Example Mappings of two Palo Alto log sources to ECS 1.0.0-beta2 #352
Comments
|
Love this. I think it would be great to have a place where we collect and curate examples with supporting files (like this) publicly. Perhaps on the main website, perhaps not. In the meantime, I think it makes sense to use the |
|
Looking at the spreadsheet, and the Palo Alto docs, would it be worth having a column for the programmatic field name? What's in parens on their doc is the programmatic field name, correct? |
|
Another meta comment: having a sample log file attached here would be great :-) |
|
Was just looking this over, and I think the time fields need to be modified. "Generate Time" is when the event occurred and was originally logged on the firewall that observed the event, whereas "Received Time" is the time that the event was received by the management system (i.e. Panorama, if you're using it). In my logs I'm seeing Generate Time on average 9 seconds earlier than Receive Time. Therefore, I believe "Generate Time" should be @timestamp. I'm unsure where to place "Receive Time". I feel like event.created would be the original @timestamp value before it's replaced by "Generate Time" so you can track the overall time from source to Elasticsearch, but it could also be helpful to know "Receive Time" to determine if the discrepancy is from source firewall to management server (Panorama) or from management server to Elasticsearch. |
|
In regards to the NAT fields not being covered by ECS at this time, I chose to store these values under the base network object, considering this information as part of the communication path. Here is what I ended up calling these, I'd be curious to hear what other people are doing or if anyone thinks isn't a logical place for the information. |
|
Timestamps: I'm also uncertain where to place these additional timestamps in the ECS schmea. The best I can come up with is: NAT |
adding to thread on timestamp.For traffic logs - use time start as the For all other Palo logs (Threat, Config, System) - use "Generated Time" (time_generated) as the NATI agree with a nested field and placing under source/destination. I think using network.nat doesn't allow, whoever is using the data, to make that clear distinction that the source.ip was NATed. |
Log exampleexlcuding: Session Start time is the 36th (CSV). |
|
On NAT: [source/destination].nat is necessary I'd say (compared to just a single network nat nest) for any given connection there could be source and destination nats at the same time (I've done both on weird vpn setups) |
|
agree on NAT, especially with firewll (oaloalto) use cases. |
May want some consensus or clarification on this. Here's the way I interpret these fields. timestamp represents when the log was generated on the source (on the data plane):
event.start records when the session started
event.end records when the session ended
Correct me if I'm wrong, but Palo Alto generates the log for the session after the session ends? If the session start and end time are vastly different, it's really a question of what information is most important.
I think for a single event leaving GenerateTime as timestamp and using event.start and event.end may be the best, but I also agree that the session start time is also important to represent. However, in order to do so I'm more inclined to clone the event and transform a bit to use one copy with @timestamp of the session start, and another copy with timestamp as session end. I definitely have to think about this one more. |
|
Palo (and at least Firepower, tho I think I recall CP and Fortinet being
the same) can be configured to report a connection, iirc, at the start, the
end, or both (personally I've always done both as otherwise you could have
a long lived sketchy connection that doesn't get reported until some system
timeout.
The end record should contain the start time as well, but obviously the
start connection would need to be treated differently.
/d
/d
…On Fri, Apr 12, 2019 at 10:58 AM David ***@***.***> wrote:
adding to thread on timestamp.
For traffic logs - use time start as the @timestamp. this is when the
session started - this is important because when correlating network
records (flow, etc) the time of the session is most important.
Also, this holds closest to the base field of, which the description
states "Date/time when the event originated.
This is the date/time extracted from the event, typically representing
when the event was generated by the source."
The generated time is when the log was created on the dataplane. These
timestamp could be different, thus throwing off correlation of network logs.
May want some consensus or clarification on this. Here's the way I
interpret these fields.
@timestamp <https://github.com/timestamp> represents when the log was
generated on the source (on the data plane):
This is the date/time extracted from the event, typically representing
when the event was generated by the source.
event.start records when the session started
event.start contains the date when the event started or when the activity
was first observed.
event.end records when the session ended
event.end contains the date when the event ended or when the activity was
last observed.
Correct me if I'm wrong, but Palo Alto generates the log for the session
after the session ends? If the session start and end time are vastly
different, it's really a question of what information is most important. Do
you want the event to appear in your timeline for when the event was
actually generated, do you want it to appear when it was initiated or end?
I think for a single event leaving GenerateTime as @timestamp
<https://github.com/timestamp> and using event.start and event.end may be
the best, but I also agree that the session start time is also important to
represent. However, in order to do so I'm more inclined to clone the event
and transform a bit to use one copy with @timestamp
<https://github.com/timestamp> of the session start, and another copy
with @timestamp <https://github.com/timestamp> as session end. I
definitely have to think about this one more.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#352 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AlmSydhEcGm1bMZ648kirCjVR2YGC_pcks5vgJ8lgaJpZM4bY8ia>
.
|
|
A clarification on the timestamps. So in cases like this, where an event describes a longer lived phenomenon like a network flow, Then the start/end of the flow, if you have both (or one timestamp + a duration to compute the other timestamp) go to I find Visualizing long lived events like flows ordered by start time / end time can indeed be tricky. But you can sort searches based on any timestamp you have, and you can do time histograms based on any timestamp you have a well. But this means all of the searches / visualizations have to be adjusted to use |
|
Thanks for this reference material. It has been helpful. I just wanted to highlight three of the suggestions for additional fields made in the document:
I don't particularly care what they are named (the names with |
The attached Excel file proposes a logical mapping of pan_traffic and pan_threat logs to ECS 1.0.0-beta2.
The Palo Alto field definitions were obtained from:
As a reminder, in ECS, an inline firewall device takes the role of "observer" as shown below:
Notes:
ECS_Mapping_Examples_PAN_1.0.0-beta2.xlsx
Questions and/or feedback about the mappings, the value of such logical mappings, and whether or not such logical mappings might be useful as part of the repo in the future, are all welcome.
The text was updated successfully, but these errors were encountered: