,udp,allow,76,76,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 76, + "network.community_id": "1:l0WoNEsuwN4ml47IyB3IhM2NX6A=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": 
"ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24994", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 55697, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59295, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:51.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 24324, 
+ "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:51,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:52,25451,1,59295,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25451", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59295, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:51.000Z", + "client.bytes": 578, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59196, + "client.user.name": "crusher", + "destination.address": "62.211.68.12", + "destination.bytes": 578, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + 
"destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": "IT-LT", + "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:21.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 24688, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:51,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,24866,1,59196,80,0,0,0x200000,tcp,allow,1500,578,922,13,2012/04/10 04:39:20,1,business-and-economy,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1500, + "network.community_id": "1:t42FnU6e46qlRX0ij7ufkKPs3Co=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24866", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + 
"0.0.0.0" + ], + "server.bytes": 922, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 922, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59196, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59291, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:51.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 25063, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26414,1,59291,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:51,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=", + "network.direction": "outbound", + "network.packets": 1, + 
"network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26414", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59291, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 77, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 52858, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 77, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 25427, + "log.original": "Oct 30 
09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26131,1,52858,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 77, + "network.community_id": "1:ZVsgbE2ux52iF80QIxJN36vdI1M=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26131", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 52858, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 77, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 61383, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 77, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + 
"destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 25780, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:51,26555,1,61383,53,0,0,0x200000,udp,allow,77,77,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 77, + "network.community_id": "1:p68po3QtexuC2kor01hJgMDKiPM=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26555", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + 
"source.port": 61383, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59290, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 26133, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,15099,1,59290,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + 
"palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "15099", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59290, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 1310, + "client.ip": "192.168.0.2", + "client.packets": 22, + "client.port": 59195, + "client.user.name": "crusher", + "destination.address": "8.5.1.1", + "destination.bytes": 1310, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.5.1.1", + "destination.packets": 17, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 26497, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,8.5.1.1,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,24980,1,59195,80,0,0,0x200000,tcp,allow,28096,1310,26786,39,2012/04/10 04:39:20,0,not-resolved,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,17,22", + "network.application": "web-browsing", + "network.bytes": 28096, + "network.community_id": "1:J6pba/4Qby485gtIOBCJnQ0T04E=", + "network.direction": "outbound", + "network.packets": 39, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24980", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "not-resolved", + "related.ip": [ + "192.168.0.2", + "8.5.1.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 26786, + "server.ip": "8.5.1.1", + "server.packets": 17, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 26786, + "source.ip": "192.168.0.2", + "source.packets": 22, + "source.port": 59195, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 83, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 49812, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 83, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": 
"network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 26873, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26215,1,49812,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 83, + "network.community_id": "1:iSTXT01g3/K5eC8sEHIzTaFShsA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26215", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 49812, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 83, + 
"client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 50185, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 83, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 27226, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25881,1,50185,53,0,0,0x200000,udp,allow,83,83,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 83, + "network.community_id": "1:3UaggcKnXvkcjpVHqbTU3mCMT5E=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25881", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 50185, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59286, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:50.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 27579, + "log.original": "Oct 30 09:46:32 1,2012/10/30 09:46:32,01606001116,TRAFFIC,start,1,2012/04/10 04:39:50,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24955,1,59286,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:50,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + 
"network.community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24955", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59286, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 75, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 52531, + "client.user.name": "crusher", + "destination.address": "192.168.0.1", + "destination.bytes": 75, + "destination.ip": "192.168.0.1", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 27943, + "log.original": "Oct 30 09:46:32 1,2012/10/30 
09:46:32,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24961,1,52531,53,0,0,0x200000,udp,allow,244,75,169,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", + "network.application": "dns", + "network.bytes": 244, + "network.community_id": "1:aqHtUqeIwO72eo1M5ATE45cIze8=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24961", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 169, + "server.ip": "192.168.0.1", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 169, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 52531, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 1033, + "client.ip": "192.168.0.2", + "client.packets": 9, + "client.port": 59194, + "client.user.name": "crusher", + "destination.address": "212.48.10.58", + "destination.bytes": 1033, + "destination.geo.city_name": "Milan", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 45.4667, + 
"destination.geo.location.lon": 9.2, + "destination.geo.region_iso_code": "IT-MI", + "destination.geo.region_name": "Milan", + "destination.ip": "212.48.10.58", + "destination.packets": 12, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 3000000000, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:17.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 28310, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24226,1,59194,80,0,0,0x200000,tcp,allow,10097,1033,9064,21,2012/04/10 04:39:17,3,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,9", + "network.application": "web-browsing", + "network.bytes": 10097, + "network.community_id": "1:ZM81iQMHQAIwuZHdw5tm5lXF25A=", + "network.direction": "outbound", + "network.packets": 21, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24226", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "212.48.10.58", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 9064, + "server.ip": "212.48.10.58", 
+ "server.packets": 12, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 9064, + "source.ip": "192.168.0.2", + "source.packets": 9, + "source.port": 59194, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 981, + "client.ip": "192.168.0.2", + "client.packets": 10, + "client.port": 59192, + "client.user.name": "crusher", + "destination.address": "212.48.10.58", + "destination.bytes": 981, + "destination.geo.city_name": "Milan", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 45.4667, + "destination.geo.location.lon": 9.2, + "destination.geo.region_iso_code": "IT-MI", + "destination.geo.region_name": "Milan", + "destination.ip": "212.48.10.58", + "destination.packets": 12, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 7000000000, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 28683, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,212.48.10.58,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25129,1,59192,80,0,0,0x200000,tcp,allow,10105,981,9124,22,2012/04/10 04:39:13,7,search-engines,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,12,10", + "network.application": "web-browsing", + "network.bytes": 10105, + "network.community_id": "1:yYl3JBOjYyGDcmf0pDc+hxky9gU=", + "network.direction": "outbound", + "network.packets": 22, + "network.transport": "tcp", + "observer.serial_number": "01606001116", 
+ "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25129", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "search-engines", + "related.ip": [ + "192.168.0.2", + "212.48.10.58", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 9124, + "server.ip": "212.48.10.58", + "server.packets": 12, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 9124, + "source.ip": "192.168.0.2", + "source.packets": 10, + "source.port": 59192, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 77, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 56463, + "client.user.name": "crusher", + "destination.address": "192.168.0.1", + "destination.bytes": 77, + "destination.ip": "192.168.0.1", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 29056, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:50,25194,1,56463,53,0,0,0x200000,udp,allow,214,77,137,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", + "network.application": "dns", + "network.bytes": 214, + "network.community_id": "1:VW3f2r1OUrbsOCF06MDfY/o+epU=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25194", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 137, + "server.ip": "192.168.0.1", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 137, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 56463, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:50.000Z", + "client.bytes": 77, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 55849, + "client.user.name": "crusher", + "destination.address": "192.168.0.1", + "destination.bytes": 77, + "destination.ip": "192.168.0.1", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:20.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": 
"2012-04-10T04:39:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 29423, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:50,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26257,1,55849,53,0,0,0x200000,udp,allow,170,77,93,2,2012/04/10 04:39:20,0,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,1", + "network.application": "dns", + "network.bytes": 170, + "network.community_id": "1:yvOxIP48drmX6OmaQqFTRaGanko=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26257", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 93, + "server.ip": "192.168.0.1", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 93, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 55849, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59282, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + 
"destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 29789, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24561,1,59282,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24561", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59282, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 71, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 57846, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 30153, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26150,1,57846,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 71, + "network.community_id": "1:cWkoifFGPLq+ZcxaNzzYym9H7jI=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": 
"01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26150", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 57846, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 71, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 51008, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 30506, + "log.original": "Oct 30 09:46:37 1,2012/10/30 
09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25676,1,51008,53,0,0,0x200000,udp,allow,71,71,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 71, + "network.community_id": "1:SicjKSp4oQCovx4rjFSg+IThGYA=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25676", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 51008, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59281, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + 
"destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 30859, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,25306,1,59281,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25306", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 
1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59281, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 55252, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:49.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 31223, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,26411,1,55252,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:cp0HVI5MHMB+G4/hIuKGoX1WWac=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + 
"palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26411", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 55252, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 176, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 56995, + "client.user.name": "crusher", + "destination.address": "192.168.0.1", + "destination.bytes": 176, + "destination.ip": "192.168.0.1", + "destination.packets": 2, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:18.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 31576, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:49,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:50,24844,1,56995,53,0,0,0x200000,udp,allow,176,176,0,2,2012/04/10 04:39:18,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0", + "network.application": "dns", + 
"network.bytes": 176, + "network.community_id": "1:X6pWtJqspZOnEXaF1nKblB/B3f4=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24844", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "192.168.0.1", + "server.packets": 2, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 56995, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:49.000Z", + "client.bytes": 80, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60989, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:49.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": 
"2012-04-10T04:39:49.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 31942, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:49,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26335,1,60989,53,0,0,0x200000,udp,allow,80,80,0,1,2012/04/10 04:39:49,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 80, + "network.community_id": "1:bIf8k1Z5+8sNSsr63qo8XknzQDo=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26335", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60989, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59280, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": 
"Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 32295, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,26127,1,59280,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26127", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + 
"related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59280, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 81, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 53766, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 81, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 32659, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25488,1,53766,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 81, + "network.community_id": "1:VJaNvIgkNIXRerGHtYQC0HUPZh8=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25488", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 53766, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 81, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 56032, + "client.user.name": "crusher", + "destination.address": "205.171.2.25", + "destination.bytes": 81, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "205.171.2.25", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 33012, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,start,1,2012/04/10 
04:39:48,192.168.0.2,205.171.2.25,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:49,25269,1,56032,53,0,0,0x200000,udp,allow,81,81,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "dns", + "network.bytes": 81, + "network.community_id": "1:fMeKYeqX7mnB812D1vOtHs7BRO4=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25269", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "205.171.2.25", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "205.171.2.25", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 56032, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 581, + "client.ip": "192.168.0.2", + "client.packets": 7, + "client.port": 59193, + "client.user.name": "crusher", + "destination.address": "62.211.68.12", + "destination.bytes": 581, + "destination.geo.city_name": "Latina", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IT", + "destination.geo.location.lat": 41.4661, + "destination.geo.location.lon": 12.9043, + "destination.geo.region_iso_code": "IT-LT", 
+ "destination.geo.region_name": "Provincia di Latina", + "destination.ip": "62.211.68.12", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:18.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:17.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 33365, + "log.original": "Oct 30 09:46:37 1,2012/10/30 09:46:37,01606001116,TRAFFIC,end,1,2012/04/10 04:39:48,192.168.0.2,62.211.68.12,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25715,1,59193,80,0,0,0x200000,tcp,allow,1487,581,906,13,2012/04/10 04:39:17,1,entertainment-and-arts,0,0,0x0,192.168.0.0-192.168.255.255,Italy,0,6,7", + "network.application": "web-browsing", + "network.bytes": 1487, + "network.community_id": "1:2482BoM8NEujTrlI4lp2vfAxmus=", + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25715", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "entertainment-and-arts", + "related.ip": [ + "192.168.0.2", + "62.211.68.12", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 906, + "server.ip": "62.211.68.12", + "server.packets": 6, + "server.port": 80, + 
"service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 906, + "source.ip": "192.168.0.2", + "source.packets": 7, + "source.port": 59193, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:48.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59279, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 33742, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:48,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,26251,1,59279,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": 
"ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "26251", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59279, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59278, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:48.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:48.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 
34106, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25871,1,59278,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:48,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25871", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59278, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59277, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": 
"US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:47.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:47.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 34470, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25945,1,59277,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25945", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + 
"server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59277, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 166, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 60026, + "client.user.name": "crusher", + "destination.address": "192.168.0.1", + "destination.bytes": 166, + "destination.ip": "192.168.0.1", + "destination.packets": 2, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2012-04-10T04:39:17.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:16.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 34834, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,end,1,2012/04/10 04:39:47,192.168.0.2,192.168.0.1,0.0.0.0,0.0.0.0,rule1,crusher,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:48,25310,1,60026,53,0,0,0x200000,udp,allow,166,166,0,2,2012/04/10 04:39:16,1,any,0,0,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,2,0", + "network.application": "dns", + "network.bytes": 166, + "network.community_id": "1:h46cgrbWRw4seDnSlCbWxjLRmqs=", + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25310", + "palo_alto.pan_os.ruleset": "rule1", + 
"palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "192.168.0.1", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "192.168.0.1", + "server.packets": 2, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 60026, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 351, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 59276, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 351, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 3, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:47.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:47.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 35200, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 
04:39:47,27111,1,59276,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", + "network.application": "web-browsing", + "network.bytes": 429, + "network.community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27111", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 78, + "server.ip": "204.232.231.46", + "server.packets": 3, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 78, + "source.ip": "192.168.0.2", + "source.packets": 1, + "source.port": 59276, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:47.000Z", + "client.bytes": 351, + "client.ip": "192.168.0.2", + "client.packets": 1, + "client.port": 59275, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 351, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + 
"destination.packets": 3, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:47.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:47.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 35567, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:47,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,25398,1,59275,80,0,0,0x200000,tcp,allow,429,351,78,4,2012/04/10 04:39:47,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,3,1", + "network.application": "web-browsing", + "network.bytes": 429, + "network.community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25398", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 78, + "server.ip": "204.232.231.46", + "server.packets": 3, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 78, + "source.ip": "192.168.0.2", + "source.packets": 1, + 
"source.port": 59275, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2012-04-10T04:39:46.000Z", + "client.bytes": 78, + "client.ip": "192.168.0.2", + "client.packets": 0, + "client.port": 59274, + "client.user.name": "crusher", + "destination.address": "204.232.231.46", + "destination.bytes": 78, + "destination.geo.city_name": "Charlotte", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 35.2344, + "destination.geo.location.lon": -80.9091, + "destination.geo.region_iso_code": "US-NC", + "destination.geo.region_name": "North Carolina", + "destination.ip": "204.232.231.46", + "destination.packets": 1, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2012-04-10T04:39:46.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2012-04-10T04:39:46.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.captive_portal": true, + "log.offset": 35934, + "log.original": "Oct 30 09:46:42 1,2012/10/30 09:46:42,01606001116,TRAFFIC,start,1,2012/04/10 04:39:46,192.168.0.2,204.232.231.46,0.0.0.0,0.0.0.0,rule1,crusher,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forwardAll,2012/04/10 04:39:47,23898,1,59274,80,0,0,0x200000,tcp,allow,78,78,0,1,2012/04/10 04:39:46,0,any,0,0,0x0,192.168.0.0-192.168.255.255,United States,0,1,0", + "network.application": "web-browsing", + "network.bytes": 78, + "network.community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=", + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.serial_number": "01606001116", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "0.0.0.0", + "palo_alto.pan_os.destination.nat.port": 0, + 
"palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23898", + "palo_alto.pan_os.ruleset": "rule1", + "palo_alto.pan_os.sequence_number": 0, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "0.0.0.0", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.0.2", + "204.232.231.46", + "0.0.0.0", + "0.0.0.0" + ], + "server.bytes": 0, + "server.ip": "204.232.231.46", + "server.packets": 1, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.0.2", + "source.bytes": 0, + "source.ip": "192.168.0.2", + "source.packets": 0, + "source.port": 59274, + "source.user.name": "crusher", + "tags": [ + "pan-os" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log new file mode 100644 index 00000000000..2b6854cf5a5 --- /dev/null +++ b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log 
@@ -0,0 +1,76 @@ +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 
16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,23.72.137.131,192.168.1.63,23.72.137.131,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,"b.scorecardresearch.com/",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:38 PA-220 1,2018/11/30 
16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 
16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,"consent.cmp.oath.com/",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:53 PA-220 1,2018/11/30 
16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,"cdn.taboola.com/",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,54.192.7.152,192.168.1.63,54.192.7.152,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,"rules.quantcount.com/",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 
16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,"srv-2018-11-30-22.config.parsely.com/",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295, +Nov 30 
16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,"www.googleadservices.com/",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 
16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,"service.maxymiser.net/",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 
16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:28 PA-220 1,2018/11/30 
16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
+Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,"segment-data.zqtk.net/",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json
new file mode 100644
index 00000000000..0b4a7a42935
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/pan_os/test/threat.log-expected.json 
@@ -0,0 +1,5108 @@ +[ + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52984, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 0, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28191,1,52984,443,37679,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7726,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:mDxnuNGkonQEEYcMT0Dur/FCt/I=", + "1:qjpdroY6VaRSEUbSXzSWtUX00kc=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28191", + "palo_alto.pan_os.network.nat.community_id": "1:qjpdroY6VaRSEUbSXzSWtUX00kc=", + 
"palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 37679, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52984, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52983, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 546, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28219,1,52983,443,28249,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7727,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:svoGHRUXQeOT1QlGYhMbEalRiPU=", + "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28219", + "palo_alto.pan_os.network.nat.community_id": "1:j6so5fl9DGKhDhaNmjI+6ipOFyc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 28249, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52983, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52986, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 1092, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27723,1,52986,443,63898,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7728,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:cl1ZW9fCG1bKgQuAww26hYqxyq0=", + "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27723", + "palo_alto.pan_os.network.nat.community_id": "1:c4Xs8aAPhIYB760P+BLmrzOvjv4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 63898, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52986, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52985, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 1638, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28172,1,52985,443,7515,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7729,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + 
"network.community_id": [ + "1:0KdQcz2+OQg8Kuyqn3tvtzrtAtk=", + "1:RU/nMZByVkBbsckJ18XtpXhQlPg=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28172", + "palo_alto.pan_os.network.nat.community_id": "1:RU/nMZByVkBbsckJ18XtpXhQlPg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 7515, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52985, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52987, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": 
"block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 2183, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28151,1,52987,443,3225,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7730,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:ZuULYSnnlQSsdqWsfJBHQTPqbJo=", + "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28151", + "palo_alto.pan_os.network.nat.community_id": "1:FTVZK5v5Nqts17X+FJm/bQk1rwM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 3225, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + 
"source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52987, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52988, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 2728, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28076,1,52988,443,60449,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7731,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:ovf/7i/MclKhY1UKalpHzmmlthk=", + "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + 
"palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28076", + "palo_alto.pan_os.network.nat.community_id": "1:iHTY/vpQo2TsRYJW2n+lqb0w5f4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 60449, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52988, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52990, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 3274, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 
16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28173,1,52990,443,60559,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7732,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:K7vLQF60EynWhcmrB6/wjEG8qzI=", + "1:f+u5A73xp5gqmRCSN2kCCSbvBRg=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28173", + "palo_alto.pan_os.network.nat.community_id": "1:f+u5A73xp5gqmRCSN2kCCSbvBRg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 60559, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52990, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 52989, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 3820, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28186,1,52989,443,47414,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7733,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:nMc/XZ2HhyrMMpTfW7UK0Q7QRJM=", + "1:v4+MIeqiGJJ9Z3SUTNLFEoYtw74=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28186", + "palo_alto.pan_os.network.nat.community_id": "1:v4+MIeqiGJJ9Z3SUTNLFEoYtw74=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": 
"ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 47414, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52989, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52992, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 4366, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:36,28192,1,52992,443,37673,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7734,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:UDkY52oWrSsYAqwPSTAKyKhwzvQ=", + "1:BilmVEwf9nQIXodvin3X6lZuVAc=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28192", + "palo_alto.pan_os.network.nat.community_id": "1:BilmVEwf9nQIXodvin3X6lZuVAc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 37673, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52992, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52991, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 4912, + "log.original": "Nov 30 16:44:36 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,27011,1,52991,443,8232,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7735,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:pWCQCkwDKmw2APwAJ2GcT6QNXQg=", + "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "27011", + "palo_alto.pan_os.network.nat.community_id": "1:CmZ6KkZzaxpkJHXJn0lNskvvZLA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 8232, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52991, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52994, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 5457, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28240,1,52994,443,32982,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7736,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + 
"network.community_id": [ + "1:3V7ODANn0gD6PFiGWb7LVZcr3TY=", + "1:Xy6vXuBmLPx1/PDpu/KMI1ZPnW0=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28240", + "palo_alto.pan_os.network.nat.community_id": "1:Xy6vXuBmLPx1/PDpu/KMI1ZPnW0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 32982, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52994, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52993, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + 
"event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 6003, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28143,1,52993,443,10473,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7737,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:7WQBEq/QCPNFLId7r93vN98nPHQ=", + "1:nmxmtIja0z/MV5rgbBnScsKtW0U=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28143", + "palo_alto.pan_os.network.nat.community_id": "1:nmxmtIja0z/MV5rgbBnScsKtW0U=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 10473, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": 
"palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52993, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52995, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 6549, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28272,1,52995,443,20446,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7738,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:r3rve3ghPTa/BACcRlan0FEgZFw=", + "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": 
"152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28272", + "palo_alto.pan_os.network.nat.community_id": "1:XNlHvX7cDGGCkvSS/aFHGg/RnAk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 20446, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52995, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + "client.port": 52996, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 7095, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 
16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28146,1,52996,443,34699,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7739,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:2A2PtRAEa2EIbgp0B+6pQMVyM1o=", + "1:DqCF4BufQU/spPG8UYok6IrChWo=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28146", + "palo_alto.pan_os.network.nat.community_id": "1:DqCF4BufQU/spPG8UYok6IrChWo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 34699, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52996, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:36.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 52997, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 7641, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:36,012801096514,THREAT,url,2049,2018/11/30 16:44:36,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:36,28278,1,52997,443,22820,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7740,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:ttgSlbqHs+GKueSexHsquCbfjCk=", + "1:lJHLfl+/x95GohXozN52zokIxvA=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28278", + "palo_alto.pan_os.network.nat.community_id": "1:lJHLfl+/x95GohXozN52zokIxvA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": 
"ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22820, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52997, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:37.000Z", + "client.ip": "192.168.15.224", + "client.port": 52998, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 8187, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:37,28185,1,52998,443,41060,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7741,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:h4Yhxi4lfeFiizTNiugYzEk9CM4=", + "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28185", + "palo_alto.pan_os.network.nat.community_id": "1:OVE3ctnTt5X1L6qNDr4QILL0dFg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 41060, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52998, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:37.000Z", + "client.ip": "192.168.15.224", + "client.port": 52999, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 8733, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28201,1,52999,443,9058,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7742,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:SsYXkesHdCi9Tx1qsjfCIH8mHm4=", + "1:bzhUSIQYpz+jY7TA+j8UmFOdJ08=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28201", + "palo_alto.pan_os.network.nat.community_id": "1:bzhUSIQYpz+jY7TA+j8UmFOdJ08=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 9058, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 52999, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:37.000Z", + "client.ip": "192.168.15.224", + "client.port": 53001, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 9278, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28148,1,53001,443,54846,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7743,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + 
"network.community_id": [ + "1:84WYKtahMlLwf+ZletWf/DNnE30=", + "1:NRiTxPYsIvfOnUXhwuF5KPucNf8=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28148", + "palo_alto.pan_os.network.nat.community_id": "1:NRiTxPYsIvfOnUXhwuF5KPucNf8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 54846, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53001, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:37.000Z", + "client.ip": "192.168.15.224", + "client.port": 53002, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + 
"event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 9824, + "log.original": "Nov 30 16:44:37 PA-220 1,2018/11/30 16:44:37,012801096514,THREAT,url,2049,2018/11/30 16:44:37,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:37,28121,1,53002,443,52731,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7744,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:X4Zvg9D/bP0EYECRSLna3za4r68=", + "1:9noBCzeHKSZpuQWETkS7W5mOTT0=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28121", + "palo_alto.pan_os.network.nat.community_id": "1:9noBCzeHKSZpuQWETkS7W5mOTT0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 52731, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": 
"palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53002, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:38.000Z", + "client.ip": "192.168.15.224", + "client.port": 53003, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 10370, + "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28228,1,53003,443,15165,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7745,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:greC2ffRfw5diAvjZvd+je5rhrk=", + "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": 
"152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28228", + "palo_alto.pan_os.network.nat.community_id": "1:NQ3UU1pIt7hTJ2TYkbe6yjIVIsw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 15165, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53003, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:38.000Z", + "client.ip": "192.168.15.224", + "client.port": 53004, + "destination.address": "23.72.137.131", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.137.131", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 10916, + "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 
16:44:38,192.168.15.224,23.72.137.131,192.168.1.63,23.72.137.131,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28196,1,53004,443,53918,443,0x403000,tcp,block-url,\"b.scorecardresearch.com/\",(9999),business-and-economy,informational,client-to-server,7746,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:EcYXcH6rGmgtHGDCjUQcmM+hR0c=", + "1:pzcUv98hFdzW07/5bQ15jcEOAAM=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.137.131", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28196", + "palo_alto.pan_os.network.nat.community_id": "1:pzcUv98hFdzW07/5bQ15jcEOAAM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 53918, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "b.scorecardresearch.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.137.131", + "192.168.1.63", + "23.72.137.131" + ], + "server.ip": "23.72.137.131", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53004, + "tags": [ + "pan-os" + ], + "url.original": "b.scorecardresearch.com/" + }, + { + "@timestamp": "2018-11-30T16:44:38.000Z", + "client.ip": "192.168.15.224", 
+ "client.port": 53000, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 11463, + "log.original": "Nov 30 16:44:38 PA-220 1,2018/11/30 16:44:38,012801096514,THREAT,url,2049,2018/11/30 16:44:38,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:38,28007,1,53000,443,40792,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7747,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:OX20k3mW9JzBo4RmzVjTtvOawu4=", + "1:iHNZW72XqbNDDHf4ziF4MHkPsq8=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28007", + "palo_alto.pan_os.network.nat.community_id": "1:iHNZW72XqbNDDHf4ziF4MHkPsq8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": 
"ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 40792, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53000, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53006, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 12009, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28117,1,53006,443,54044,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7748,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:oWKucHrzLhzCpDmWJPLBELyMrzw=", + "1:WmnET8BZufXJpdVk04PIVGj+Kgk=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28117", + "palo_alto.pan_os.network.nat.community_id": "1:WmnET8BZufXJpdVk04PIVGj+Kgk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 54044, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53006, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53007, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 12555, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28109,1,53007,443,19544,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7749,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:63h3SPrH4/pr2GMJEkpg++zeJMU=", + "1:qCp/BEY5ANYRj3J+xhPpjW00kTA=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28109", + "palo_alto.pan_os.network.nat.community_id": "1:qCp/BEY5ANYRj3J+xhPpjW00kTA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 19544, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53007, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53008, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 13101, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28260,1,53008,443,13462,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7750,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + 
"network.community_id": [ + "1:MpnxD3AYYy43RYm8rBQmgxv2NQ0=", + "1:QTdF07Qsc5riXT20oN+YWQ2Yt6U=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28260", + "palo_alto.pan_os.network.nat.community_id": "1:QTdF07Qsc5riXT20oN+YWQ2Yt6U=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13462, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53008, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53010, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + 
"event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 13647, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28275,1,53010,443,44892,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7752,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:kibVei9WSdxBMV8iUIg8nZMCiss=", + "1:v9tvyVPSkJni3/nd8jUVgcsqqQk=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28275", + "palo_alto.pan_os.network.nat.community_id": "1:v9tvyVPSkJni3/nd8jUVgcsqqQk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 44892, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": 
"palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53010, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53011, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 14193, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28266,1,53011,443,16487,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7753,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:l33FK2i+ASkvlnDYQYRCH4evHcI=", + "1:00oN9bToRGtVdpy+GQ742sbkpfI=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": 
"152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28266", + "palo_alto.pan_os.network.nat.community_id": "1:00oN9bToRGtVdpy+GQ742sbkpfI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16487, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53011, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53012, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 14739, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 
16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28294,1,53012,443,23952,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7754,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:cSD3ZfDTv0BFEStL/v2rRm0wow0=", + "1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28294", + "palo_alto.pan_os.network.nat.community_id": "1:AmJtkqyAyzgRUMxNGxjT3hhwb8c=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 23952, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53012, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 53013, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 15285, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28248,1,53013,443,2810,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7755,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:l8cnTJWO0qdKrXtvCBWHbQUpvgE=", + "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28248", + "palo_alto.pan_os.network.nat.community_id": "1:CzGrIa22/gNrIvkcJMIh6eWNjFI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": 
"ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2810, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53013, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53014, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 15830, + "log.original": "Nov 30 16:44:46 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:46,28274,1,53014,443,13272,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7756,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:2dLIQC1NuJw/6kPkSukOc7rN5UE=", + "1:b3MpSidntZseAvCtO89765ETlyI=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28274", + "palo_alto.pan_os.network.nat.community_id": "1:b3MpSidntZseAvCtO89765ETlyI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13272, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53014, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53022, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 16376, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28285,1,53022,443,8663,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7762,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:39KkS/Y1cEc0OLIWR3+26TPoFhQ=", + "1:wug3mTERsDOMF1R52vDi6SpWbMc=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28285", + "palo_alto.pan_os.network.nat.community_id": "1:wug3mTERsDOMF1R52vDi6SpWbMc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 8663, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53022, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53023, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 16921, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28306,1,53023,443,55738,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7763,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + 
"network.community_id": [ + "1:IFLzwMkLmz8UfCYPFfRgTIBIzSI=", + "1:ktdKYACJa2q76tdS55sj5QaeMBs=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28306", + "palo_alto.pan_os.network.nat.community_id": "1:ktdKYACJa2q76tdS55sj5QaeMBs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 55738, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53023, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53024, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + 
"event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 17467, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28116,1,53024,443,10650,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7764,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:spPQtp0F92JeXKXtvGndU6vymNo=", + "1:sWvGFBOOisURcvYe5nB5HUSa6B8=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28116", + "palo_alto.pan_os.network.nat.community_id": "1:sWvGFBOOisURcvYe5nB5HUSa6B8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 10650, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": 
"palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53024, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53025, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 18013, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28214,1,53025,443,44087,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7765,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:xBwOt7zrEs9oyuV1oEHKLKXdg1Q=", + "1:LHZawFx+zgZPTd01rJqX/31kNmE=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": 
"152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28214", + "palo_alto.pan_os.network.nat.community_id": "1:LHZawFx+zgZPTd01rJqX/31kNmE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 44087, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53025, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:46.000Z", + "client.ip": "192.168.15.224", + "client.port": 53026, + "destination.address": "152.195.55.192", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "152.195.55.192", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 18559, + "log.original": "Nov 30 16:44:47 PA-220 1,2018/11/30 16:44:46,012801096514,THREAT,url,2049,2018/11/30 
16:44:46,192.168.15.224,152.195.55.192,192.168.1.63,152.195.55.192,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:46,28080,1,53026,443,15915,443,0x403000,tcp,block-url,\"consent.cmp.oath.com/\",(9999),business-and-economy,informational,client-to-server,7766,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:z5jHjldbSP1U0TqDWR9Uox2k3Js=", + "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "152.195.55.192", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28080", + "palo_alto.pan_os.network.nat.community_id": "1:XcghkvaiKIQS/KgINx7Mb5Vvn3M=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 15915, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "consent.cmp.oath.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "152.195.55.192", + "192.168.1.63", + "152.195.55.192" + ], + "server.ip": "152.195.55.192", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53026, + "tags": [ + "pan-os" + ], + "url.original": "consent.cmp.oath.com/" + }, + { + "@timestamp": "2018-11-30T16:44:53.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 53041, + "destination.address": "151.101.2.2", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "151.101.2.2", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 19105, + "log.original": "Nov 30 16:44:53 PA-220 1,2018/11/30 16:44:53,012801096514,THREAT,url,2049,2018/11/30 16:44:53,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:53,28318,1,53041,443,41165,443,0x403000,tcp,block-url,\"cdn.taboola.com/\",(9999),business-and-economy,informational,client-to-server,7768,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:tQxUFWF1PJh9XS+U53oZgNQELoA=", + "1:XdO4yHx+1HZM4GcutRTyur9ixdM=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "151.101.2.2", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28318", + "palo_alto.pan_os.network.nat.community_id": "1:XdO4yHx+1HZM4GcutRTyur9ixdM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + 
"palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 41165, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "cdn.taboola.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "151.101.2.2", + "192.168.1.63", + "151.101.2.2" + ], + "server.ip": "151.101.2.2", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53041, + "tags": [ + "pan-os" + ], + "url.original": "cdn.taboola.com/" + }, + { + "@timestamp": "2018-11-30T16:44:54.000Z", + "client.ip": "192.168.15.224", + "client.port": 53040, + "destination.address": "54.192.7.152", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6103, + "destination.geo.location.lon": -122.3341, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "54.192.7.152", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 19640, + "log.original": "Nov 30 16:44:54 PA-220 1,2018/11/30 16:44:54,012801096514,THREAT,url,2049,2018/11/30 16:44:54,192.168.15.224,54.192.7.152,192.168.1.63,54.192.7.152,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:54,28300,1,53040,443,54133,443,0x403000,tcp,block-url,\"rules.quantcount.com/\",(9999),business-and-economy,informational,client-to-server,7769,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:J9ymoylt3wkbcwWFUbTc1FK8W6k=", + "1:kCzU3MoZUMh7VlhTewngoP1twbw=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.192.7.152", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28300", + "palo_alto.pan_os.network.nat.community_id": "1:kCzU3MoZUMh7VlhTewngoP1twbw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 54133, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "rules.quantcount.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.192.7.152", + "192.168.1.63", + "54.192.7.152" + ], + "server.ip": "54.192.7.152", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53040, + "tags": [ + "pan-os" + ], + "url.original": "rules.quantcount.com/" + }, + { + "@timestamp": "2018-11-30T16:44:58.000Z", + "client.ip": "192.168.15.224", + "client.port": 53093, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 20182, + "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28339,1,53093,443,8485,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7770,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:DDpR8PTbIvvnd+7Hcre+jZQVtaY=", + "1:fj3W3hxHPqT4snZlcRibDiqLNvs=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28339", + "palo_alto.pan_os.network.nat.community_id": "1:fj3W3hxHPqT4snZlcRibDiqLNvs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + 
"palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 8485, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53093, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:58.000Z", + "client.ip": "192.168.15.224", + "client.port": 53094, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 20739, + "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:58,28299,1,53094,443,12496,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7771,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:1dccHKUcnMkeYh68uGS1Jhl6+Hk=", + "1:HLMiinoD9jzLzaYU394wqKksBUE=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28299", + "palo_alto.pan_os.network.nat.community_id": "1:HLMiinoD9jzLzaYU394wqKksBUE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 12496, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53094, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:58.000Z", + "client.ip": "192.168.15.224", + "client.port": 53095, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 21297, + "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:58,28303,1,53095,443,17029,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7772,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:URFNGbFKOwT3Iaugo33D1mB/ndw=", + "1:pNMLPgDpZv2+S840jW/Ggq8ng2I=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28303", + "palo_alto.pan_os.network.nat.community_id": "1:pNMLPgDpZv2+S840jW/Ggq8ng2I=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 17029, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53095, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:58.000Z", + "client.ip": "192.168.15.224", + "client.port": 53096, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 21855, + "log.original": "Nov 30 16:44:59 PA-220 1,2018/11/30 16:44:58,012801096514,THREAT,url,2049,2018/11/30 16:44:58,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:58,28390,1,53096,443,23696,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7773,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:/KMTfFetIlydTraxch89t5PYve0=", + "1:l6AkSmB92aDAHpLhiSCR28J+ANI=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28390", + "palo_alto.pan_os.network.nat.community_id": "1:l6AkSmB92aDAHpLhiSCR28J+ANI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 23696, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53096, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:59.000Z", + "client.ip": "192.168.15.224", + "client.port": 53097, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 22413, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28433,1,53097,443,34769,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7774,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:Z8gFtZEJJ5xho2+kyaSyoXp1O/I=", + "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28433", + "palo_alto.pan_os.network.nat.community_id": "1:33ah/rOB1xL3Yy0FUH0sEGuRvx8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 34769, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53097, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:59.000Z", + "client.ip": "192.168.15.224", + "client.port": 53099, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 22971, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:44:59,28380,1,53099,443,22486,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7775,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:dS0Vb9L/suztc58TuCJc5kLrnd4=", + "1:zOzoB9ZSg+/QZ7bt4sM6/I2TOXc=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28380", + "palo_alto.pan_os.network.nat.community_id": "1:zOzoB9ZSg+/QZ7bt4sM6/I2TOXc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22486, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53099, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:44:59.000Z", + "client.ip": "192.168.15.224", + "client.port": 53100, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 23529, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:44:59,012801096514,THREAT,url,2049,2018/11/30 16:44:59,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:44:59,28363,1,53100,443,12894,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7776,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:ZWPOx8XRihDI9+WqUDIHe1OyInQ=", + "1:l+VVTNzHKEhzOIqE/8PVt4xidPQ=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28363", + "palo_alto.pan_os.network.nat.community_id": "1:l+VVTNzHKEhzOIqE/8PVt4xidPQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 12894, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53100, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53101, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 24087, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:00,28349,1,53101,443,62348,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7777,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:T7UcACShDtZytIaufQKjiQ8jkhM=", + "1:/GTSxrH684FoBXpyEBepCy2M81Q=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28349", + "palo_alto.pan_os.network.nat.community_id": "1:/GTSxrH684FoBXpyEBepCy2M81Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 62348, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53101, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53104, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 24645, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28411,1,53104,443,6224,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7778,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:v2q2MvHECPCP6FDhZOfU9EhWDmw=", + "1:z/innn6bIUB0vbGtF+NoTKxtaCQ=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28411", + "palo_alto.pan_os.network.nat.community_id": "1:z/innn6bIUB0vbGtF+NoTKxtaCQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 6224, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53104, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53107, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 25202, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:00,28397,1,53107,443,44120,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7779,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:/FL+10fyEBLqVR4oJrH3NBEx/pg=", + "1:7H4lb05cbTOpCa4pIgruj3M2WrY=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28397", + "palo_alto.pan_os.network.nat.community_id": "1:7H4lb05cbTOpCa4pIgruj3M2WrY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 44120, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53107, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53108, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 25760, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:00,28347,1,53108,443,44228,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7780,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:abQPCp6V8x2Fumiz5x/+vZnuNfM=", + "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28347", + "palo_alto.pan_os.network.nat.community_id": "1:G3GfJYWnCjo8Ato/aBgr49UKGTI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 44228, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53108, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:00.000Z", + "client.ip": "192.168.15.224", + "client.port": 53109, + "destination.address": "52.4.120.175", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.4.120.175", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 26318, + "log.original": "Nov 30 16:45:00 PA-220 1,2018/11/30 16:45:00,012801096514,THREAT,url,2049,2018/11/30 16:45:00,192.168.15.224,52.4.120.175,192.168.1.63,52.4.120.175,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:00,28443,1,53109,443,31322,443,0x403000,tcp,block-url,\"srv-2018-11-30-22.config.parsely.com/\",(9999),business-and-economy,informational,client-to-server,7781,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:Ix3Fldb6W5hQx30Bw7Vd5/lm8hw=", + "1:Ni0ZlLTDuNH8F3hFm9nLZkj/SKI=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.4.120.175", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28443", + "palo_alto.pan_os.network.nat.community_id": "1:Ni0ZlLTDuNH8F3hFm9nLZkj/SKI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 31322, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "srv-2018-11-30-22.config.parsely.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "52.4.120.175", + "192.168.1.63", + "52.4.120.175" + ], + "server.ip": "52.4.120.175", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53109, + "tags": [ + "pan-os" + ], + "url.original": "srv-2018-11-30-22.config.parsely.com/" + }, + { + "@timestamp": "2018-11-30T16:45:13.000Z", + "client.ip": "192.168.15.224", + "client.port": 53118, + "destination.address": "216.58.194.98", + "destination.geo.city_name": "Mountain View", + 
"destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.386, + "destination.geo.location.lon": -122.0838, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.194.98", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 26876, + "log.original": "Nov 30 16:45:14 PA-220 1,2018/11/30 16:45:13,012801096514,THREAT,url,2049,2018/11/30 16:45:13,192.168.15.224,216.58.194.98,192.168.1.63,216.58.194.98,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:13,28439,1,53118,443,1672,443,0x403000,tcp,block-url,\"www.googleadservices.com/\",(9999),business-and-economy,informational,client-to-server,7782,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:iBwlaPm6awPJaLJMdMMVOH9f5RU=", + "1:WQC21tSR1QNUhWYgrcbgaLyTkos=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "216.58.194.98", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28439", + "palo_alto.pan_os.network.nat.community_id": "1:WQC21tSR1QNUhWYgrcbgaLyTkos=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 1672, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "www.googleadservices.com/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "216.58.194.98", + "192.168.1.63", + "216.58.194.98" + ], + "server.ip": "216.58.194.98", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53118, + "tags": [ + "pan-os" + ], + "url.original": "www.googleadservices.com/" + }, + { + "@timestamp": "2018-11-30T16:45:15.000Z", + "client.ip": "192.168.15.224", + "client.port": 53126, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 27423, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:45:15,25958,1,53126,443,20801,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7783,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:0TIOUPyQekmpFSgX6VlMP7asdJs=", + "1:hYoXMUwV0cAKhYUb4hSHsLUSo1s=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "25958", + "palo_alto.pan_os.network.nat.community_id": "1:hYoXMUwV0cAKhYUb4hSHsLUSo1s=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 20801, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53126, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:15.000Z", + "client.ip": "192.168.15.224", + "client.port": 53127, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 27968, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28429,1,53127,443,24533,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7784,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:5CeaDtLLJAW4qpNe5rR3zJ3u1KM=", + "1:al192CljLcXBQ5a9fXhiLM+uAKg=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28429", + "palo_alto.pan_os.network.nat.community_id": "1:al192CljLcXBQ5a9fXhiLM+uAKg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 24533, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53127, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:15.000Z", + "client.ip": "192.168.15.224", + "client.port": 53128, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 28513, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28465,1,53128,443,30150,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7785,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + 
"network.community_id": [ + "1:HYgrk1tiJGzjAjdHLQJ54QqqEH0=", + "1:qI8dj7I/HOk1zkz/wkZBjQ/igsw=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28465", + "palo_alto.pan_os.network.nat.community_id": "1:qI8dj7I/HOk1zkz/wkZBjQ/igsw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 30150, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53128, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:15.000Z", + "client.ip": "192.168.15.224", + "client.port": 53129, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": 
"block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 29058, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:15,012801096514,THREAT,url,2049,2018/11/30 16:45:15,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:15,28504,1,53129,443,36305,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7786,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:8k83tpdWoK7nNJrq4t81UXuScHA=", + "1:NTrpQ6lfrWcfRCXSB/tQ49z7sOQ=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28504", + "palo_alto.pan_os.network.nat.community_id": "1:NTrpQ6lfrWcfRCXSB/tQ49z7sOQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 36305, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + 
"source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53129, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53130, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 29603, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28458,1,53130,443,42682,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7787,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:Ob0VEjF8YeGq1hR7SbX0pZ+5/EI=", + "1:93oplAL+YibXq75Qng9iomHp97k=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + 
"palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28458", + "palo_alto.pan_os.network.nat.community_id": "1:93oplAL+YibXq75Qng9iomHp97k=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42682, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53130, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53131, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 30148, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 
16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28491,1,53131,443,22530,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7788,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:WlDGM7WbDrN83JffZtwB6PNK3Y8=", + "1:uhEHJXnnMaxBL0QYfNxS8lxZkls=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28491", + "palo_alto.pan_os.network.nat.community_id": "1:uhEHJXnnMaxBL0QYfNxS8lxZkls=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22530, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53131, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 53132, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 30693, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28520,1,53132,443,43713,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7789,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:U5qBRasQ13RQONeFOyA2+9QbWK8=", + "1:KtlZO5BbsoCg/ymqE05xAvw/iIA=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28520", + "palo_alto.pan_os.network.nat.community_id": "1:KtlZO5BbsoCg/ymqE05xAvw/iIA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", 
+ "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 43713, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53132, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53133, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 31238, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28335,1,53133,443,60608,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7790,0x2000000000000000,192.168.0.0-192.168.255.255,United 
States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:S99EiT3uXg1VHeNM5TVPoeW1Zrk=", + "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28335", + "palo_alto.pan_os.network.nat.community_id": "1:4MqfykfAOpIQmtvXcxzLNXqgyTs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 60608, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53133, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53134, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", 
+ "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 31783, + "log.original": "Nov 30 16:45:16 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28414,1,53134,443,9302,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7791,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:IMZ08eMrtDP/qCq8+cruyYo5r98=", + "1:Qj+AYB26PhFUPHkeHTP+u0XmR3A=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28414", + "palo_alto.pan_os.network.nat.community_id": "1:Qj+AYB26PhFUPHkeHTP+u0XmR3A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 9302, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + 
"192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53134, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:16.000Z", + "client.ip": "192.168.15.224", + "client.port": 53135, + "destination.address": "23.72.145.245", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.72.145.245", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 32327, + "log.original": "Nov 30 16:45:17 PA-220 1,2018/11/30 16:45:16,012801096514,THREAT,url,2049,2018/11/30 16:45:16,192.168.15.224,23.72.145.245,192.168.1.63,23.72.145.245,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:16,28488,1,53135,443,11634,443,0x403000,tcp,block-url,\"service.maxymiser.net/\",(9999),business-and-economy,informational,client-to-server,7792,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:Z6zBvBoA+0NQryjJ96nYaFcOuXw=", + "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.72.145.245", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28488", + "palo_alto.pan_os.network.nat.community_id": "1:BQw3RXiNvT4NW4kw0J5Ol6rFN5A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 11634, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "service.maxymiser.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "23.72.145.245", + "192.168.1.63", + "23.72.145.245" + ], + "server.ip": "23.72.145.245", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53135, + "tags": [ + "pan-os" + ], + "url.original": "service.maxymiser.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53152, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + 
"labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 32872, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28469,1,53152,443,30818,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7793,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:Qo8vSWzvn9QN5ADlmHxjJft+bxA=", + "1:1XJhGS1EujYy5wSCA64wjjK7hwA=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28469", + "palo_alto.pan_os.network.nat.community_id": "1:1XJhGS1EujYy5wSCA64wjjK7hwA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 30818, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": 
"192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53152, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53155, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 33417, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28556,1,53155,443,64260,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7794,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:N2DPhwTnklulMwYKpcc4j0nLwu4=", + "1:YHN6cU700Mp7622M1rIzbnPQ+ik=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + 
"palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28556", + "palo_alto.pan_os.network.nat.community_id": "1:YHN6cU700Mp7622M1rIzbnPQ+ik=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 64260, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53155, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53158, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": 
"informational", + "log.offset": 33962, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28558,1,53158,443,7071,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7795,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:j5m21kfahBuP4jLMiqVnsVTJZ+Q=", + "1:o5UB5uvp2ThXPXChyc7lgvBMH0s=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28558", + "palo_alto.pan_os.network.nat.community_id": "1:o5UB5uvp2ThXPXChyc7lgvBMH0s=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 7071, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53158, + "tags": [ + 
"pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53160, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 34506, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28531,1,53160,443,4512,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7796,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:8jQcqVCl+Q8N6jDNJlJwuydmDsA=", + "1:RRfOKybSMc/qYj1QHLEpuh+r0Eg=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + 
"palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28531", + "palo_alto.pan_os.network.nat.community_id": "1:RRfOKybSMc/qYj1QHLEpuh+r0Eg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 4512, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53160, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:26.000Z", + "client.ip": "192.168.15.224", + "client.port": 53161, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 35050, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 
16:45:26,012801096514,THREAT,url,2049,2018/11/30 16:45:26,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:26,28580,1,53161,443,3422,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7797,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:zcJ3HhZj3urz6vGwVhseviLv7kY=", + "1:KhCfFcRk3sovsTfN9pRRfgjsP84=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28580", + "palo_alto.pan_os.network.nat.community_id": "1:KhCfFcRk3sovsTfN9pRRfgjsP84=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 3422, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53161, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": 
"2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53162, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 35594, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28477,1,53162,443,4651,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7798,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:DJHoN3ahXiIF4S4aGocL7KS/AhY=", + "1:hZhkH3fz7n30Q+zsXnQejsna14Q=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": 
"28477", + "palo_alto.pan_os.network.nat.community_id": "1:hZhkH3fz7n30Q+zsXnQejsna14Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 4651, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53162, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53163, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 36138, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 
16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28484,1,53163,443,19068,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7799,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:oQCUvcNDUq8NlFsOiIljRD/md2E=", + "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28484", + "palo_alto.pan_os.network.nat.community_id": "1:lFuLGvzKiGz77tAPKRWLQ7eIBNw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 19068, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53163, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 53164, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 36683, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28609,1,53164,443,5831,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7800,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:DjIyvY/MLQ8U4RrMwFVhfq30m6g=", + "1:lXgqW6uer7QCnFv+5qVbgX4vM6E=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28609", + "palo_alto.pan_os.network.nat.community_id": 
"1:lXgqW6uer7QCnFv+5qVbgX4vM6E=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 5831, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53164, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53165, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 37227, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 
16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28564,1,53165,443,7084,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7801,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:fsi7g4zFbrFG09Mvo8P/WofCEKc=", + "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28564", + "palo_alto.pan_os.network.nat.community_id": "1:SDf7YJ4JLx2oja8SY0iCD/f9ZYk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 7084, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53165, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 53166, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 37771, + "log.original": "Nov 30 16:45:27 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28542,1,53166,443,18633,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7802,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:wICcAfDG87s8YdjIhDgBqv6mTws=", + "1:/wf94ECkqPez+fxVgk+3KErtaBQ=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28542", + "palo_alto.pan_os.network.nat.community_id": 
"1:/wf94ECkqPez+fxVgk+3KErtaBQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 18633, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53166, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + "client.port": 53167, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 38316, + "log.original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 
