Recoger registros de cortafuegos de Palo Alto Networks
Información general
En este documento se describe cómo puede configurar syslog y un reenviador de Google Security Operations para recoger los registros del cortafuegos de Palo Alto Networks. En este documento también se explica cómo se asignan los campos de registro del cortafuegos de Palo Alto Networks a los campos del modelo de datos unificado (UDM) de Google Security Operations.
Para obtener información general sobre la ingestión de datos en Google Security Operations, consulta el artículo Ingestión de datos en Google Security Operations.
Una etiqueta de ingestión identifica el analizador que normaliza los datos de registro sin procesar en formato UDM estructurado. La información de este documento se aplica al analizador con la etiqueta de ingestión PAN_FIREWALL.
Antes de empezar
Asegúrese de que el producto de firewall de Palo Alto Networks se haya implementado y configurado correctamente. Para obtener instrucciones de configuración detalladas, consulta la documentación de PAN-OS.
Para comprender los componentes implementados para recoger los registros del cortafuegos de Palo Alto Networks, consulta la arquitectura de implementación. Cada implementación de cliente puede ser diferente de esta representación y puede ser más compleja.
En el siguiente diagrama se muestra cómo puede configurar syslog en un firewall de Palo Alto Networks e instalar un reenviador de Google Security Operations en un servidor Linux para reenviar datos de registro a Google Security Operations. El analizador admite registros escritos en los siguientes formatos de datos: valores separados por comas (CSV), formato de evento común (CEF) y formato de evento de registro extendido (LEEF).
Verifica los formatos de registro y las versiones de PAN-OS que admite el analizador de Google Security Operations. En la siguiente tabla se indican los formatos de registro y las versiones de PAN-OS correspondientes que admite el analizador de Google Security Operations:
Formato de registro Versión de PAN-OS CSV 10.1.3 CEF 10.0.0 LEE 9.1.0 Verifica los tipos de registros de firewall de Palo Alto Networks que admite el analizador de Google Security Operations. El analizador de Google Security Operations admite los siguientes tipos de registros de cortafuegos de Palo Alto Networks:
- Tráfico
- Amenaza
- Envíos de WildFire
- Inspección de túneles
- Configuración
- Sistema
- Coincidencia de HIP
- Etiqueta IP
- User-ID
- Desencriptado
- Autenticación
- Filtrado de URLs
- Filtrado de datos
- GlobalProtect
- Correlación
- GTP
Para obtener más información sobre los tipos de registros de cortafuegos de Palo Alto Networks, consulta Tipos de registros de PAN-OS.
Asegúrate de que todos los sistemas de la arquitectura de implementación estén configurados en la zona horaria UTC.
Antes de usar el analizador de cortafuegos de Palo Alto Networks, consulta los cambios en las asignaciones de campos entre el analizador anterior y el actual analizador de cortafuegos de Palo Alto Networks. Como parte de la migración, asegúrate de que las reglas, las búsquedas, los paneles de control u otros procesos que dependan de los campos originales usen los campos actualizados.
Por ejemplo, en la versión anterior del analizador, el campo de registro
categoryse asigna al camposecurity_result.descriptionde UDM. En el analizador de cortafuegos de Palo Alto Networks actual, el campo de registrocategoryse asigna al camposecurity_result.category_detailsde UDM. Si migras al analizador de cortafuegos de Palo Alto Networks actual y usas el campocategoryen tus reglas, debes modificar las reglas para usar el camposecurity_result.category_detailsde UDM del analizador actual.
Configurar syslog y el reenviador de Google Security Operations
Para configurar syslog y el reenviador de Google Security Operations, sigue estos pasos:
Para monitorizar los registros CSV, configura el perfil del servidor syslog. Para obtener más información, consulta Configurar el perfil del servidor syslog.
Cuando configure el perfil del servidor syslog, especifique "Default" como formato de registro personalizado.
Para monitorizar los registros de CEF, configure el cortafuegos de Palo Alto Networks para que reenvíe los registros de CEF. Para obtener más información, descarga la guía de integración de CEF de PAN-OS en PDF y consulta la sección "Configuración de Palo Alto Networks NGFW para generar eventos CEF".
Para monitorizar los registros LEEF, configure el perfil del servidor syslog. Para obtener más información, consulte Reenvío de registros personalizados en formato LEEF.
