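#This script will generate the JSON extractor needed to parse PAN-OS syslog into something useful in Graylog
#Strings are taken from https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions.html
#
#Output: one Graylog extractor-export document ({"extractors": [...], "version": "3.1.2"}) containing a
#split_and_index extractor per named PAN-OS field, for the TRAFFIC, THREAT, CONFIG and SYSTEM log types.
$PANOSVersion = "8.1"
$OutputPath = "C:\Temp\$PANOSVersion.json"

#Get the strings into objects
#Each string is the vendor's comma-separated field list, in message order. FUTURE_USE marks a reserved
#column that is present in the message but carries nothing worth extracting.
#Note the SYSTEM list spells field 5 "Content/Threat Type" where the others say "Threat/Content Type", so its
#Graylog field ends up as ContentThreatType rather than ThreatContentType; this mirrors the vendor doc and is kept as-is.
$TrafficString = "FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, SCTP Association ID, SCTP Chunks, SCTP Chunks Sent, SCTP Chunks Received"
$ThreatString = "FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, URL/Filename, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE, SCTP Association ID, Payload Protocol ID, HTTP Headers"
$ConfigString = "FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Before Change Detail, After Change Detail, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name"
$SystemString = "FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name"

#Declare the bits that go at the start and end
$Start = @"
{
"extractors": [
"@
$End = @"
],
"version": "3.1.2"
}
"@

#Turn one vendor field name into the Graylog field name used for both "title" and "target_field".
#Surrounding whitespace, spaces, slashes and underscores are dropped, then "IP" gets a leading underscore
#so "Source IP" becomes "Source_IP". String.Replace() is an ordinal, case-sensitive match, so only an
#upper-case "IP" is affected. "FUTURE_USE" collapses to "FUTUREUSE", which is the skip sentinel below.
function ConvertTo-FieldName {
    param(
        [Parameter(Mandatory)][string]$PanField
    )
    return $PanField.Trim().Replace(" ", "").Replace("/", "").Replace("_", "").Replace("IP", "_IP")
}

#Render the JSON for a single split_and_index extractor (no trailing comma; the caller joins entries).
#  $FieldName - Graylog field to write the value into (also used as the extractor title)
#  $Index     - position of the field in the comma-separated PAN-OS message; numbering starts at 1 here,
#               matching the original script. NOTE(review): confirm this against Graylog's split_and_index
#               indexing before relying on the field offsets.
#  $LogType   - TRAFFIC, THREAT, CONFIG or SYSTEM. The extractor runs only when ",$LogType," occurs in the
#               message. This is a substring condition, so a free-text field (URL, User Agent, Subject...)
#               that happens to contain ",THREAT," could trigger the wrong extractor set; keep that in mind
#               when a parsed event looks mis-attributed.
function New-ExtractorJson {
    param(
        [Parameter(Mandatory)][string]$FieldName,
        [Parameter(Mandatory)][int]$Index,
        [Parameter(Mandatory)][string]$LogType
    )
    return @"
{
"title": "$FieldName",
"extractor_type": "split_and_index",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "$FieldName",
"extractor_config": {
"index": $Index,
"split_by": ","
},
"condition_type": "string",
"condition_value": ",$LogType,"
}
"@
}

#Build every extractor for one log type and return them as an array of JSON strings.
#FUTURE_USE columns produce no extractor but still consume an index, because the column is still
#present in the syslog message and every later field must keep its real offset.
#  $FieldList - the vendor's comma-separated field list for this log type
#  $LogType   - value used in the extractor condition (",$LogType,")
function New-ExtractorSet {
    param(
        [Parameter(Mandatory)][string]$FieldList,
        [Parameter(Mandatory)][string]$LogType
    )
    $entries = @()
    $position = 1
    foreach ($rawField in $FieldList.Split(",")) {
        $fieldName = ConvertTo-FieldName -PanField $rawField
        if ($fieldName -ne "FUTUREUSE") {
            $entries += New-ExtractorJson -FieldName $fieldName -Index $position -LogType $LogType
        }
        $position++
    }
    return $entries
}

#Work out all the traffic, threat, config and system strings
$AllExtractors = @()
$AllExtractors += New-ExtractorSet -FieldList $TrafficString -LogType "TRAFFIC"
$AllExtractors += New-ExtractorSet -FieldList $ThreatString -LogType "THREAT"
$AllExtractors += New-ExtractorSet -FieldList $ConfigString -LogType "CONFIG"
$AllExtractors += New-ExtractorSet -FieldList $SystemString -LogType "SYSTEM"

#Mash everything together and kick it out as a file
#Entries are joined with "," so the array has no trailing comma before "]" (a trailing comma is not valid JSON
#and a strict importer may reject the file).
$Document = $Start + "`n" + ($AllExtractors -join ",`n") + "`n" + $End
#Out-File fails if the target directory is missing, so create it first (-Force is a no-op when it exists).
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $OutputPath) -Force
#Out-File writes with the host's default encoding (UTF-16LE on Windows PowerShell 5.1); pass -Encoding if the
#consumer needs something else.
$Document | Out-File $OutputPath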