16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28590,1,53167,443,25557,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7803,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:L9I6mLjr15WmWcGfC1vPrN0NmY0=", + "1:lGMn2sEJLK3qbOX02axD1srH/FY=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28590", + "palo_alto.pan_os.network.nat.community_id": "1:lGMn2sEJLK3qbOX02axD1srH/FY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 25557, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53167, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:27.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 53150, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 38861, + "log.original": "Nov 30 16:45:28 PA-220 1,2018/11/30 16:45:27,012801096514,THREAT,url,2049,2018/11/30 16:45:27,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:27,28455,1,53150,443,20661,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7804,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:pvzPjqjqA6kLTjxiRDVSDxuidwg=", + "1:O1zDnt5d52xTreiMgL/sHMRHiXA=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28455", + "palo_alto.pan_os.network.nat.community_id": 
"1:O1zDnt5d52xTreiMgL/sHMRHiXA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 20661, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53150, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:28.000Z", + "client.ip": "192.168.15.224", + "client.port": 53185, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 39406, + "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 
16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28585,1,53185,443,65438,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7805,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:hu8p8gkxiimZqTLhIkgVfSePEqk=", + "1:CwNRTMQumfdoC3msd4z5PIYkKLU=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28585", + "palo_alto.pan_os.network.nat.community_id": "1:CwNRTMQumfdoC3msd4z5PIYkKLU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 65438, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53185, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:28.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 53187, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 39951, + "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28462,1,53187,443,53101,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7806,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:z12wzV1bKYppHPfC9LypWH+RtE4=", + "1:0YBp8myYbHSoKWG2HvxutMfose0=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28462", + "palo_alto.pan_os.network.nat.community_id": 
"1:0YBp8myYbHSoKWG2HvxutMfose0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 53101, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53187, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:28.000Z", + "client.ip": "192.168.15.224", + "client.port": 53188, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 40496, + "log.original": "Nov 30 16:45:29 PA-220 1,2018/11/30 16:45:28,012801096514,THREAT,url,2049,2018/11/30 
16:45:28,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:28,28839,1,53188,443,35463,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7807,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:eJYKKiIqzYxe5ja/6/hDB3CgzSI=", + "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28839", + "palo_alto.pan_os.network.nat.community_id": "1:CQrsQ2CJN8/aVtRj6kkSqGiLA4w=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 35463, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/", + "palo_alto.pan_os.threat_id": "(9999)", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "54.209.101.70", + "192.168.1.63", + "54.209.101.70" + ], + "server.ip": "54.209.101.70", + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.geo.country_iso_code": "192.168.0.0-192.168.255.255", + "source.ip": "192.168.15.224", + "source.port": 53188, + "tags": [ + "pan-os" + ], + "url.original": "segment-data.zqtk.net/" + }, + { + "@timestamp": "2018-11-30T16:45:29.000Z", + "client.ip": "192.168.15.224", + 
"client.port": 53178, + "destination.address": "54.209.101.70", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.209.101.70", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "url_filtering", + "event.category": "security_threat", + "event.dataset": "palo_alto.pan_os", + "event.module": "palo_alto", + "event.outcome": "block-url", + "event.severity": 5, + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "labels.temporary_match": true, + "log.level": "informational", + "log.offset": 41041, + "log.original": "Nov 30 16:45:30 PA-220 1,2018/11/30 16:45:29,012801096514,THREAT,url,2049,2018/11/30 16:45:29,192.168.15.224,54.209.101.70,192.168.1.63,54.209.101.70,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:45:29,28400,1,53178,443,45769,443,0x403000,tcp,block-url,\"segment-data.zqtk.net/\",(9999),business-and-economy,informational,client-to-server,7808,0x2000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,", + "network.application": "ssl", + "network.community_id": [ + "1:f+00RNTWn2IGrM2JmEAnEPoRwDg=", + "1:vbknc+k7pE33+aNpIggpIzlC7MY=" + ], + "network.direction": "inbound", + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.209.101.70", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "28400", + "palo_alto.pan_os.network.nat.community_id": 
"1:vbknc+k7pE33+aNpIggpIzlC7MY=",
+ "palo_alto.pan_os.ruleset": "new_outbound_from_trust",
+ "palo_alto.pan_os.source.interface": "ethernet1/2",
+ "palo_alto.pan_os.source.nat.ip": "192.168.1.63",
+ "palo_alto.pan_os.source.nat.port": 45769,
+ "palo_alto.pan_os.source.zone": "trust",
+ "palo_alto.pan_os.threat_file_or_url": "segment-data.zqtk.net/",
+ "palo_alto.pan_os.threat_id": "(9999)",
+ "palo_alto.pan_os.url.category": "business-and-economy",
+ "related.ip": [
+ "192.168.15.224",
+ "54.209.101.70",
+ "192.168.1.63",
+ "54.209.101.70"
+ ],
+ "server.ip": "54.209.101.70",
+ "server.port": 443,
+ "service.type": "palo_alto",
+ "source.address": "192.168.15.224",
+ "source.geo.country_iso_code": "192.168.0.0-192.168.255.255",
+ "source.ip": "192.168.15.224",
+ "source.port": 53178,
+ "tags": [
+ "pan-os"
+ ],
+ "url.original": "segment-data.zqtk.net/"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log
new file mode 100644
index 00000000000..c3e74310f06
--- /dev/null
+++ b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log
@@ -0,0 +1,100 @@
+Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0
+Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 
16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,104.254.150.9,192.168.1.63,104.254.150.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 
16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.0.218.108,192.168.1.63,52.0.218.108,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United 
States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 +Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0 diff --git a/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json new file mode 100644 index 00000000000..755e84659bf --- /dev/null 
+++ b/x-pack/filebeat/module/palo_alto/pan_os/test/traffic.log-expected.json 
@@ -0,0 +1,7364 @@ +[ + { + "@timestamp": "2018-11-30T16:09:07.000Z", + "client.bytes": 1758, + "client.ip": "192.168.15.207", + "client.packets": 20, + "client.port": 55113, + "destination.address": "184.51.253.152", + "destination.bytes": 1758, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "184.51.253.152", + "destination.packets": 16, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 586000000000, + "event.end": "2018-11-30T16:08:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T15:59:04.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 0, + "log.original": "Nov 30 16:09:08 PA-220 1,2018/11/30 16:09:07,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:07,192.168.15.207,184.51.253.152,192.168.1.63,184.51.253.152,new_outbound_from_trust,,,apple-maps,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:07,22751,1,55113,443,16418,443,0x400053,tcp,allow,7734,1758,5976,36,2018/11/30 15:59:04,586,computer-and-internet-info,0,32091112,0x0,192.168.0.0-192.168.255.255,United States,0,16,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "apple-maps", + "network.bytes": 7734, + "network.community_id": [ + "1:MhgXJlTEvCKgoyqMC+Xo7qMVGqc=", + "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=" + ], + "network.direction": "outbound", + "network.packets": 36, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "184.51.253.152", + "palo_alto.pan_os.destination.nat.port": 443, + 
"palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22751", + "palo_alto.pan_os.network.nat.community_id": "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091112, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16418, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.207", + "184.51.253.152", + "192.168.1.63", + "184.51.253.152" + ], + "server.bytes": 5976, + "server.ip": "184.51.253.152", + "server.packets": 16, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 5976, + "source.ip": "192.168.15.207", + "source.packets": 20, + "source.port": 55113, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:09.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:08:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:55.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 503, + "log.original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:09,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24223,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:08:55,0,any,0,32091113,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24223", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091113, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:09.000Z", + "client.bytes": 539, + "client.ip": "192.168.15.207", + "client.packets": 5, + "client.port": 55114, + "destination.address": "17.253.3.202", + "destination.bytes": 539, + "destination.geo.continent_name": "North 
America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "17.253.3.202", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:51.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 947, + "log.original": "Nov 30 16:09:10 PA-220 1,2018/11/30 16:09:09,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:09,192.168.15.207,17.253.3.202,192.168.1.63,17.253.3.202,new_outbound_from_trust,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:09,24138,1,55114,80,51990,80,0x40001c,tcp,allow,1574,539,1035,11,2018/11/30 16:08:51,1,computer-and-internet-info,0,32091114,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "web-browsing", + "network.bytes": 1574, + "network.community_id": [ + "1:L9wP4JYo+V/38JhXYBMQf/hWYoQ=", + "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY=" + ], + "network.direction": "outbound", + "network.packets": 11, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "17.253.3.202", + "palo_alto.pan_os.destination.nat.port": 80, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24138", + "palo_alto.pan_os.network.nat.community_id": "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091114, + "palo_alto.pan_os.source.interface": "ethernet1/2", + 
"palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 51990, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.207", + "17.253.3.202", + "192.168.1.63", + "17.253.3.202" + ], + "server.bytes": 1035, + "server.ip": "17.253.3.202", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 1035, + "source.ip": "192.168.15.207", + "source.packets": 5, + "source.port": 55114, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:15.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:01.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:01.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 1441, + "log.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,24043,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:01,0,any,0,32091115,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + 
"network.bytes": 1176, + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24043", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091115, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:15.000Z", + "client.bytes": 2014, + "client.ip": "192.168.15.196", + "client.packets": 3, + "client.port": 46774, + "destination.address": "216.58.194.99", + "destination.bytes": 2014, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.386, + "destination.geo.location.lon": -122.0838, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.194.99", + "destination.packets": 5, + "destination.port": 443, + "ecs.version": 
"1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:07:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 1885, + "log.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.196,216.58.194.99,192.168.1.63,216.58.194.99,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23003,1,46774,443,15252,443,0x400019,udp,allow,3627,2014,1613,8,2018/11/30 16:07:13,0,any,0,32091116,0x0,192.168.0.0-192.168.255.255,United States,0,5,3,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "quic", + "network.bytes": 3627, + "network.community_id": [ + "1:bfDHy9SG4Mhm/ohGXQNZR3yF5sI=", + "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=" + ], + "network.direction": "outbound", + "network.packets": 8, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "216.58.194.99", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23003", + "palo_alto.pan_os.network.nat.community_id": "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091116, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 15252, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.196", + "216.58.194.99", + "192.168.1.63", + "216.58.194.99" + ], + 
"server.bytes": 1613, + "server.ip": "216.58.194.99", + "server.packets": 5, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.196", + "source.bytes": 1613, + "source.ip": "192.168.15.196", + "source.packets": 3, + "source.port": 46774, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:15.000Z", + "client.bytes": 20642, + "client.ip": "192.168.15.224", + "client.packets": 51, + "client.port": 52408, + "destination.address": "209.234.224.22", + "destination.bytes": 20642, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "209.234.224.22", + "destination.packets": 62, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 85000000000, + "event.end": "2018-11-30T16:08:58.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:33.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 2353, + "log.original": "Nov 30 16:09:16 PA-220 1,2018/11/30 16:09:15,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:15,192.168.15.224,209.234.224.22,192.168.1.63,209.234.224.22,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:15,23919,1,52408,443,40763,443,0x400053,tcp,allow,41753,20642,21111,113,2018/11/30 16:07:33,85,web-advertisements,0,32091117,0x0,192.168.0.0-192.168.255.255,United States,0,62,51,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 41753, + "network.community_id": [ + "1:A+0qkq/2rxZS/+I/sm0SFOWOkwY=", + "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=" + ], + "network.direction": "outbound", + "network.packets": 113, + "network.transport": "tcp", 
+ "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "209.234.224.22", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23919", + "palo_alto.pan_os.network.nat.community_id": "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091117, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 40763, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "209.234.224.22", + "192.168.1.63", + "209.234.224.22" + ], + "server.bytes": 21111, + "server.ip": "209.234.224.22", + "server.packets": 62, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 21111, + "source.ip": "192.168.15.224", + "source.packets": 51, + "source.port": 52408, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:21.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:07.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:07.000Z", + "fileset.name": "pan_os", + 
"input.type": "log", + "labels.nat_translated": true, + "log.offset": 2844, + "log.original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,21394,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:07,0,any,0,32091118,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "21394", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091118, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:21.000Z", + "client.bytes": 3365, + "client.ip": 
"192.168.15.224", + "client.packets": 9, + "client.port": 59190, + "destination.address": "172.217.2.238", + "destination.bytes": 3365, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "172.217.2.238", + "destination.packets": 7, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 15000000000, + "event.end": "2018-11-30T16:07:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:04.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 3288, + "log.original": "Nov 30 16:09:22 PA-220 1,2018/11/30 16:09:21,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:21,192.168.15.224,172.217.2.238,192.168.1.63,172.217.2.238,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:21,23698,1,59190,443,52881,443,0x400019,udp,allow,7097,3365,3732,16,2018/11/30 16:07:04,15,any,0,32091119,0x0,192.168.0.0-192.168.255.255,United States,0,7,9,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "quic", + "network.bytes": 7097, + "network.community_id": [ + "1:q1tj6dPFkb+U8mUSdFp3CbUFXUk=", + "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=" + ], + "network.direction": "outbound", + "network.packets": 16, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "172.217.2.238", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23698", + "palo_alto.pan_os.network.nat.community_id": "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=", + 
"palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091119, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 52881, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "172.217.2.238", + "192.168.1.63", + "172.217.2.238" + ], + "server.bytes": 3732, + "server.ip": "172.217.2.238", + "server.packets": 7, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 3732, + "source.ip": "192.168.15.224", + "source.packets": 9, + "source.port": 59190, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:22.000Z", + "client.bytes": 80, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 49728, + "destination.address": "8.8.8.8", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:08:50.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:50.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 3758, + "log.original": "Nov 30 16:09:23 PA-220 1,2018/11/30 16:09:22,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:22,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:22,24179,1,49728,53,26654,53,0x400019,udp,allow,301,80,221,2,2018/11/30 
16:08:50,0,any,0,32091120,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 301, + "network.community_id": [ + "1:l1lEn2QIKjwJgww02PEndRveudE=", + "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24179", + "palo_alto.pan_os.network.nat.community_id": "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091120, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 26654, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 221, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 221, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 49728, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:23.000Z", + "client.bytes": 77, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 50500, + "destination.address": "8.8.8.8", + "destination.bytes": 77, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + 
"ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:08:51.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:51.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 4207, + "log.original": "Nov 30 16:09:24 PA-220 1,2018/11/30 16:09:23,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:23,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:23,23933,1,50500,53,2486,53,0x400019,udp,allow,298,77,221,2,2018/11/30 16:08:51,0,any,0,32091121,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 298, + "network.community_id": [ + "1:RK6Ut4Rb0DTrl9IRf27cop79UwI=", + "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23933", + "palo_alto.pan_os.network.nat.community_id": "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091121, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2486, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 221, + 
"server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 221, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 50500, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:24.000Z", + "client.bytes": 4509, + "client.ip": "192.168.15.207", + "client.packets": 16, + "client.port": 55112, + "destination.address": "17.249.60.78", + "destination.bytes": 4509, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "17.249.60.78", + "destination.packets": 16, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 593000000000, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T15:58:59.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 4655, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,17.249.60.78,192.168.1.63,17.249.60.78,new_outbound_from_trust,,,apple-push-notifications,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,22662,1,55112,443,42021,443,0x400053,tcp,allow,9978,4509,5469,32,2018/11/30 15:58:59,593,computer-and-internet-info,0,32091122,0x0,192.168.0.0-192.168.255.255,United States,0,16,16,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "apple-push-notifications", + "network.bytes": 9978, + "network.community_id": [ + "1:89DsXq0JlAcm8a60Q9a+OELsT0Y=", + "1:JuPhgq+FyomxcGW/tt851C0l4Hg=" + ], + "network.direction": "outbound", + "network.packets": 32, + 
"network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "17.249.60.78", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "22662", + "palo_alto.pan_os.network.nat.community_id": "1:JuPhgq+FyomxcGW/tt851C0l4Hg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091122, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42021, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.207", + "17.249.60.78", + "192.168.1.63", + "17.249.60.78" + ], + "server.bytes": 5469, + "server.ip": "17.249.60.78", + "server.packets": 16, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 5469, + "source.ip": "192.168.15.207", + "source.packets": 16, + "source.port": 55112, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:24.000Z", + "client.bytes": 73, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 57632, + "destination.address": "8.8.8.8", + "destination.bytes": 73, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:52.000Z", + 
"fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 5180, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24161,1,57632,53,24377,53,0x400019,udp,allow,297,73,224,2,2018/11/30 16:08:52,0,any,0,32091123,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 297, + "network.community_id": [ + "1:5lGtGtzRH+NHOqMOFVuXwxg5nCo=", + "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24161", + "palo_alto.pan_os.network.nat.community_id": "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091123, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 24377, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 224, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 224, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 57632, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:24.000Z", 
+ "client.bytes": 69, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 50271, + "destination.address": "8.8.8.8", + "destination.bytes": 69, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:52.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 5629, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24107,1,50271,53,48792,53,0x400019,udp,allow,186,69,117,2,2018/11/30 16:08:52,0,any,0,32091124,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 186, + "network.community_id": [ + "1:WbAIgVVT23pzqAJkSDF68HGSPY4=", + "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24107", + "palo_alto.pan_os.network.nat.community_id": "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=", + 
"palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091124, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 48792, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 117, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 117, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 50271, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:24.000Z", + "client.bytes": 85, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 54061, + "destination.address": "8.8.8.8", + "destination.bytes": 85, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:52.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 6078, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24063,1,54061,53,2987,53,0x400019,udp,allow,392,85,307,2,2018/11/30 
16:08:52,0,any,0,32091125,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 392, + "network.community_id": [ + "1:b+lWViOjpbOZConz3JzrSDR609Q=", + "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24063", + "palo_alto.pan_os.network.nat.community_id": "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091125, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2987, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 307, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 307, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 54061, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:24.000Z", + "client.bytes": 75, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 52701, + "destination.address": "8.8.8.8", + "destination.bytes": 75, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + 
"ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:08:52.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:52.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 6526, + "log.original": "Nov 30 16:09:25 PA-220 1,2018/11/30 16:09:24,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:24,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:24,24145,1,52701,53,6945,53,0x400019,udp,allow,440,75,365,2,2018/11/30 16:08:52,0,any,0,32091126,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 440, + "network.community_id": [ + "1:dnGaTG13rwIh66+Pj0GQSdJMhu8=", + "1:rR5F8eZHI1nwmznedxqG9e8vUQE=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24145", + "palo_alto.pan_os.network.nat.community_id": "1:rR5F8eZHI1nwmznedxqG9e8vUQE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091126, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 6945, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 365, + 
"server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 365, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 52701, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:27.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 6974, + "log.original": "Nov 30 16:09:28 PA-220 1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24245,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:13,0,any,0,32091127,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24245", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091127, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:27.000Z", + "client.bytes": 97, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 62503, + "destination.address": "8.8.8.8", + "destination.bytes": 97, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2018-11-30T16:08:55.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 7418, + "log.original": "Nov 30 16:09:28 PA-220 
1,2018/11/30 16:09:27,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:27,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:27,24167,1,62503,53,42208,53,0x400019,udp,allow,258,97,161,2,2018/11/30 16:08:54,1,any,0,32091128,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 258, + "network.community_id": [ + "1:Jof66SUOY3j4C+WrZwbgtKls1/Y=", + "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24167", + "palo_alto.pan_os.network.nat.community_id": "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091128, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42208, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 161, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 161, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 62503, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:28.000Z", + "client.bytes": 2086, + "client.ip": "192.168.15.224", + "client.packets": 13, + "client.port": 52442, + "destination.address": "98.138.49.44", 