Configura el reenviador de Google Security Operations para enviar registros a Google Security Operations. Para obtener más información, consulta Instalar y configurar el reenviador en Linux. A continuación, se muestra un ejemplo de configuración de un reenviador de Google Security Operations:
- syslog: common: enabled: true data_type: PAN_FIREWALL batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
Formatos de registro de cortafuegos de Palo Alto Networks admitidos
El analizador de cortafuegos de Palo Alto Networks admite registros en formato LEEF,CEF y CSV.
Registros de ejemplo de firewall de Palo Alto Networks admitidos
LEE
<14>Jan 22 02:20:19 device_host LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|10.2.12-h4|Microsoft MSOFFICE(52033)|ReceiveTime=2025/01/22 02:20:18|SerialNumber=01250100xxxx|cat=THREAT|Subtype=wildfire|devTime=Jan 22 2025 08:20:18 GMT|src=198.50.100.1|dst=198.50.100.2|srcPostNAT=198.50.100.3|dstPostNAT=198.50.100.4|RuleName=AZURE-US-NEW-CNF_Inbound_To_Azure-ALLOW|usrName=|SourceUser=|DestinationUser=|Application=smtp-base|VirtualSystem=vsys1|SourceZone=McD-Global-Zone|DestinationZone=Azure-Zone|IngressInterface=ae1.111|EgressInterface=ae2.409|LogForwardingProfile=Default-Traffic-Logging|SessionID=35331795|RepeatCount=1|srcPort=21578|dstPort=25|srcPostNATPort=0|dstPostNATPort=0|Flags=0x2000|proto=tcp|action=allow|Miscellaneous=\"......3...................xls\"|ThreatID=Microsoft MSOFFICE(52033)|URLCategory=malicious|sev=4|Severity=high|Direction=client-to-server|sequence=7462614601465681755|ActionFlags=0x8000000000000000|SourceLocation=198.50.100.1-198.50.100.255|DestinationLocation=United States|ContentType=|PCAP_ID=0|FileDigest=0ea04c99bf188c2e4207f60f92ca7c6f5088c7943ee63f45c50032bbd2bf7ea9|Cloud=demo.com|URLIndex=1|RequestMethod=|FileType=ms-office|Sender=sender@ab.myownpersonaldomain.com|Subject=\"............:.................................................................................-.........(Name)-2025-01-22...............:Y107202501220005, ............:........................, ...............:.........\"|Recipient=abc@demo.myownpersonaldomain.com|ReportID=117022282776|DeviceGroupHierarchyL1=143|DeviceGroupHierarchyL2=144|DeviceGroupHierarchyL3=39|DeviceGroupHierarchyL4=0|vSrcName=|DeviceName=device_host|SrcUUID=|DstUUID=|TunnelID=0|MonitorTag=|ParentSessionID=0|ParentStartTime=|TunnelType=N/A|ThreatCategory=N/A|ContentVer=WildFire-0CEF
14>1 2024-04-04T16:21:56+02:00 FW-PERIMETRAL-AVG-01 - - - - CEF:0|Palo Alto Networks|PAN-OS|10.1.10-h2|end|TRAFFIC|1|src=198.51.100.1 dst=198.51.100.2 srcTranslatedAddress=198.51.100.3 dstTranslatedAddress=198.51.100.4 rule=FW_USER_NATS2_APP suser= duser= app=bittorrent vs=vsys1 sz=INSIDE dz=EXTERNAL InboundInterface=ae2.2266 OutboundInterface=ae1 lp=log_forwarding sid=2935823 cnt=1 spt=6881 dpt=51413 srcTranslatedPort=0 dstTranslatedPort=0 flags=0x7a proto=udp act=allow tbytes=475 in=150 out=325 pkt=2 pktReceived=1 pktSent=1 start=Apr 04 2024 14:21:56 GMT stime=1206 urlcat=any externalId=externalId reason=aged-out DGl1=11 DGl2=161 DGl3=0 DGl4=0 VsysName=STONESOFT dvchost=FW-PERIMETRAL-AVG-01 cat=from-policy ActionFlags=0x8000000000000000 srcUUID= dstUUID= TunnelID=0 MonitorTag= ParentSessionID=0 ParentStartTime= TunnelType=N/A SCTPAssocID=0 SCTPChunks=0 SCTPChunkSent=0 SCTPChunksRcv=0 RuleUUID=746c3eb6-3d51-4679-8438-bd0e00e170a8 HTTP2Con=0 LinkChange=0 PolicyID= LinkDetail= SDWANCluster= SDWANDevice= SDWANClustype= SDWANSite= DynamicUsrgrp= XFFIP= srcDevCat= srcDevProf= srcDevModel= srcDevVendor= srcDevOS= srcDevOSv= srcHostname= srcMac= dstDevCat= dstDevProf= dstDevModel= dstDevVendor= dstDevOS= dstDevOSv= dstHostname= dstMac= ContainerName= PODNamespace= PODName= srcEDL= dstEDL= GPHostID= EPSerial= srcDAG= dstDAG= HASessionOwner= TimeHighRes=2024-04-04T16:21:56.250+02:00 ASServiceType= ASServiceDiff="CSV
1,2021/10/24 15:30:07,,CONFIG,0,2561,2021/10/24 15:30:07,198.51.100.0,,set,admin,Web,Succeeded, network virtual-router VR1,,VR1 { ecmp { algorithm { ip-modulo ; } } protocol { bgp { routing-options { graceful-restart { enable yes; } } enable no; } rip { enable no; } ospf { enable no; } ospfv3 { enable no; } } routing-table { ip { static-route { vr1-log { path-monitor { enable no; failure-condition any; hold-time 2; } nexthop { ip-address 198.51.100.0; } bfd { profile None; } interface ethernet1/1; metric 10; destination 0.0.0.0/0; route-table { unicast ; } } } } } interface [ ethernet1/1 ethernet1/2 ]; } ,7022390503849066572,0x0,0,0,0,0,,PA-VM,0,
Referencia de la asignación de campos: campos de registro de cortafuegos de PAN a campos de UDM
En esta sección se explica cómo asigna el analizador los campos de registro del cortafuegos de Palo Alto Networks a los campos de evento de UDM de Google Security Operations para cada tipo de registro.
