Graylog - Palo Alto globalprotect stage rules

Hello,

I just wanted to add a response for anyone out there who has content packs for THREAT, HIP-MATCH and SYSTEM but has recently updated their Palo Alto firewalls beyond 9.1.3.

This is a response to, and builds on, the following thread:

Since I already have System/Threat/HIP, I created the following pipeline:

Stage 1:

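// Stage 1: tag a message as GLOBALPROTECT when its CSV body carries that log
// type, so the positional split in the next stage only runs on those messages.
// Straight ASCII quotes are required; the typographic quotes in the pasted copy
// will not parse.
rule "PA-Firewall - GP - Type Extract"
when
    // The pattern is literal text (the group is not used). The surrounding
    // commas reduce the chance of matching GLOBALPROTECT inside some other
    // column's value, but do not rule it out entirely.
    regex(pattern: "(,GLOBALPROTECT,)", value: to_string($message.message)).matches == true
then
    set_field("Type", "GLOBALPROTECT");
end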

Stage 2:


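// Stage 2: split a GLOBALPROTECT CSV log body into named fields.
// Only runs after Stage 1 has set Type == "GLOBALPROTECT".
//
// Caveat: this is a plain positional split on ",". Any column value that
// itself contains a comma (free-text descriptions, OS strings, client-supplied
// names) shifts every later column by one, so auth_user, public_ip, status
// and friends can end up holding a neighbouring column's value. The two
// replace() calls below only paper over the two cases seen so far; a
// CSV-aware parse that honours quoting would be the robust fix.
// Straight ASCII quotes are required; the typographic quotes in the pasted
// copy will not parse.
rule "PA-Firewall- GP - Split"
when
    has_field("Type") &&
    to_string($message.Type) == "GLOBALPROTECT"
then
    let raw = to_string($message.message);

    // Known comma-bearing values: " , 64-bit" (presumably the client OS
    // column) and ", " inside free text. Each is rewritten with " - " so the
    // comma no longer counts as a column separator. Distinct variable names
    // are used for each step instead of re-binding the same name.
    let os_fixed = replace(value: raw,      search: " , 64-bit", replacement: " - 64-bit");
    let fixed    = replace(value: os_fixed, search: ", ",        replacement: " - ");

    // NOTE(review): if a message has fewer than 34 columns the trailing
    // indexes below are out of range — confirm how your Graylog version
    // handles that before relying on the later fields.
    let col = split(",", fixed);

    set_field("hostname",          col[0]);
    set_field("receive_date_time", col[1]);
    set_field("serial_number",     col[2]);
    set_field("logtype",           col[3]);
    set_field("subtype",           col[4]);   // not used: panorama
    set_field("sub_id",            col[5]);
    set_field("time_generated",    col[6]);
    set_field("virtual_system",    col[7]);
    set_field("event_id_name",     col[8]);
    set_field("session_stage",     col[9]);   // named for consistency with the Pulse VPN rules
    set_field("auth_method",       col[10]);
    set_field("tunnel_type",       col[11]);
    set_field("auth_user",         col[12]);
    set_field("region",            col[13]);
    set_field("host_name",         col[14]);  // distinct from "hostname" (col[0]) — easy to confuse
    set_field("public_ip",         col[15]);
    set_field("public_ipv6",       col[16]);
    set_field("private_ip",        col[17]);
    set_field("private_ipv6",      col[18]);  // unused
    set_field("hostid",            col[19]);
    // Originally written to "hostname" as well, which silently overwrote
    // col[0] set above; renamed so both values survive. The name below is a
    // placeholder — pick whatever your other PAN-OS rules use for this column.
    set_field("hostname_col20",    col[20]);
    set_field("client_ver",        col[21]);
    set_field("client_os",         col[22]);
    set_field("client_os_ver",     col[23]);
    set_field("repeatcnt",         col[24]);
    set_field("reason",            col[25]);
    set_field("error",             col[26]);
    set_field("desc",              col[27]);
    set_field("status",            col[28]);
    set_field("location",          col[29]);
    // Enforce a numeric type. to_long() falls back to its default (0) when the
    // column is empty or not numeric, so 0 here does not necessarily mean a
    // zero-length session.
    set_field("login_duration",    to_long(col[30]));
    set_field("connect_method",    col[31]);
    set_field("error_code",        col[32]);
    set_field("portal",            col[33]);
end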