+ "destination.bytes": 2086, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "98.138.49.44", + "destination.packets": 14, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 17000000000, + "event.end": "2018-11-30T16:09:11.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 7867, + "log.original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,98.138.49.44,192.168.1.63,98.138.49.44,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24212,1,52442,443,14660,443,0x40001c,tcp,allow,9891,2086,7805,27,2018/11/30 16:08:54,17,web-advertisements,0,32091129,0x0,192.168.0.0-192.168.255.255,United States,0,14,13,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 9891, + "network.community_id": [ + "1:08BinpWe/JWymiOV0oCsRR8Lo4Q=", + "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=" + ], + "network.direction": "outbound", + "network.packets": 27, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "98.138.49.44", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24212", + "palo_alto.pan_os.network.nat.community_id": "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 
32091129, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 14660, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "98.138.49.44", + "192.168.1.63", + "98.138.49.44" + ], + "server.bytes": 7805, + "server.ip": "98.138.49.44", + "server.packets": 14, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 7805, + "source.ip": "192.168.15.224", + "source.packets": 13, + "source.port": 52442, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:28.000Z", + "client.bytes": 2354, + "client.ip": "192.168.15.224", + "client.packets": 11, + "client.port": 52441, + "destination.address": "72.30.3.43", + "destination.bytes": 2354, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "72.30.3.43", + "destination.packets": 13, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 17000000000, + "event.end": "2018-11-30T16:09:11.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:54.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 8350, + "log.original": "Nov 30 16:09:29 PA-220 1,2018/11/30 16:09:28,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:28,192.168.15.224,72.30.3.43,192.168.1.63,72.30.3.43,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:28,24149,1,52441,443,16483,443,0x40001c,tcp,allow,8460,2354,6106,24,2018/11/30 
16:08:54,17,web-advertisements,0,32091130,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 8460, + "network.community_id": [ + "1:2NNXjZpDcB9oYU1TRLRSU5v7hoQ=", + "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=" + ], + "network.direction": "outbound", + "network.packets": 24, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "72.30.3.43", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24149", + "palo_alto.pan_os.network.nat.community_id": "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091130, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16483, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "72.30.3.43", + "192.168.1.63", + "72.30.3.43" + ], + "server.bytes": 6106, + "server.ip": "72.30.3.43", + "server.packets": 13, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 6106, + "source.ip": "192.168.15.224", + "source.packets": 11, + "source.port": 52441, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:29.000Z", + "client.bytes": 196, + "client.ip": "192.168.15.196", + "client.packets": 2, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 196, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + 
"destination.packets": 2, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:15.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:15.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 8829, + "log.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24185,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:15,0,any,0,32091131,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 392, + "network.community_id": [ + "1:/l9vT9UwjkUeC6vNW93wy71+TBk=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24185", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091131, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.196", + "8.8.8.8", + "192.168.1.63", + 
"8.8.8.8" + ], + "server.bytes": 196, + "server.ip": "8.8.8.8", + "server.packets": 2, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.196", + "source.bytes": 196, + "source.ip": "192.168.15.196", + "source.packets": 2, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:29.000Z", + "client.bytes": 2545, + "client.ip": "192.168.15.224", + "client.packets": 17, + "client.port": 52355, + "destination.address": "172.217.9.142", + "destination.bytes": 2545, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "172.217.9.142", + "destination.packets": 19, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 116000000000, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:16.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 9271, + "log.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,23856,1,52355,80,5570,80,0x40001c,tcp,allow,5790,2545,3245,36,2018/11/30 16:07:16,116,computer-and-internet-info,0,32091132,0x0,192.168.0.0-192.168.255.255,United States,0,19,17,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ocsp", + "network.bytes": 5790, + "network.community_id": [ + "1:JJQ4CQTTE3x7lV+Npo80V7dd6ts=", + "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=" + ], + "network.direction": "outbound", + "network.packets": 36, + "network.transport": "tcp", + 
"observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "172.217.9.142", + "palo_alto.pan_os.destination.nat.port": 80, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23856", + "palo_alto.pan_os.network.nat.community_id": "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091132, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 5570, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "172.217.9.142", + "192.168.1.63", + "172.217.9.142" + ], + "server.bytes": 3245, + "server.ip": "172.217.9.142", + "server.packets": 19, + "server.port": 80, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 3245, + "source.ip": "192.168.15.224", + "source.packets": 17, + "source.port": 52355, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:29.000Z", + "client.bytes": 82, + "client.ip": "192.168.15.207", + "client.packets": 1, + "client.port": 50196, + "destination.address": "8.8.8.8", + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:08:57.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:08:57.000Z", + "fileset.name": "pan_os", + 
"input.type": "log", + "labels.nat_translated": true, + "log.offset": 9763, + "log.original": "Nov 30 16:09:30 PA-220 1,2018/11/30 16:09:29,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:29,192.168.15.207,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:29,24173,1,50196,53,24430,53,0x400019,udp,allow,261,82,179,2,2018/11/30 16:08:57,0,any,0,32091133,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 261, + "network.community_id": [ + "1:URR/wC9NPuHbnjGQ1Y7LffVYlTc=", + "1:9T+RKr8xDB21pvAf/Fihyq72sLY=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24173", + "palo_alto.pan_os.network.nat.community_id": "1:9T+RKr8xDB21pvAf/Fihyq72sLY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091133, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 24430, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.207", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 179, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.207", + "source.bytes": 179, + "source.ip": "192.168.15.207", + "source.packets": 1, + "source.port": 50196, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:30.000Z", + "client.bytes": 1758, + 
"client.ip": "192.168.15.224", + "client.packets": 12, + "client.port": 52454, + "destination.address": "54.84.80.198", + "destination.bytes": 1758, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "54.84.80.198", + "destination.packets": 13, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_started", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 10212, + "log.original": "Nov 30 16:09:31 PA-220 1,2018/11/30 16:09:30,012801096514,TRAFFIC,start,2049,2018/11/30 16:09:30,192.168.15.224,54.84.80.198,192.168.1.63,54.84.80.198,new_outbound_from_trust,,,traps-management-service,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:30,24257,1,52454,443,12122,443,0x400053,tcp,allow,6295,1758,4537,25,2018/11/30 16:09:13,0,computer-and-internet-info,0,32091134,0x0,192.168.0.0-192.168.255.255,United States,0,13,12,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "traps-management-service", + "network.bytes": 6295, + "network.community_id": [ + "1:OnS/uikvrbdse63UYQtmHKrEk7k=", + "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=" + ], + "network.direction": "outbound", + "network.packets": 25, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.84.80.198", + 
"palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24257", + "palo_alto.pan_os.network.nat.community_id": "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091134, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 12122, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "54.84.80.198", + "192.168.1.63", + "54.84.80.198" + ], + "server.bytes": 4537, + "server.ip": "54.84.80.198", + "server.packets": 13, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 4537, + "source.ip": "192.168.15.224", + "source.packets": 12, + "source.port": 52454, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:32.000Z", + "client.bytes": 624, + "client.ip": "192.168.15.224", + "client.packets": 0, + "client.port": 52445, + "destination.address": "199.167.55.52", + "destination.bytes": 624, + "destination.geo.city_name": "Santa Clara", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.3961, + "destination.geo.location.lon": -121.9617, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "199.167.55.52", + "destination.packets": 8, + "destination.port": 4282, + "ecs.version": "1.0.0", + "event.action": "flow_dropped", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 13000000000, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "pan_os", + "input.type": "log", + 
"labels.nat_translated": true, + "log.offset": 10725, + "log.original": "Nov 30 16:09:33 PA-220 1,2018/11/30 16:09:32,012801096514,TRAFFIC,drop,2049,2018/11/30 16:09:32,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:32,24090,1,52445,4282,49145,4282,0x400019,tcp,allow,624,624,0,8,2018/11/30 16:09:12,13,any,0,32091135,0x0,192.168.0.0-192.168.255.255,United States,0,8,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 624, + "network.community_id": [ + "1:wFD93203ukPDpbZjVJE5SAMYrw4=", + "1:07q7McJtir76GhJwAJffz+C0sNo=" + ], + "network.direction": "outbound", + "network.packets": 8, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "199.167.55.52", + "palo_alto.pan_os.destination.nat.port": 4282, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24090", + "palo_alto.pan_os.network.nat.community_id": "1:07q7McJtir76GhJwAJffz+C0sNo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091135, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 49145, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "199.167.55.52", + "192.168.1.63", + "199.167.55.52" + ], + "server.bytes": 0, + "server.ip": "199.167.55.52", + "server.packets": 8, + "server.port": 4282, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 0, + "source.ip": "192.168.15.224", + "source.packets": 0, + "source.port": 52445, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": 
"2018-11-30T16:09:33.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_denied", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 11198, + "log.original": "Nov 30 16:09:34 PA-220 1,2018/11/30 16:09:33,012801096514,TRAFFIC,deny,2049,2018/11/30 16:09:33,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:33,24242,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:19,0,any,0,32091136,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24242", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + 
"palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091136, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:34.000Z", + "client.bytes": 85, + "client.ip": "192.168.15.210", + "client.packets": 1, + "client.port": 35485, + "destination.address": "8.8.8.8", + "destination.bytes": 85, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:02.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:02.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 11643, + "log.original": "Nov 30 16:09:35 PA-220 1,2018/11/30 16:09:34,012801096514,TRAFFIC,,2049,2018/11/30 16:09:34,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:34,24190,1,35485,53,33110,53,0x400019,udp,allow,215,85,130,2,2018/11/30 16:09:02,0,any,0,32091137,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 215, + "network.community_id": [ + "1:XjmNQR0k4Z9rGS6dXH+3mvmrqzA=", + "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24190", + "palo_alto.pan_os.network.nat.community_id": "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091137, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 33110, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.210", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 130, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.210", + "source.bytes": 130, + "source.ip": "192.168.15.210", + "source.packets": 1, + "source.port": 35485, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:37.000Z", + "client.bytes": 2876, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 62730, + "destination.address": "172.217.9.142", + "destination.bytes": 2876, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "172.217.9.142", + "destination.packets": 6, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.category": 
"network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 15000000000, + "event.end": "2018-11-30T16:07:35.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:07:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 12089, + "log.original": "Nov 30 16:09:38 PA-220 1,2018/11/30 16:09:37,012801096514,TRAFFIC,test,2049,2018/11/30 16:09:37,192.168.15.224,172.217.9.142,192.168.1.63,172.217.9.142,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:37,23892,1,62730,443,9299,443,0x400019,udp,allow,4867,2876,1991,12,2018/11/30 16:07:20,15,any,0,32091138,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "quic", + "network.bytes": 4867, + "network.community_id": [ + "1:lVJii2BraOSOIissazAe7/enqkQ=", + "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=" + ], + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "172.217.9.142", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23892", + "palo_alto.pan_os.network.nat.community_id": "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091138, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 9299, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "172.217.9.142", + "192.168.1.63", + "172.217.9.142" + ], + "server.bytes": 1991, + "server.ip": "172.217.9.142", + 
"server.packets": 6, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 1991, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 62730, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:38.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 5, + "client.port": 52506, + "destination.address": "151.101.2.2", + "destination.bytes": 1100, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "151.101.2.2", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:21.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 12559, + "log.original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,151.101.2.2,192.168.1.63,151.101.2.2,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,24360,1,52506,443,47194,443,0x40001c,tcp,allow,1623,1100,523,13,2018/11/30 16:09:21,0,business-and-economy,0,32091139,0x0,192.168.0.0-192.168.255.255,United States,0,8,5,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1623, + "network.community_id": [ + "1:Te0H9rrEbN0bNEjgdC1n6hD8kQU=", + "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=" + ], + "network.direction": "outbound", + "network.packets": 13, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", 
+ "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "151.101.2.2", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24360", + "palo_alto.pan_os.network.nat.community_id": "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091139, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 47194, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "151.101.2.2", + "192.168.1.63", + "151.101.2.2" + ], + "server.bytes": 523, + "server.ip": "151.101.2.2", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 523, + "source.ip": "192.168.15.224", + "source.packets": 5, + "source.port": 52506, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:38.000Z", + "client.bytes": 1977, + "client.ip": "192.168.15.224", + "client.packets": 4, + "client.port": 60596, + "destination.address": "216.58.194.66", + "destination.bytes": 1977, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.386, + "destination.geo.location.lon": -122.0838, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.194.66", + "destination.packets": 5, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:07:36.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + 
"event.start": "2018-11-30T16:07:36.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 13050, + "log.original": "Nov 30 16:09:39 PA-220 1,2018/11/30 16:09:38,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:38,192.168.15.224,216.58.194.66,192.168.1.63,216.58.194.66,new_outbound_from_trust,,,quic,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:38,23952,1,60596,443,62921,443,0x400019,udp,allow,4405,1977,2428,9,2018/11/30 16:07:36,0,any,0,32091140,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "quic", + "network.bytes": 4405, + "network.community_id": [ + "1:5umxbSgQhlPOZM9gbu1iBMqzRr8=", + "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=" + ], + "network.direction": "outbound", + "network.packets": 9, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "216.58.194.66", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23952", + "palo_alto.pan_os.network.nat.community_id": "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091140, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 62921, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "216.58.194.66", + "192.168.1.63", + "216.58.194.66" + ], + "server.bytes": 2428, + "server.ip": "216.58.194.66", + "server.packets": 5, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 2428, + "source.ip": "192.168.15.224", + "source.packets": 4, + 
"source.port": 60596, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:39.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:25.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 13518, + "log.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24328,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:25,0,any,0,32091141,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24328", + 
"palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091141, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:39.000Z", + "client.bytes": 196, + "client.ip": "192.168.15.210", + "client.packets": 2, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 196, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 2, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:25.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 13962, + "log.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.210,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:39,24385,2,0,0,0,0,0x500019,icmp,allow,392,196,196,4,2018/11/30 16:09:25,0,any,0,32091142,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 392, + "network.community_id": [ + "1:7LdGPOlsucPADJQxcTlIy8FSIxU=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24385", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091142, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.210", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 196, + "server.ip": "8.8.8.8", + "server.packets": 2, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.210", + "source.bytes": 196, + "source.ip": "192.168.15.210", + "source.packets": 2, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:39.000Z", + "client.bytes": 2228, + "client.ip": "192.168.15.224", + "client.packets": 10, + "client.port": 52514, + "destination.address": "184.51.253.193", + "destination.bytes": 2228, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + 
"destination.ip": "184.51.253.193", + "destination.packets": 12, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:22.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:22.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 14404, + "log.original": "Nov 30 16:09:40 PA-220 1,2018/11/30 16:09:39,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:39,192.168.15.224,184.51.253.193,192.168.1.63,184.51.253.193,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:39,24172,1,52514,443,41958,443,0x40001c,tcp,allow,7231,2228,5003,22,2018/11/30 16:09:22,0,web-advertisements,0,32091143,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 7231, + "network.community_id": [ + "1:zaX+BV1nxniPCPzIGKhVpm2i7CE=", + "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=" + ], + "network.direction": "outbound", + "network.packets": 22, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "184.51.253.193", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24172", + "palo_alto.pan_os.network.nat.community_id": "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091143, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 41958, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "184.51.253.193", + "192.168.1.63", + "184.51.253.193" + ], + "server.bytes": 5003, + "server.ip": "184.51.253.193", + "server.packets": 12, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 5003, + "source.ip": "192.168.15.224", + "source.packets": 10, + "source.port": 52514, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:40.000Z", + "client.bytes": 96, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 55155, + "destination.address": "8.8.8.8", + "destination.bytes": 96, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:08.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:08.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 14890, + "log.original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24131,1,55155,53,51374,53,0x400019,udp,allow,267,96,171,2,2018/11/30 16:09:08,0,any,0,32091144,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 267, + "network.community_id": [ + "1:BengLCKQRlHSjje1eFQLdxgTKJc=", + "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=" + ], + 
"network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24131", + "palo_alto.pan_os.network.nat.community_id": "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091144, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 51374, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 171, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 171, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 55155, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:40.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 0, + "client.port": 52445, + "destination.address": "199.167.55.52", + "destination.bytes": 78, + "destination.geo.city_name": "Santa Clara", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.3961, + "destination.geo.location.lon": -121.9617, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "199.167.55.52", + "destination.packets": 1, + "destination.port": 4282, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + 
"event.duration": 0, + "event.end": "2018-11-30T16:09:33.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:33.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 15339, + "log.original": "Nov 30 16:09:41 PA-220 1,2018/11/30 16:09:40,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:40,192.168.15.224,199.167.55.52,192.168.1.63,199.167.55.52,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:40,24393,1,52445,4282,25566,4282,0x400019,tcp,allow,78,78,0,1,2018/11/30 16:09:33,0,any,0,32091145,0x0,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 78, + "network.community_id": [ + "1:wFD93203ukPDpbZjVJE5SAMYrw4=", + "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=" + ], + "network.direction": "outbound", + "network.packets": 1, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "199.167.55.52", + "palo_alto.pan_os.destination.nat.port": 4282, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24393", + "palo_alto.pan_os.network.nat.community_id": "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091145, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 25566, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "199.167.55.52", + "192.168.1.63", + "199.167.55.52" + ], + "server.bytes": 0, + "server.ip": "199.167.55.52", + "server.packets": 1, + "server.port": 4282, + "service.type": 
"palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 0, + "source.ip": "192.168.15.224", + "source.packets": 0, + "source.port": 52445, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:42.000Z", + "client.bytes": 1086, + "client.ip": "192.168.15.224", + "client.packets": 9, + "client.port": 52516, + "destination.address": "199.167.52.219", + "destination.bytes": 1086, + "destination.geo.city_name": "Santa Clara", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.3961, + "destination.geo.location.lon": -121.9617, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "199.167.52.219", + "destination.packets": 11, + "destination.port": 17472, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:25.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 15808, + "log.original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,199.167.52.219,192.168.1.63,199.167.52.219,new_outbound_from_trust,,,tanium,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24976,1,52516,17472,63757,17472,0x40005e,tcp,allow,3402,1086,2316,20,2018/11/30 16:09:25,0,any,0,32091146,0x0,192.168.0.0-192.168.255.255,United States,0,11,9,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "tanium", + "network.bytes": 3402, + "network.community_id": [ + "1:9oIDq1tuilAK1JGhtfp35vZpz4w=", + "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=" + ], + "network.direction": "outbound", + "network.packets": 20, + 
"network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "199.167.52.219", + "palo_alto.pan_os.destination.nat.port": 17472, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24976", + "palo_alto.pan_os.network.nat.community_id": "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091146, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 63757, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "199.167.52.219", + "192.168.1.63", + "199.167.52.219" + ], + "server.bytes": 2316, + "server.ip": "199.167.52.219", + "server.packets": 11, + "server.port": 17472, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 2316, + "source.ip": "192.168.15.224", + "source.packets": 9, + "source.port": 52516, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:42.000Z", + "client.bytes": 2628, + "client.ip": "192.168.15.224", + "client.packets": 19, + "client.port": 52511, + "destination.address": "52.71.117.196", + "destination.bytes": 2628, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.71.117.196", + "destination.packets": 19, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 