La clave de la etiqueta de Google Security Operations hace referencia al nombre de la clave asignada al campo UDM Labels.key. Por ejemplo, en el caso del campo "Virtual System", el nombre del campo es "cs3" en formato CEF y "VirtualSystem" en formato LEEF. El campo de UDM "about.labels.key" contiene el valor "vsys" y el campo de UDM "about.labels.value" contiene el valor de ese campo.
Algunos de los nombres de campo de CEF o LEEF no tienen un nombre correspondiente a los nombres de campo del archivo CSV. En estos casos, si añade su propio nombre de variable en el formato de registro personalizado del perfil de syslog, el analizador no lo asignará al campo UDM.
Consulta las siguientes secciones para obtener información sobre la asignación de cada tipo de registro:
- Sistema
- Configuración
- Amenaza o incendio forestal
- Tráfico
- ID de usuario
- Concordancia de HIP
- Etiqueta de IP
- Descifrado
- Túnel
- Autenticación
- URL
- Datos
- GlobalProtect
- Correlación
- GTP
Sistema
En la siguiente tabla se enumeran los campos de registro del tipo de registro del sistema y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Número de serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type se ha definido como "%{type} - %{subtype}". | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | metadata.product_event_type se ha definido como "%{type} - %{subtype}". | |
| Hora de generación (time_generated o cef-formatted-time_generated) | metadata.event_timestamp | |||
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de evento (eventid) | gato | eventid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Objeto (object) | fname | Nombre del archivo | objeto | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Módulo (module) | flexString2 | Módulo | module | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Gravedad (severity) | $number-of-severity(header) | Gravedad | security_result.severity y security_result.severity_details | |
| Descripción (opaca) | msg | msg | metadata.description | |
| principal_user_userid (este campo se extrae del campo msg) | principal.user.userid | |||
| principal_ip3 (este campo se extrae del campo msg) | principal.ip | |||
| Motivo (este campo se extrae del campo msg) | security_result.description | |||
| server_address (este campo se extrae del campo msg). | target.ip | |||
| server_profile (este campo se extrae del campo msg) | additional.fields.key y additional.fields.value.string_value | |||
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_1 a dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Marca de tiempo de alta resolución (high_res_timestamp) | anOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
Configuración
En la siguiente tabla se enumeran los campos de registro del tipo de registro de configuración y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Número de serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | metadata.product_event_type | ||
| Hora de generación (time_generated o cef-formatted-time_generated) | metadata.event_timestamp | |||
| Host (host) | shost | src | principal.ip/hostname | |
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Comando (cmd) | actuar | msg | cmd | metadata.description |
| Administrador (admin) | duser | usrName | principal.user.userid | |
| Cliente (client) | destinationServiceName | client | principal.application | |
| Resultado (result) | ID de firma (encabezado)(motivo) | Resultado | security_result.summary | |
| Ruta de configuración (path) | msg | ConfigurationPath | principal.process.command_line | |
| Detalles del cambio anterior (before_change_detail) | cs1 | BeforeChangeDetail | before_change_detail | target.resource.attribute.labels.key/value |
| Detalle del cambio (after_change_detail) | cs2 | AfterChangeDetail | after_change_detail | target.resource.attribute.labels.key/value |
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_1 a dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Grupo de dispositivos (dg_id) | PanOSFWDeviceGroup | dg_id | principal.asset.attribute.labels.key/value | |
| Comentario de auditoría (comment) | PanOSPolicyAuditComment | comentario | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Gravedad (severity) | number-of-severity(header) | security_result.severity y security_result.severity_details |
Threat/WildFire
En la tabla siguiente se enumeran los campos de registro del tipo de registro Threat/WildFire y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Número de serie | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | cat/subtype (encabezado) | Subtipo | metadata.product_event_type | |
| Generar hora (time_generated o cef-formatted-time_generated) | metadata.event_timestamp | |||
| Dirección de origen (src) | src | src | principal.ip | |
| Dirección de destino (dst) | dst | dst | target.ip | |
| IP de origen de NAT (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| IP de destino de NAT (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Nombre de la regla | cs1 | RuleName | security_result.rule_name | |