4000000000, + "event.end": "2018-11-30T16:09:25.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 16297, + "log.original": "Nov 30 16:09:43 PA-220 1,2018/11/30 16:09:42,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:42,192.168.15.224,52.71.117.196,192.168.1.63,52.71.117.196,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:42,24348,1,52511,443,3803,443,0x400053,tcp,allow,16594,2628,13966,38,2018/11/30 16:09:21,4,computer-and-internet-info,0,32091147,0x0,192.168.0.0-192.168.255.255,United States,0,19,19,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 16594, + "network.community_id": [ + "1:lrruE+4dZreV0/+v9V1CpxRnfsE=", + "1:EG9O/WtvoWuYwaB1MXJTgr43kac=" + ], + "network.direction": "outbound", + "network.packets": 38, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.71.117.196", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24348", + "palo_alto.pan_os.network.nat.community_id": "1:EG9O/WtvoWuYwaB1MXJTgr43kac=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091147, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 3803, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "52.71.117.196", + "192.168.1.63", + "52.71.117.196" + ], + "server.bytes": 13966, + "server.ip": "52.71.117.196", + "server.packets": 19, + 
"server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 13966, + "source.ip": "192.168.15.224", + "source.packets": 19, + "source.port": 52511, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 79, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 3018, + "destination.address": "8.8.8.8", + "destination.bytes": 79, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 16802, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24046,1,3018,53,34994,53,0x400019,udp,allow,323,79,244,2,2018/11/30 16:09:12,0,any,0,32091148,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 323, + "network.community_id": [ + "1:b/0kdGUcINh0ryiR0w0QTg0t0jQ=", + "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + 
"palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24046", + "palo_alto.pan_os.network.nat.community_id": "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091148, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 34994, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 244, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 244, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 3018, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 95, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 16569, + "destination.address": "8.8.8.8", + "destination.bytes": 95, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 17250, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24196,1,16569,53,38064,53,0x400019,udp,allow,300,95,205,2,2018/11/30 16:09:12,0,any,0,32091149,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 300, + "network.community_id": [ + "1:SsNvr7qdck7W52PZqREypGPIglo=", + "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24196", + "palo_alto.pan_os.network.nat.community_id": "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091149, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 38064, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 205, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 205, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 16569, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 4296, + "client.ip": "192.168.15.224", + "client.packets": 20, + "client.port": 52479, + "destination.address": "35.186.194.41", + "destination.bytes": 4296, + "destination.geo.city_name": 
"Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.419200000000004, + "destination.geo.location.lon": -122.0574, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "35.186.194.41", + "destination.packets": 24, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 17699, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.194.41,192.168.1.63,35.186.194.41,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24264,1,52479,443,42924,443,0x400053,tcp,allow,6598,4296,2302,44,2018/11/30 16:09:19,8,insufficient-content,0,32091150,0x0,192.168.0.0-192.168.255.255,United States,0,24,20,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 6598, + "network.community_id": [ + "1:oy06sQtSbOzvWgK/dr7N5HKE5Ng=", + "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=" + ], + "network.direction": "outbound", + "network.packets": 44, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.186.194.41", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24264", + "palo_alto.pan_os.network.nat.community_id": "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=", + 
"palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091150, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42924, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "insufficient-content", + "related.ip": [ + "192.168.15.224", + "35.186.194.41", + "192.168.1.63", + "35.186.194.41" + ], + "server.bytes": 2302, + "server.ip": "35.186.194.41", + "server.packets": 24, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 2302, + "source.ip": "192.168.15.224", + "source.packets": 20, + "source.port": 52479, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 58831, + "client.ip": "192.168.15.224", + "client.packets": 41, + "client.port": 52478, + "destination.address": "35.201.124.9", + "destination.bytes": 58831, + "destination.geo.continent_name": "Asia", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 105.0, + "destination.ip": "35.201.124.9", + "destination.packets": 63, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 18185, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.124.9,192.168.1.63,35.201.124.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24248,1,52478,443,58977,443,0x400053,tcp,allow,65588,58831,6757,104,2018/11/30 
16:09:19,8,insufficient-content,0,32091151,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,63,41,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 65588, + "network.community_id": [ + "1:DBvAD0JZYsb+pmUJkhTQYOcLJls=", + "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=" + ], + "network.direction": "outbound", + "network.packets": 104, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.201.124.9", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24248", + "palo_alto.pan_os.network.nat.community_id": "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091151, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 58977, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "insufficient-content", + "related.ip": [ + "192.168.15.224", + "35.201.124.9", + "192.168.1.63", + "35.201.124.9" + ], + "server.bytes": 6757, + "server.ip": "35.201.124.9", + "server.packets": 63, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 6757, + "source.ip": "192.168.15.224", + "source.packets": 41, + "source.port": 52478, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 4069, + "client.ip": "192.168.15.224", + "client.packets": 15, + "client.port": 52502, + "destination.address": "100.24.131.237", + "destination.bytes": 4069, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + 
"destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "100.24.131.237", + "destination.packets": 17, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 6000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 18678, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.131.237,192.168.1.63,100.24.131.237,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24268,1,52502,443,64732,443,0x400053,tcp,allow,13076,4069,9007,32,2018/11/30 16:09:21,6,business-and-economy,0,32091152,0x0,192.168.0.0-192.168.255.255,United States,0,17,15,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 13076, + "network.community_id": [ + "1:3G8yDLybfwtFo10J4I/c5Ayd4Qk=", + "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=" + ], + "network.direction": "outbound", + "network.packets": 32, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "100.24.131.237", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24268", + "palo_alto.pan_os.network.nat.community_id": "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091152, + "palo_alto.pan_os.source.interface": "ethernet1/2", 
+ "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 64732, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "100.24.131.237", + "192.168.1.63", + "100.24.131.237" + ], + "server.bytes": 9007, + "server.ip": "100.24.131.237", + "server.packets": 17, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 9007, + "source.ip": "192.168.15.224", + "source.packets": 15, + "source.port": 52502, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52458, + "destination.address": "184.51.252.247", + "destination.bytes": 1100, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "184.51.252.247", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 13000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 19179, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24175,1,52458,443,58292,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091153,0x0,192.168.0.0-192.168.255.255,United 
States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1761, + "network.community_id": [ + "1:ZTCXYP/obCmlK+BT3BISstdxpCk=", + "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=" + ], + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "184.51.252.247", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24175", + "palo_alto.pan_os.network.nat.community_id": "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091153, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 58292, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "184.51.252.247", + "192.168.1.63", + "184.51.252.247" + ], + "server.bytes": 661, + "server.ip": "184.51.252.247", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 661, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52458, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 3596, + "client.ip": "192.168.15.224", + "client.packets": 16, + "client.port": 52484, + "destination.address": "35.190.88.148", + "destination.bytes": 3596, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.419200000000004, + "destination.geo.location.lon": -122.0574, + 
"destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "35.190.88.148", + "destination.packets": 15, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 19683, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.190.88.148,192.168.1.63,35.190.88.148,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24312,1,52484,443,32209,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091154,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 14732, + "network.community_id": [ + "1:DEAqTvDzZjanGG1P2CcnR3CKUfc=", + "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is=" + ], + "network.direction": "outbound", + "network.packets": 31, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.190.88.148", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24312", + "palo_alto.pan_os.network.nat.community_id": "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091154, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": 
"192.168.1.63", + "palo_alto.pan_os.source.nat.port": 32209, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "35.190.88.148", + "192.168.1.63", + "35.190.88.148" + ], + "server.bytes": 11136, + "server.ip": "35.190.88.148", + "server.packets": 15, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 11136, + "source.ip": "192.168.15.224", + "source.packets": 16, + "source.port": 52484, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 3596, + "client.ip": "192.168.15.224", + "client.packets": 16, + "client.port": 52482, + "destination.address": "35.186.243.83", + "destination.bytes": 3596, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.419200000000004, + "destination.geo.location.lon": -122.0574, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "35.186.243.83", + "destination.packets": 15, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 20177, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.186.243.83,192.168.1.63,35.186.243.83,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 
16:09:45,24164,1,52482,443,38822,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091155,0x0,192.168.0.0-192.168.255.255,United States,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 14732, + "network.community_id": [ + "1:t/ErTuEXtgYIkRnq4+UdhVKcFnA=", + "1:Xx31zYZNYc/mjf2GOihkp6JogmA=" + ], + "network.direction": "outbound", + "network.packets": 31, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.186.243.83", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24164", + "palo_alto.pan_os.network.nat.community_id": "1:Xx31zYZNYc/mjf2GOihkp6JogmA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091155, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 38822, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "35.186.243.83", + "192.168.1.63", + "35.186.243.83" + ], + "server.bytes": 11136, + "server.ip": "35.186.243.83", + "server.packets": 15, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 11136, + "source.ip": "192.168.15.224", + "source.packets": 16, + "source.port": 52482, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 84, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 33769, + "destination.address": "8.8.8.8", + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + 
"destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 20671, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,untrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24198,1,33769,53,16044,53,0x400019,udp,allow,266,84,182,2,2018/11/30 16:09:12,0,any,0,32091156,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 266, + "network.community_id": [ + "1:Y7iOj20be5Di4rx5iGHLO9k0YoU=", + "1:445AeHI1LAvb+ii4arRZeLAO4zM=" + ], + "network.direction": "external", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24198", + "palo_alto.pan_os.network.nat.community_id": "1:445AeHI1LAvb+ii4arRZeLAO4zM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091156, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16044, + 
"palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 182, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 182, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 33769, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 74, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 14106, + "destination.address": "8.8.8.8", + "destination.bytes": 74, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:12.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:12.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 21122, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24184,1,14106,53,56614,53,0x400019,udp,allow,164,74,90,2,2018/11/30 16:09:12,0,any,0,32091157,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 164, + "network.community_id": [ + "1:8HlDMcJ2vfYtzQNW4/YDX7avDu8=", + "1:+5KwsEYW+tFecEENSBwHbKTvUv8=" + ], + 
"network.direction": "internal", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "24184", + "palo_alto.pan_os.network.nat.community_id": "1:+5KwsEYW+tFecEENSBwHbKTvUv8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091157, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 56614, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 90, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 90, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 14106, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 2731, + "client.ip": "192.168.15.224", + "client.packets": 13, + "client.port": 52503, + "destination.address": "100.24.165.74", + "destination.bytes": 2731, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "100.24.165.74", + "destination.packets": 17, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + 
"event.duration": 6000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 21568, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,100.24.165.74,192.168.1.63,100.24.165.74,new_outbound_from_trust,,,ssl,vsys1,untrust,trust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24314,1,52503,443,53168,443,0x400053,tcp,allow,9400,2731,6669,30,2018/11/30 16:09:21,6,business-and-economy,0,32091158,0x0,192.168.0.0-192.168.255.255,United States,0,17,13,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 9400, + "network.community_id": [ + "1:dDqHJ1Y91GSM0iyiXXbBnOasVJM=", + "1:DRqq/mx90TOYq1a5yLf562kwIvc=" + ], + "network.direction": "inbound", + "network.packets": 30, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "100.24.165.74", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "trust", + "palo_alto.pan_os.flow_id": "24314", + "palo_alto.pan_os.network.nat.community_id": "1:DRqq/mx90TOYq1a5yLf562kwIvc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091158, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 53168, + "palo_alto.pan_os.source.zone": "untrust", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "100.24.165.74", + "192.168.1.63", + "100.24.165.74" + ], + "server.bytes": 6669, + "server.ip": "100.24.165.74", + "server.packets": 
17, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 6669, + "source.ip": "192.168.15.224", + "source.packets": 13, + "source.port": 52503, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52459, + "destination.address": "184.51.252.247", + "destination.bytes": 1100, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "184.51.252.247", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 13000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 22066, + "log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,184.51.252.247,192.168.1.63,184.51.252.247,new_outbound_from_trust,,,ssl,vsys1,xtrust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24204,1,52459,443,28012,443,0x40001c,tcp,allow,1761,1100,661,15,2018/11/30 16:09:14,13,computer-and-internet-info,0,32091159,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1761, + "network.community_id": [ + "1:LeVVxJ/qJ69xMnerDRfh9DhS1wg=", + "1:vx03vuDn4sh2/e89Lm3RoSpVIVM=" + ], + "network.direction": "unknown", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": 
"012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "184.51.252.247", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24204", + "palo_alto.pan_os.network.nat.community_id": "1:vx03vuDn4sh2/e89Lm3RoSpVIVM=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091159, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 28012, + "palo_alto.pan_os.source.zone": "xtrust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "184.51.252.247", + "192.168.1.63", + "184.51.252.247" + ], + "server.bytes": 661, + "server.ip": "184.51.252.247", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 661, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52459, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:45.000Z", + "client.bytes": 3596, + "client.ip": "192.168.15.224", + "client.packets": 16, + "client.port": 52483, + "destination.address": "35.201.94.140", + "destination.bytes": 3596, + "destination.geo.continent_name": "Asia", + "destination.geo.location.lat": 35.0, + "destination.geo.location.lon": 105.0, + "destination.ip": "35.201.94.140", + "destination.packets": 15, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 8000000000, + "event.end": "2018-11-30T16:09:27.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 22571, + 
"log.original": "Nov 30 16:09:45 PA-220 1,2018/11/30 16:09:45,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:45,192.168.15.224,35.201.94.140,192.168.1.63,35.201.94.140,new_outbound_from_trust,,,ssl,vsys1,trust,xuntrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:45,24234,1,52483,443,16050,443,0x400053,tcp,allow,14732,3596,11136,31,2018/11/30 16:09:19,8,computer-and-internet-info,0,32091160,0x0,192.168.0.0-192.168.255.255,Asia Pacific Region,0,15,16,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 14732, + "network.community_id": [ + "1:b6jBmvbfVzb1LGTW2RD80kK1rMs=", + "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU=" + ], + "network.direction": "unknown", + "network.packets": 31, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.201.94.140", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "xuntrust", + "palo_alto.pan_os.flow_id": "24234", + "palo_alto.pan_os.network.nat.community_id": "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091160, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 16050, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "35.201.94.140", + "192.168.1.63", + "35.201.94.140" + ], + "server.bytes": 11136, + "server.ip": "35.201.94.140", + "server.packets": 15, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 11136, + "source.ip": "192.168.15.224", + "source.packets": 16, + "source.port": 52483, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": 
"2018-11-30T16:09:46.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:31.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:31.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 23072, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,,,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24390,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:31,0,any,0,32091161,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "unknown", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.flow_id": "24390", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + 
"palo_alto.pan_os.sequence_number": 32091161, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 84, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 38663, + "destination.address": "8.8.8.8", + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 23504, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24093,1,38663,53,61722,53,0x400019,udp,allow,228,84,144,2,2018/11/30 16:09:13,0,any,0,32091162,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + 
"network.application": "dns", + "network.bytes": 228, + "network.community_id": [ + "1:jK1/samUe1w5J1uVlmH7SIXX1YE=", + "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24093", + "palo_alto.pan_os.network.nat.community_id": "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091162, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 61722, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 144, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 144, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 38663, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 131, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 50443, + "destination.address": "8.8.8.8", + "destination.bytes": 131, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", 
+ "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 23953, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24117,1,50443,53,14247,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091163,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 337, + "network.community_id": [ + "1:pe+tF7SEY/Km9LRsrGI4UWHmV8E=", + "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24117", + "palo_alto.pan_os.network.nat.community_id": "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091163, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 14247, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 206, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + 
"source.bytes": 206, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 50443, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 131, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 54215, + "destination.address": "8.8.8.8", + "destination.bytes": 131, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 24403, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24142,1,54215,53,33580,53,0x400019,udp,allow,337,131,206,2,2018/11/30 16:09:13,0,any,0,32091164,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 337, + "network.community_id": [ + "1:qHh6xeCGBZ5pLwaBsFDRVbP5MZU=", + "1:twx1eOqehbazvI0g0nkTeVynrY0=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + 
"palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24142", + "palo_alto.pan_os.network.nat.community_id": "1:twx1eOqehbazvI0g0nkTeVynrY0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091164, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 33580, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 206, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 206, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 54215, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 83, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 35827, + "destination.address": "8.8.8.8", + "destination.bytes": 83, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 24853, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24195,1,35827,53,13498,53,0x400019,udp,allow,252,83,169,2,2018/11/30 16:09:13,0,any,0,32091165,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 252, + "network.community_id": [ + "1:7yZMN4i1Gxii2+FmEtBbvDk3lvA=", + "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24195", + "palo_alto.pan_os.network.nat.community_id": "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091165, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13498, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 169, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 169, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 35827, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 100, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 60609, + "destination.address": "8.8.8.8", + "destination.bytes": 100, + "destination.geo.continent_name": 
"North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 25302, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24124,1,60609,53,20365,53,0x400019,udp,allow,232,100,132,2,2018/11/30 16:09:13,0,any,0,32091166,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 232, + "network.community_id": [ + "1:0vV/bWp15XA8ntbAvsV9+ktbx6E=", + "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24124", + "palo_alto.pan_os.network.nat.community_id": "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091166, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + 
"palo_alto.pan_os.source.nat.port": 20365, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 132, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 132, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 60609, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 79, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 3248, + "destination.address": "8.8.8.8", + "destination.bytes": 79, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 25752, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24153,1,3248,53,61464,53,0x400019,udp,allow,206,79,127,2,2018/11/30 16:09:13,0,any,0,32091167,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 206, + "network.community_id": [ + "1:v2Rn2HMvdhM3B2CXYva9UePt+Og=", + 
"1:hsTAFtOdeb7+Ofe152B+9h69mbE=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24153", + "palo_alto.pan_os.network.nat.community_id": "1:hsTAFtOdeb7+Ofe152B+9h69mbE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091167, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 61464, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 127, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 127, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 3248, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 89, + "client.ip": "192.168.15.196", + "client.packets": 1, + "client.port": 49284, + "destination.address": "8.8.8.8", + "destination.bytes": 89, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": 
"allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 26200, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24122,1,49284,53,42877,53,0x400019,udp,allow,194,89,105,2,2018/11/30 16:09:13,0,any,0,32091168,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 194, + "network.community_id": [ + "1:tO559KwdaAXfBh7HmZSLp9/JUJQ=", + "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24122", + "palo_alto.pan_os.network.nat.community_id": "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091168, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42877, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.196", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 105, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.196", + "source.bytes": 105, + "source.ip": "192.168.15.196", + "source.packets": 1, + "source.port": 49284, + "tags": [ + "pan-os" 
+ ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 97, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 57732, + "destination.address": "8.8.8.8", + "destination.bytes": 97, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 26649, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24171,1,57732,53,5918,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:13,0,any,0,32091169,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 269, + "network.community_id": [ + "1:aMEfJV/f54B1+0RNtWjw49JfNFU=", + "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24171", + "palo_alto.pan_os.network.nat.community_id": 
"1:gHWCOTtilTTqOn7fOKh7zVq45Xw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091169, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 5918, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 172, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 172, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 57732, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 49195, + "destination.address": "8.8.8.8", + "destination.bytes": 78, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 27097, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24069,1,49195,53,28944,53,0x400019,udp,allow,212,78,134,2,2018/11/30 
16:09:13,0,any,0,32091170,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 212, + "network.community_id": [ + "1:WgGQfntwYS3voQPhGfI/qhx0SVk=", + "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24069", + "palo_alto.pan_os.network.nat.community_id": "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091170, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 28944, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 134, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 134, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 49195, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 73, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 17266, + "destination.address": "8.8.8.8", + "destination.bytes": 73, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + 
"ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 27546, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24282,1,17266,53,13415,53,0x400019,udp,allow,252,73,179,2,2018/11/30 16:09:13,0,any,0,32091171,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 252, + "network.community_id": [ + "1:RM5edUgZPywM/hIejzFVba+A4co=", + "1:po/vy4RoD5WeFPgCZnduQkE47yY=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24282", + "palo_alto.pan_os.network.nat.community_id": "1:po/vy4RoD5WeFPgCZnduQkE47yY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091171, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13415, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 179, + 
"server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 179, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 17266, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 90, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 48631, + "destination.address": "8.8.8.8", + "destination.bytes": 90, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 27995, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24218,1,48631,53,2489,53,0x400019,udp,allow,308,90,218,2,2018/11/30 16:09:13,0,any,0,32091172,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 308, + "network.community_id": [ + "1:jJo7FJWI3gHbC96nTsyT17hVP98=", + "1:wIxYOe++IxscmxBcRwrPGEIlZF4=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24218", + "palo_alto.pan_os.network.nat.community_id": "1:wIxYOe++IxscmxBcRwrPGEIlZF4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091172, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2489, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 218, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 218, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 48631, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 77, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 58540, + "destination.address": "8.8.8.8", + "destination.bytes": 77, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 28443, + "log.original": "Nov 30 16:09:46 PA-220 
1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24200,1,58540,53,49328,53,0x400019,udp,allow,249,77,172,2,2018/11/30 16:09:13,0,any,0,32091173,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 249, + "network.community_id": [ + "1:eWhg/7DfJGJNfW90sKt5WEYnI9g=", + "1:xN7R3QI47jVAQhgJrOAvdsu+oes=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24200", + "palo_alto.pan_os.network.nat.community_id": "1:xN7R3QI47jVAQhgJrOAvdsu+oes=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091173, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 49328, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 172, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 172, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 58540, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:46.000Z", + "client.bytes": 74, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 42678, + "destination.address": "8.8.8.8", + 
"destination.bytes": 74, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:13.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 28892, + "log.original": "Nov 30 16:09:46 PA-220 1,2018/11/30 16:09:46,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:46,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:46,24224,1,42678,53,36036,53,0x400019,udp,allow,379,74,305,2,2018/11/30 16:09:13,0,any,0,32091174,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 379, + "network.community_id": [ + "1:dhAcAsMUxJrHfinQA5Q7eglS7T0=", + "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24224", + "palo_alto.pan_os.network.nat.community_id": "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091174, + "palo_alto.pan_os.source.interface": "ethernet1/2", + 
"palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 36036, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 305, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 305, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 42678, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 76, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 16576, + "destination.address": "66.28.0.45", + "destination.bytes": 76, + "destination.geo.city_name": "Upper Marlboro", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.8922, + "destination.geo.location.lon": -76.7681, + "destination.geo.region_iso_code": "US-MD", + "destination.geo.region_name": "Maryland", + "destination.ip": "66.28.0.45", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 29341, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,66.28.0.45,192.168.1.63,66.28.0.45,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24240,1,16576,53,33744,53,0x400019,udp,allow,603,76,527,2,2018/11/30 
16:09:14,0,any,0,32091175,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 603, + "network.community_id": [ + "1:4i/owhGS2IpySKH+SyV4sXRj0+A=", + "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "66.28.0.45", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24240", + "palo_alto.pan_os.network.nat.community_id": "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091175, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 33744, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "66.28.0.45", + "192.168.1.63", + "66.28.0.45" + ], + "server.bytes": 527, + "server.ip": "66.28.0.45", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 527, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 16576, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 89, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 39830, + "destination.address": "8.8.8.8", + "destination.bytes": 89, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + 
"destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 29796, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24183,1,39830,53,45809,53,0x400019,udp,allow,242,89,153,2,2018/11/30 16:09:14,0,any,0,32091176,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 242, + "network.community_id": [ + "1:KZzZcwEN4cbaTck1z2Wa/3P3YjU=", + "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24183", + "palo_alto.pan_os.network.nat.community_id": "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091176, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 45809, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + 
"server.bytes": 153, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 153, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 39830, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 71, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 6185, + "destination.address": "8.8.8.8", + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 30245, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24211,1,6185,53,3675,53,0x400019,udp,allow,240,71,169,2,2018/11/30 16:09:14,0,any,0,32091177,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 240, + "network.community_id": [ + "1:LJ6ZkdUI9SYHDvi3B2Yn/9ILMbM=", + "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24211", + "palo_alto.pan_os.network.nat.community_id": "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091177, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 3675, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 169, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 169, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 6185, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 80, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 8781, + "destination.address": "8.8.8.8", + "destination.bytes": 80, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 30692, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 
16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24253,1,8781,53,5787,53,0x400019,udp,allow,208,80,128,2,2018/11/30 16:09:14,0,any,0,32091178,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 208, + "network.community_id": [ + "1:8CDWB7X3kkKjoV2bprSLSQY1py4=", + "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24253", + "palo_alto.pan_os.network.nat.community_id": "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091178, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 5787, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 128, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 128, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 8781, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 72, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 16788, + "destination.address": "8.8.8.8", + "destination.bytes": 
72, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 31139, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24221,1,16788,53,12342,53,0x400019,udp,allow,253,72,181,2,2018/11/30 16:09:14,0,any,0,32091179,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 253, + "network.community_id": [ + "1:ScmRIn+bxqoJafQfJfEaH/CdCjE=", + "1:vnb4ttnFy2i39tg89p3jkGs6eDg=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24221", + "palo_alto.pan_os.network.nat.community_id": "1:vnb4ttnFy2i39tg89p3jkGs6eDg=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091179, + "palo_alto.pan_os.source.interface": "ethernet1/2", + 
"palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 12342, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 181, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 181, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 16788, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 76, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 45307, + "destination.address": "8.8.8.8", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 31588, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24310,1,45307,53,18729,53,0x400019,udp,allow,197,76,121,2,2018/11/30 16:09:14,0,any,0,32091180,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 197, + 
"network.community_id": [ + "1:eupsSNkv67+oInX/FQ2hHpUMyR8=", + "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24310", + "palo_alto.pan_os.network.nat.community_id": "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091180, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 18729, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 121, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 121, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 45307, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 681, + "client.ip": "192.168.15.224", + "client.packets": 5, + "client.port": 52520, + "destination.address": "23.52.174.25", + "destination.bytes": 681, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "23.52.174.25", + "destination.packets": 6, + "destination.port": 80, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": 
"2018-11-30T16:09:29.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:29.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 32037, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,23.52.174.25,192.168.1.63,23.52.174.25,new_outbound_from_trust,,,ocsp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24326,1,52520,80,57858,80,0x400053,tcp,allow,1927,681,1246,11,2018/11/30 16:09:29,0,computer-and-internet-info,0,32091181,0x0,192.168.0.0-192.168.255.255,United States,0,6,5,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ocsp", + "network.bytes": 1927, + "network.community_id": [ + "1://eZmJioBenLsE0zEL0rhbQ7JT8=", + "1:5ECmBtgiSUvWFJAA318pVeeu5Pw=" + ], + "network.direction": "outbound", + "network.packets": 11, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "23.52.174.25", + "palo_alto.pan_os.destination.nat.port": 80, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24326", + "palo_alto.pan_os.network.nat.community_id": "1:5ECmBtgiSUvWFJAA318pVeeu5Pw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091181, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 57858, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "computer-and-internet-info", + "related.ip": [ + "192.168.15.224", + "23.52.174.25", + "192.168.1.63", + "23.52.174.25" + ], + "server.bytes": 1246, + "server.ip": "23.52.174.25", + "server.packets": 6, + "server.port": 80, + "service.type": "palo_alto", + 
"source.address": "192.168.15.224", + "source.bytes": 1246, + "source.ip": "192.168.15.224", + "source.packets": 5, + "source.port": 52520, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 79, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 8503, + "destination.address": "8.8.8.8", + "destination.bytes": 79, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 1000000000, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:13.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 32523, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24201,1,8503,53,2722,53,0x400019,udp,allow,394,79,315,2,2018/11/30 16:09:13,1,any,0,32091182,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 394, + "network.community_id": [ + "1:5CL0nRdjk2Nab0PzB6vfyC1FbtI=", + "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + 
"palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24201", + "palo_alto.pan_os.network.nat.community_id": "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091182, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 2722, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 315, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 315, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 8503, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 82, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 6910, + "destination.address": "8.8.8.8", + "destination.bytes": 82, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 32970, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24130,1,6910,53,6674,53,0x400019,udp,allow,212,82,130,2,2018/11/30 16:09:14,0,any,0,32091183,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 212, + "network.community_id": [ + "1:3cIrQ2yt0QUupDVmbBJXH54+2pA=", + "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24130", + "palo_alto.pan_os.network.nat.community_id": "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091183, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 6674, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 130, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 130, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 6910, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 354, + "client.ip": "192.168.15.224", + "client.packets": 4, + "client.port": 52475, + "destination.address": "54.230.5.228", + "destination.bytes": 354, + "destination.geo.city_name": 
"Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.542, + "destination.geo.location.lon": -122.3123, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "54.230.5.228", + "destination.packets": 5, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:29.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:17.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 33417, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,54.230.5.228,192.168.1.63,54.230.5.228,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24237,1,52475,443,37427,443,0x40001c,tcp,allow,642,354,288,9,2018/11/30 16:09:17,12,any,0,32091184,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 642, + "network.community_id": [ + "1:ArbNq6iF9i1NLk5zDU1qThAZf4g=", + "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=" + ], + "network.direction": "outbound", + "network.packets": 9, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "54.230.5.228", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24237", + "palo_alto.pan_os.network.nat.community_id": "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=", + "palo_alto.pan_os.ruleset": 
"new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091184, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 37427, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "54.230.5.228", + "192.168.1.63", + "54.230.5.228" + ], + "server.bytes": 288, + "server.ip": "54.230.5.228", + "server.packets": 5, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 288, + "source.ip": "192.168.15.224", + "source.packets": 4, + "source.port": 52475, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:47.000Z", + "client.bytes": 76, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 14342, + "destination.address": "8.8.8.8", + "destination.bytes": 76, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:14.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:14.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 33886, + "log.original": "Nov 30 16:09:47 PA-220 1,2018/11/30 16:09:47,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:47,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:47,24108,1,14342,53,22408,53,0x400019,udp,allow,225,76,149,2,2018/11/30 
16:09:14,0,any,0,32091185,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 225, + "network.community_id": [ + "1:uTxp5xDc9k43Sc1xNxNrsxzfM/I=", + "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24108", + "palo_alto.pan_os.network.nat.community_id": "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091185, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22408, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 149, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 149, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 14342, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:48.000Z", + "client.bytes": 71, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 48197, + "destination.address": "8.8.8.8", + "destination.bytes": 71, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + 
"ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:15.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:15.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 34335, + "log.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24247,1,48197,53,27899,53,0x400019,udp,allow,273,71,202,2,2018/11/30 16:09:15,0,any,0,32091186,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 273, + "network.community_id": [ + "1:hwpLJFJeocCuki/uuS7DMUwYAcc=", + "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24247", + "palo_alto.pan_os.network.nat.community_id": "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091186, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 27899, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 202, + 
"server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 202, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 48197, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:48.000Z", + "client.bytes": 75, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 32296, + "destination.address": "8.8.8.8", + "destination.bytes": 75, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:15.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:15.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 34784, + "log.original": "Nov 30 16:09:48 PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24098,1,32296,53,52939,53,0x400019,udp,allow,270,75,195,2,2018/11/30 16:09:15,0,any,0,32091187,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 270, + "network.community_id": [ + "1:PL/uhiXbtv9YRtGDNEfmkWyMpEw=", + "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + 
"palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24098", + "palo_alto.pan_os.network.nat.community_id": "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091187, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 52939, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 195, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 195, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 32296, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:48.000Z", + "client.bytes": 90, + "client.ip": "192.168.15.195", + "client.packets": 1, + "client.port": 33870, + "destination.address": "208.83.246.20", + "destination.bytes": 90, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.83.246.20", + "destination.packets": 1, + "destination.port": 123, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:15.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:15.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 35233, + "log.original": "Nov 30 16:09:48 
PA-220 1,2018/11/30 16:09:48,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:48,192.168.15.195,208.83.246.20,192.168.1.63,208.83.246.20,new_outbound_from_trust,,,ntp,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:48,24263,1,33870,123,42907,123,0x400053,udp,allow,180,90,90,2,2018/11/30 16:09:15,0,any,0,32091188,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ntp", + "network.bytes": 180, + "network.community_id": [ + "1:zSTxlbsV3qi7ri6QQifUc6oMz/o=", + "1:OSARbLstqz9D5CGo0NQuv0a9g20=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "208.83.246.20", + "palo_alto.pan_os.destination.nat.port": 123, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24263", + "palo_alto.pan_os.network.nat.community_id": "1:OSARbLstqz9D5CGo0NQuv0a9g20=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091188, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 42907, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.195", + "208.83.246.20", + "192.168.1.63", + "208.83.246.20" + ], + "server.bytes": 90, + "server.ip": "208.83.246.20", + "server.packets": 1, + "server.port": 123, + "service.type": "palo_alto", + "source.address": "192.168.15.195", + "source.bytes": 90, + "source.ip": "192.168.15.195", + "source.packets": 1, + "source.port": 33870, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 148, + "client.ip": "192.168.15.196", + "client.packets": 2, + "client.port": 
54659, + "destination.address": "8.8.8.8", + "destination.bytes": 148, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 2, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "drop-icmp", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 35695, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.196,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24258,1,54659,53,19658,53,0x400019,udp,drop ICMP,340,148,192,4,2018/11/30 16:09:16,0,any,0,32091189,0x0,192.168.0.0-192.168.255.255,United States,0,2,2,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 340, + "network.community_id": [ + "1:E2LqiKHR3ZQXGMA0QsH84jNNC/0=", + "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=" + ], + "network.direction": "outbound", + "network.packets": 4, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24258", + "palo_alto.pan_os.network.nat.community_id": "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091189, + 
"palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 19658, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.196", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 192, + "server.ip": "8.8.8.8", + "server.packets": 2, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.196", + "source.bytes": 192, + "source.ip": "192.168.15.196", + "source.packets": 2, + "source.port": 54659, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 83, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 57446, + "destination.address": "8.8.8.8", + "destination.bytes": 83, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "reset-client", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 36149, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24155,1,57446,53,64352,53,0x400019,udp,reset client,291,83,208,2,2018/11/30 16:09:16,0,any,0,32091190,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", 
+ "network.application": "dns", + "network.bytes": 291, + "network.community_id": [ + "1:wZXxVANJq0JID3j0Sh2o/qnIa7A=", + "1:uPFYX4KL/wjyCp4kt+08v7myT3w=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24155", + "palo_alto.pan_os.network.nat.community_id": "1:uPFYX4KL/wjyCp4kt+08v7myT3w=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091190, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 64352, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 208, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 208, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 57446, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 84, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 22655, + "destination.address": "8.8.8.8", + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", 
+ "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "reset-server", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 36605, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24232,1,22655,53,60126,53,0x400019,udp,reset server,184,84,100,2,2018/11/30 16:09:16,0,any,0,32091191,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 184, + "network.community_id": [ + "1:GzSDvCcBuprowvf40RNRaGTOn+A=", + "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24232", + "palo_alto.pan_os.network.nat.community_id": "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091191, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 60126, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 100, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": 