| Usuario de origen (srcuser) | suser | SourceUser/usrName | principal.user.userid | |
| Usuario de destino (dstuser) | duser | DestinationUser | target.user.userid | |
| Aplicación | aplicación | Aplicación | target.application | |
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de origen (desde) | cs4 | SourceZone | de | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de destino | cs5 | DestinationZone | a | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de entrada (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de salida (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Registrar acción (logset) | cs6 | LogForwardingProfile | logset | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de sesión (sessionid) | cn1 | SessionID | network.session_id | |
| Número de repeticiones (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Puerto de origen (sport) | spt | srcPort | principal.port | |
| Puerto de destino (dport) | dpt | dstPort | target.port | |
| Puerto de origen de NAT (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| Puerto de destino de NAT (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Marcas (flags) | flexString1 | Banderas | flags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Protocolo IP (proto) | proto | proto | network.ip_protocol | |
| Acción (action) | actuar | acción | security_result.action_details
security_result.action |
|
| URL o nombre de archivo (varios) | solicitud | Varios | target.file.full_path (si el subtipo es "file", "virus", "wildfire-virus" o "wildfire", el campo `misc` se asigna a target.file.full_path) target.url (si el subtipo es "url", el campo `misc` se asigna a target.url y target.hostname) target.hostname (si subtype es "spyware" o "vulnerability", el campo `misc` se asigna a target.file.full_path y target.url) |
|
| Nombre de la amenaza o del contenido (threatid) | gato | ThreatID | security_result.threat_name | |
| Categoría (category) | cs2 | URLCategory | security_result.category_details | |
| Gravedad (severity) | number-of-severity(header) | Gravedad | security_result.severity y security_result.severity_details | |
| Dirección (direction) | flexString2 | Dirección | network.direction | |
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| País de origen (srcloc) | SourceLocation | principal.location.country_or_region | ||
| País de destino (dstloc) | DestinationLocation | target.location.country_or_region | ||
| Tipo de contenido (contenttype) | ContentType | contenttype | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de PCAP (pcap_id) | fileId | PCAP_ID | pcap_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Resumen de archivos (filedigest) | fileHash | FileDigest | about.file.sha1/md5/sha256 | |
| Cloud (nube) | filePath | Nube | nube | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Índice de URLs (url_idx) | URLIndex | url_idx | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| User-agent (user_agent) | network.http.user_agent | |||
| Tipo de archivo (filetype) | fileType | FileType | about.file.mime_type | |
| X-Forwarded-For (XFF) | principal.ip | |||
| Referente (referer) | network.http.referral_url | |||
| Remitente (sender) | suid | Remitente | network.email.from | |
| Asunto (subject) | msg | Asunto | network.email.subject | |
| Destinatario | duid | Destinatario | network.email.to | |
| ID de informe (reportid) | oldFileId | ReportID | reportid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_1 a dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| UUID de VM de origen (src_uuid) | PanOSSrcUUID | SrcUUID | principal.user.product_object_id | |
| UUID de la VM de destino (dst_uuid) | PanOSDstUUID | DstUUID | target.user.product_object_id | |
| Método HTTP (http_method) | RequestMethod | network.http.method | ||
| ID de túnel/IMSI (tunnel_id/imsi) | PanOSTunnelID | TunnelID | tunnel_id/imsi | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Monitor Tag/IMEI (monitortag/imei) | PanOSMonitorTag | MonitorTag | monitortag/imei | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de sesión principal (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Hora de inicio de la sesión principal (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Tipo de túnel (tunnel) | PanOSTunnelType | TunnelType | túnel | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Categoría de amenaza (thr_category) | PanOSThreatCategory | ThreatCategory | thr_category | security_result.detection_fields.key/value |