"192.168.15.224", + "source.bytes": 100, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 22655, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 2053, + "client.ip": "192.168.15.224", + "client.packets": 11, + "client.port": 52509, + "destination.address": "35.185.88.112", + "destination.bytes": 2053, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.6582, + "destination.geo.location.lon": -77.2497, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "35.185.88.112", + "destination.packets": 13, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 10000000000, + "event.end": "2018-11-30T16:09:31.000Z", + "event.module": "palo_alto", + "event.outcome": "reset-both", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 37061, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,35.185.88.112,192.168.1.63,35.185.88.112,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24330,1,52509,443,59771,443,0x40001a,tcp,reset both,9290,2053,7237,24,2018/11/30 16:09:21,10,business-and-economy,0,32091192,0x0,192.168.0.0-192.168.255.255,United States,0,13,11,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 9290, + "network.community_id": [ + "1:WVDXvoZNkWqELBhlp2DzAjKS6V4=", + "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=" + ], + "network.direction": "outbound", + "network.packets": 24, + "network.transport": "tcp", + "observer.hostname": "PA-220", + 
"observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "35.185.88.112", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24330", + "palo_alto.pan_os.network.nat.community_id": "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091192, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 59771, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "35.185.88.112", + "192.168.1.63", + "35.185.88.112" + ], + "server.bytes": 7237, + "server.ip": "35.185.88.112", + "server.packets": 13, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 7237, + "source.ip": "192.168.15.224", + "source.packets": 11, + "source.port": 52509, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 93, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 27192, + "destination.address": "8.8.8.8", + "destination.bytes": 93, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "pan_os", + "input.type": "log", + 
"labels.nat_translated": true, + "log.offset": 37565, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,23960,1,27192,53,35748,53,0x400019,udp,allow,202,93,109,2,2018/11/30 16:09:16,0,any,0,32091193,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 202, + "network.community_id": [ + "1:SaW9SLCHEmuQYbHgbCLPVZmIrWo=", + "1:9Ub1pskil4C0tLo85OJa61g1D0Q=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "23960", + "palo_alto.pan_os.network.nat.community_id": "1:9Ub1pskil4C0tLo85OJa61g1D0Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091193, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 35748, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 109, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 109, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 27192, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 84, + "client.ip": 
"192.168.15.224", + "client.packets": 1, + "client.port": 30221, + "destination.address": "8.8.8.8", + "destination.bytes": 84, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 38014, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24236,1,30221,53,63701,53,0x400019,udp,allow,200,84,116,2,2018/11/30 16:09:16,0,any,0,32091194,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 200, + "network.community_id": [ + "1:UKGEn5x2xKPJhb0aLNUd3IM2xP0=", + "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24236", + "palo_alto.pan_os.network.nat.community_id": "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + 
"palo_alto.pan_os.sequence_number": 32091194, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 63701, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 116, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 116, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 30221, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:49.000Z", + "client.bytes": 64, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 30570, + "destination.address": "8.8.8.8", + "destination.bytes": 64, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:16.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:16.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 38463, + "log.original": "Nov 30 16:09:49 PA-220 1,2018/11/30 16:09:49,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:49,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:49,24276,1,30570,53,57872,53,0x400019,udp,allow,160,64,96,2,2018/11/30 16:09:16,0,any,0,32091195,0x0,192.168.0.0-192.168.255.255,United 
States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 160, + "network.community_id": [ + "1:7WDGZhY7X3GTZLGCIDWzxK5juF4=", + "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24276", + "palo_alto.pan_os.network.nat.community_id": "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091195, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 57872, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 96, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 96, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 30570, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52497, + "destination.address": "50.19.85.24", + "destination.bytes": 1100, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + 
"destination.ip": "50.19.85.24", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 38911, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24299,1,52497,443,37581,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091196,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1754, + "network.community_id": [ + "1:wOhR5YstpLgnt5WE19sGYKCmyZU=", + "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=" + ], + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "50.19.85.24", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24299", + "palo_alto.pan_os.network.nat.community_id": "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091196, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 37581, + "palo_alto.pan_os.source.zone": "trust", + 
"palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "50.19.85.24", + "192.168.1.63", + "50.19.85.24" + ], + "server.bytes": 654, + "server.ip": "50.19.85.24", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 654, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52497, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52498, + "destination.address": "50.19.85.24", + "destination.bytes": 1100, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "50.19.85.24", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 39403, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24229,1,52498,443,19226,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091197,0x0,192.168.0.0-192.168.255.255,United 
States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1754, + "network.community_id": [ + "1:6h8eY2s13iXP9cVx+C3Odlnn4+A=", + "1:8oAG19bm5FROhazDy0CcTH+Cfqc=" + ], + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "50.19.85.24", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24229", + "palo_alto.pan_os.network.nat.community_id": "1:8oAG19bm5FROhazDy0CcTH+Cfqc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091197, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 19226, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "50.19.85.24", + "192.168.1.63", + "50.19.85.24" + ], + "server.bytes": 654, + "server.ip": "50.19.85.24", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 654, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52498, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52496, + "destination.address": "50.19.85.24", + "destination.bytes": 1100, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + 
"destination.geo.region_name": "Virginia", + "destination.ip": "50.19.85.24", + "destination.packets": 8, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 39895, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24283,1,52496,443,61721,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091198,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1754, + "network.community_id": [ + "1:/ZL4TDk4BgzLIyz/Xp1oJ9ew5cE=", + "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=" + ], + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "50.19.85.24", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24283", + "palo_alto.pan_os.network.nat.community_id": "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091198, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 61721, + 
"palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + "50.19.85.24", + "192.168.1.63", + "50.19.85.24" + ], + "server.bytes": 654, + "server.ip": "50.19.85.24", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 654, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52496, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 2691, + "client.ip": "192.168.15.224", + "client.packets": 10, + "client.port": 52510, + "destination.address": "104.254.150.9", + "destination.bytes": 2691, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "104.254.150.9", + "destination.packets": 12, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 40387, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,104.254.150.9,192.168.1.63,104.254.150.9,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24369,1,52510,443,10098,443,0x40001a,tcp,allow,10511,2691,7820,22,2018/11/30 16:09:21,11,web-advertisements,0,32091199,0x0,192.168.0.0-192.168.255.255,United States,0,12,10,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 10511, 
+ "network.community_id": [ + "1:xYiSF9gJFyCzwbXQPyFt8YU2J78=", + "1:aHhDlT3Bx285CJRrBykpRsei1a0=" + ], + "network.direction": "outbound", + "network.packets": 22, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "104.254.150.9", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24369", + "palo_alto.pan_os.network.nat.community_id": "1:aHhDlT3Bx285CJRrBykpRsei1a0=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091199, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 10098, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "web-advertisements", + "related.ip": [ + "192.168.15.224", + "104.254.150.9", + "192.168.1.63", + "104.254.150.9" + ], + "server.bytes": 7820, + "server.ip": "104.254.150.9", + "server.packets": 12, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 7820, + "source.ip": "192.168.15.224", + "source.packets": 10, + "source.port": 52510, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 1100, + "client.ip": "192.168.15.224", + "client.packets": 7, + "client.port": 52495, + "destination.address": "50.19.85.24", + "destination.bytes": 1100, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "50.19.85.24", + "destination.packets": 8, + "destination.port": 443, + 
"ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 11000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:21.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 40885, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,50.19.85.24,192.168.1.63,50.19.85.24,new_outbound_from_trust,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24354,1,52495,443,4564,443,0x40001c,tcp,allow,1754,1100,654,15,2018/11/30 16:09:21,11,business-and-economy,0,32091200,0x0,192.168.0.0-192.168.255.255,United States,0,8,7,tcp-rst-from-client,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ssl", + "network.bytes": 1754, + "network.community_id": [ + "1:QTH4ra5ZOxMb5v4tYy8DkqQsSus=", + "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=" + ], + "network.direction": "outbound", + "network.packets": 15, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "50.19.85.24", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24354", + "palo_alto.pan_os.network.nat.community_id": "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091200, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 4564, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "business-and-economy", + "related.ip": [ + "192.168.15.224", + 
"50.19.85.24", + "192.168.1.63", + "50.19.85.24" + ], + "server.bytes": 654, + "server.ip": "50.19.85.24", + "server.packets": 8, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 654, + "source.ip": "192.168.15.224", + "source.packets": 7, + "source.port": 52495, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 276, + "client.ip": "192.168.15.224", + "client.packets": 3, + "client.port": 52486, + "destination.address": "52.0.218.108", + "destination.bytes": 276, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.0.218.108", + "destination.packets": 4, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 41376, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.0.218.108,192.168.1.63,52.0.218.108,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24254,1,52486,443,32104,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091201,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 490, + "network.community_id": [ + 
"1:pRGS72RJ+/RdCMjmtcrBxdR6i9w=", + "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=" + ], + "network.direction": "outbound", + "network.packets": 7, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.0.218.108", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24254", + "palo_alto.pan_os.network.nat.community_id": "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091201, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 32104, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "52.0.218.108", + "192.168.1.63", + "52.0.218.108" + ], + "server.bytes": 214, + "server.ip": "52.0.218.108", + "server.packets": 4, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 214, + "source.ip": "192.168.15.224", + "source.packets": 3, + "source.port": 52486, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 276, + "client.ip": "192.168.15.224", + "client.packets": 3, + "client.port": 52489, + "destination.address": "52.6.117.19", + "destination.bytes": 276, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "52.6.117.19", + "destination.packets": 4, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": 
"flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 41845, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,52.6.117.19,192.168.1.63,52.6.117.19,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24246,1,52489,443,14172,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091202,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 490, + "network.community_id": [ + "1:zaENYnP2VlZewYNuHhpqTvNAf4Y=", + "1:486dmnLzuTH8P7j6jI6JsUtW2VU=" + ], + "network.direction": "outbound", + "network.packets": 7, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "52.6.117.19", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24246", + "palo_alto.pan_os.network.nat.community_id": "1:486dmnLzuTH8P7j6jI6JsUtW2VU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091202, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 14172, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "52.6.117.19", + "192.168.1.63", + "52.6.117.19" + ], + "server.bytes": 214, + 
"server.ip": "52.6.117.19", + "server.packets": 4, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 214, + "source.ip": "192.168.15.224", + "source.packets": 3, + "source.port": 52489, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 276, + "client.ip": "192.168.15.224", + "client.packets": 3, + "client.port": 52490, + "destination.address": "34.238.96.22", + "destination.bytes": 276, + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.238.96.22", + "destination.packets": 4, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 42312, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,34.238.96.22,192.168.1.63,34.238.96.22,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24343,1,52490,443,10286,443,0x40001c,tcp,allow,490,276,214,7,2018/11/30 16:09:20,12,any,0,32091203,0x0,192.168.0.0-192.168.255.255,United States,0,4,3,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 490, + "network.community_id": [ + "1:FdupsUbF1ju1djczW9JAKlxKNC4=", + "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=" + ], + 
"network.direction": "outbound", + "network.packets": 7, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "34.238.96.22", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24343", + "palo_alto.pan_os.network.nat.community_id": "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091203, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 10286, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "34.238.96.22", + "192.168.1.63", + "34.238.96.22" + ], + "server.bytes": 214, + "server.ip": "34.238.96.22", + "server.packets": 4, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 214, + "source.ip": "192.168.15.224", + "source.packets": 3, + "source.port": 52490, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:50.000Z", + "client.bytes": 276, + "client.ip": "192.168.15.224", + "client.packets": 4, + "client.port": 52493, + "destination.address": "130.211.47.17", + "destination.bytes": 276, + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.419200000000004, + "destination.geo.location.lon": -122.0574, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "130.211.47.17", + "destination.packets": 4, + "destination.port": 443, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + 
"event.dataset": "palo_alto.pan_os", + "event.duration": 12000000000, + "event.end": "2018-11-30T16:09:32.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:20.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 42781, + "log.original": "Nov 30 16:09:50 PA-220 1,2018/11/30 16:09:50,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:50,192.168.15.224,130.211.47.17,192.168.1.63,130.211.47.17,new_outbound_from_trust,,,incomplete,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:50,24262,1,52493,443,30799,443,0x40001c,tcp,allow,556,276,280,8,2018/11/30 16:09:20,12,any,0,32091204,0x0,192.168.0.0-192.168.255.255,United States,0,4,4,tcp-fin,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "incomplete", + "network.bytes": 556, + "network.community_id": [ + "1:fHitWYVd9RNFs7M5hQrqw/dmY8Y=", + "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=" + ], + "network.direction": "outbound", + "network.packets": 8, + "network.transport": "tcp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "130.211.47.17", + "palo_alto.pan_os.destination.nat.port": 443, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24262", + "palo_alto.pan_os.network.nat.community_id": "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091204, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 30799, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "130.211.47.17", + "192.168.1.63", + "130.211.47.17" + ], + "server.bytes": 280, + "server.ip": "130.211.47.17", + "server.packets": 
4, + "server.port": 443, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 280, + "source.ip": "192.168.15.224", + "source.packets": 4, + "source.port": 52493, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:51.000Z", + "client.bytes": 97, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 59320, + "destination.address": "8.8.8.8", + "destination.bytes": 97, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:18.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:18.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 43252, + "log.original": "Nov 30 16:09:51 PA-220 1,2018/11/30 16:09:51,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:51,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:51,24281,1,59320,53,13490,53,0x400019,udp,allow,269,97,172,2,2018/11/30 16:09:18,0,any,0,32091205,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 269, + "network.community_id": [ + "1:n/IZF37E/7cErtK4po3ewuEQScY=", + "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + 
"palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24281", + "palo_alto.pan_os.network.nat.community_id": "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091205, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 13490, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 172, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 172, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 59320, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 588, + "client.ip": "192.168.15.224", + "client.packets": 6, + "client.port": 0, + "destination.address": "8.8.8.8", + "destination.bytes": 588, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 6, + "destination.port": 0, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:37.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:37.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 43701, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 
16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,ping,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24424,6,0,0,0,0,0x500019,icmp,allow,1176,588,588,12,2018/11/30 16:09:37,0,any,0,32091206,0x0,192.168.0.0-192.168.255.255,United States,0,6,6,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "ping", + "network.bytes": 1176, + "network.community_id": [ + "1:iNhLzwoKKarTKCq59Sts/hhZN7Q=", + "1:QVXHpdoObbzEeqP6DGULYxqYgAY=" + ], + "network.direction": "outbound", + "network.packets": 12, + "network.transport": "icmp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 0, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24424", + "palo_alto.pan_os.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091206, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 0, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 588, + "server.ip": "8.8.8.8", + "server.packets": 6, + "server.port": 0, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 588, + "source.ip": "192.168.15.224", + "source.packets": 6, + "source.port": 0, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 13076, + "destination.address": "8.8.8.8", + "destination.bytes": 78, + "destination.geo.continent_name": "North America", + 
"destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 44145, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24230,1,13076,53,53751,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091207,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 172, + "network.community_id": [ + "1:jKueIOIhkRRjHQyRO93QyuKEiP8=", + "1:mdksC4jGw6MN7g3nGdquiqQ95vU=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24230", + "palo_alto.pan_os.network.nat.community_id": "1:mdksC4jGw6MN7g3nGdquiqQ95vU=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091207, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + 
"palo_alto.pan_os.source.nat.port": 53751, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 94, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 94, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 13076, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 72, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 5511, + "destination.address": "8.8.8.8", + "destination.bytes": 72, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 44593, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24243,1,5511,53,21643,53,0x400019,udp,allow,242,72,170,2,2018/11/30 16:09:19,0,any,0,32091208,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 242, + "network.community_id": [ + "1:mci4o+GZJDLvZr11UdJH9bepPqU=", + 
"1:+zC2Y+UE7UqApr01oqb755Xyuf4=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24243", + "palo_alto.pan_os.network.nat.community_id": "1:+zC2Y+UE7UqApr01oqb755Xyuf4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091208, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 21643, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 170, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 170, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 5511, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 9799, + "destination.address": "8.8.8.8", + "destination.bytes": 78, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", 
+ "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 45041, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24077,1,9799,53,22446,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091209,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 172, + "network.community_id": [ + "1:Px8uRfOgVDuaWj/VKxjTwyAzHAM=", + "1:xawqUBgLyfe1E61ObEXv4nbO590=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24077", + "palo_alto.pan_os.network.nat.community_id": "1:xawqUBgLyfe1E61ObEXv4nbO590=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091209, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22446, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 94, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 94, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 9799, + "tags": [ + "pan-os" + ] + }, + { 
+ "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 78, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 39169, + "destination.address": "8.8.8.8", + "destination.bytes": 78, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 45488, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24266,1,39169,53,22301,53,0x400019,udp,allow,172,78,94,2,2018/11/30 16:09:19,0,any,0,32091210,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 172, + "network.community_id": [ + "1:6tSek5GUc9k56LSY4NgTMd0igd8=", + "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24266", + "palo_alto.pan_os.network.nat.community_id": 
"1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091210, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 22301, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 94, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 94, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 39169, + "tags": [ + "pan-os" + ] + }, + { + "@timestamp": "2018-11-30T16:09:52.000Z", + "client.bytes": 72, + "client.ip": "192.168.15.224", + "client.packets": 1, + "client.port": 42476, + "destination.address": "8.8.8.8", + "destination.bytes": 72, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "ecs.version": "1.0.0", + "event.action": "flow_terminated", + "event.category": "network_traffic", + "event.dataset": "palo_alto.pan_os", + "event.duration": 0, + "event.end": "2018-11-30T16:09:19.000Z", + "event.module": "palo_alto", + "event.outcome": "allow", + "event.start": "2018-11-30T16:09:19.000Z", + "fileset.name": "pan_os", + "input.type": "log", + "labels.nat_translated": true, + "log.offset": 45936, + "log.original": "Nov 30 16:09:52 PA-220 1,2018/11/30 16:09:52,012801096514,TRAFFIC,end,2049,2018/11/30 16:09:52,192.168.15.224,8.8.8.8,192.168.1.63,8.8.8.8,new_outbound_from_trust,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,send_to_mac,2018/11/30 16:09:52,24269,1,42476,53,58124,53,0x400019,udp,allow,238,72,166,2,2018/11/30 
16:09:19,0,any,0,32091211,0x0,192.168.0.0-192.168.255.255,United States,0,1,1,aged-out,0,0,0,0,,PA-220,from-policy,,,0,,0,,N/A,0,0,0,0", + "network.application": "dns", + "network.bytes": 238, + "network.community_id": [ + "1:xl0u/+SYGciPtyPuv813G1aTEdI=", + "1:yNIHAg1M08IChho9000mtg7zUOc=" + ], + "network.direction": "outbound", + "network.packets": 2, + "network.transport": "udp", + "observer.hostname": "PA-220", + "observer.serial_number": "012801096514", + "palo_alto.pan_os.destination.interface": "ethernet1/1", + "palo_alto.pan_os.destination.nat.ip": "8.8.8.8", + "palo_alto.pan_os.destination.nat.port": 53, + "palo_alto.pan_os.destination.zone": "untrust", + "palo_alto.pan_os.flow_id": "24269", + "palo_alto.pan_os.network.nat.community_id": "1:yNIHAg1M08IChho9000mtg7zUOc=", + "palo_alto.pan_os.ruleset": "new_outbound_from_trust", + "palo_alto.pan_os.sequence_number": 32091211, + "palo_alto.pan_os.source.interface": "ethernet1/2", + "palo_alto.pan_os.source.nat.ip": "192.168.1.63", + "palo_alto.pan_os.source.nat.port": 58124, + "palo_alto.pan_os.source.zone": "trust", + "palo_alto.pan_os.url.category": "any", + "related.ip": [ + "192.168.15.224", + "8.8.8.8", + "192.168.1.63", + "8.8.8.8" + ], + "server.bytes": 166, + "server.ip": "8.8.8.8", + "server.packets": 1, + "server.port": 53, + "service.type": "palo_alto", + "source.address": "192.168.15.224", + "source.bytes": 166, + "source.ip": "192.168.15.224", + "source.packets": 1, + "source.port": 42476, + "tags": [ + "pan-os" + ] + } +] \ No newline at end of file