| Versión del contenido (contentver) | PanOSContentVer | ContentVer | contentver | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de asociación SCTP (assoc_id) | PanOSAssocID | assoc_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de protocolo de carga útil (ppid) | PanOSPPID | ppid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Encabezados HTTP (http_headers) | PanOSHTTPHeader | http_headers | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista de categorías de URLs (url_category_list) | PanOSURLCatList | url_category_list | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| UUID de la regla (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| Conexión HTTP/2 (http2_connection) | PanOSHTTP2Con | http2_connection | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre del grupo de usuarios dinámico (dynusergroup_name) | PanDynamicUsrgrp | dynusergroup_name | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Dirección XFF (xff_ip) | PanXFFIP | principal.ip | ||
| Categoría del dispositivo de origen (src_category) | PanSrcDeviceCat | src_category | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Perfil del dispositivo de origen (src_profile) | PanSrcDeviceProf | src_profile | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Modelo del dispositivo de origen (src_model) | PanSrcDeviceModel | src_model | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Proveedor del dispositivo de origen (src_vendor) | PanSrcDeviceVendor | src_vendor | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Familia del SO del dispositivo de origen (src_osfamily) | PanSrcDeviceOS | src_osfamily | principal.asset.platform_software.platform principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Versión del SO del dispositivo de origen (src_osversion) | PanSrcDeviceOSv | principal.asset.software.version | ||
| Nombre de host de origen (src_host) | PanSrcHostname | principal.hostname | ||
| Dirección MAC de origen (src_mac) | PanSrcMac | principal.mac | ||
| Categoría del dispositivo de destino (dst_category) | PanDstDeviceCat | dst_category | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Perfil del dispositivo de destino (dst_profile) | PanDstDeviceProf | dst_profile | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Modelo del dispositivo de destino (dst_model) | PanDstDeviceModel | dst_model | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Proveedor del dispositivo de destino (dst_vendor) | PanDstDeviceVendor | dst_vendor | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Familia del SO del dispositivo de destino (dst_osfamily) | PanDstDeviceOS | dst_osfamily | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Versión del SO del dispositivo de destino (dst_osversion) | PanDstDeviceOSv | target.asset.software.version | ||
| Nombre de host de destino (dst_host) | PanDstHostname | target.hostname | ||
| Dirección MAC de destino (dst_mac) | PanDstMac | target.mac | ||
| ID de contenedor (container_id) | PanContainerName | container_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Espacio de nombres de POD (pod_namespace) | PanPODNamespace | pod_namespace | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre del POD (pod_name) | PanPODName | pod_name | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista dinámica externa de origen (src_edl) | PanSrcEDL | src_edl | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista dinámica externa de destino (dst_edl) | PanDstEDL | dst_edl | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de host (hostid) | PanGPHostID | hostid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Número de serie del dispositivo del usuario (serialnumber) | PanEPSerial | principal.asset.hardware.serial_number | ||
| EDL de dominio (domain_edl) | PanDomainEDL | domain_edl | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Grupo de direcciones dinámicas de origen (src_dag) | PanSrcDAG | principal.group.group_display_name | ||
| Grupo de direcciones dinámicas de destino (dst_dag) | PanDstDAG | target.group.group_display_name | ||
| Hash parcial (partial_hash) | PanPartialHash | partial_hash | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Marca de tiempo de alta resolución (high_res timestamp) | PanTimeHighRes | Marca de tiempo de alta resolución | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Motivo (reason) | PanReasonFilteringAction | reason | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Justificación (justification) | PanJustification | justificación | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Un tipo de servicio de segmento (nssai_sst) | PanASServiceType | nssai_sst | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Subcategoría de la aplicación (subcategory_of_app) | subcategory_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Categoría de la aplicación (category_of_app) | category_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Tecnología de la aplicación (technology_of_app) | technology_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Riesgo de la aplicación (risk_of_app) | risk_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Característica de la aplicación (characteristic_of_app) | characteristic_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Contenedor de aplicaciones (container_of_app) | container_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Aplicación SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Estado de sanción de la aplicación (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
Tráfico
En la siguiente tabla se enumeran los campos de registro del tipo de registro de tráfico y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Número de serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | cat/Type | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | metadata.product_event_type | |
| Hora de generación (time_generated o cef-formatted-time_generated) | start | metadata.event_timestamp | ||
| Dirección de origen (src) | src | src | principal.ip | |
| Dirección de destino (dst) | dst | dst | target.ip | |
| IP de origen de NAT (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| IP de destino de NAT (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Nombre de la regla | cs1 | RuleName | security_result.rule_name | |
| Usuario de origen (srcuser) | suser | SourceUser | principal.user.userid | |
| Usuario de destino (dstuser) | duser | DestinationUser | target.user.userid | |
| Aplicación | aplicación | Aplicación | target.application | |
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de origen (desde) | cs4 | SourceZone | de | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de destino | cs5 | DestinationZone | a | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de entrada (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de salida (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Registrar acción (logset) | cs6 | LogForwardingProfile | logset | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de sesión (sessionid) | cn1 | SessionID | network.session_id | |
| Número de repeticiones (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Puerto de origen (sport) | spt | srcPort | principal.port | |
| Puerto de destino (dport) | dpt | dstPort | target.port | |
| Puerto de origen de NAT (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| Puerto de destino de NAT (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Marcas (flags) | flexString1 | Banderas | flags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Protocolo IP (proto) | proto | proto | network.ip_protocol | |
| Acción (action) | actuar | acción | security_result.action_details
security_result.action |
|
| Bytes (bytes) | flexNumber1 | totalBytes | bytes | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Bytes enviados (bytes_sent) | en | srcBytes | network.sent_bytes | |
| Bytes recibidos (bytes_received) | out | dstBytes | network.received_bytes | |
| Paquetes | cn2 | totalPackets | paquetes | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Hora de inicio (start) | StartTime | start | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Tiempo transcurrido (elapsed) | cn3 | ElapsedTime | transcurrido | network.session_duration.seconds |
| Categoría (category) | cs2 | URLCategory | security_result.category/security_result.category_details | |
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| País de origen (srcloc) | SourceLocation | principal.location.country_or_region | ||
| País de destino (dstloc) | DestinationLocation | target.location.country_or_region | ||
| Paquetes enviados (pkts_sent) | PanOSPacketsSent | srcPackets | pkts_sent | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Paquetes recibidos (pkts_received) | PanOSPacketsReceived | dstPackets | pkts_received | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Motivo de finalización de la sesión (session_end_reason) | reason | SessionEndReason | security_result.summary | |
| Jerarquía de grupos de dispositivos 1 (dg_hier_level_1 a dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos 2 (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos 3 (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Fuente de la acción (action_source) | gato | ActionSource | action_source | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| UUID de VM de origen (src_uuid) | PanOSSrcUUID | SrcUUID | principal.asset.product_object_id | |
| UUID de la VM de destino (dst_uuid) | PanOSDstUUID | DstUUID | target.asset.product_object_id | |
| ID de túnel/IMSI (tunnelid/imsi) | PanOSTunnelID | TunnelID | tunnelid/imsi | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Monitor Tag/IMEI (monitortag/imei) | PanOSMonitorTag | MonitorTag | monitortag/imei | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de sesión principal (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Hora de inicio de la actividad principal (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Tipo de túnel (tunnel) | PanOSTunnelType | TunnelType | túnel | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de asociación SCTP (assoc_id) | PanOSSCTPAssocID | assoc_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Bloques SCTP (chunks) | PanOSSCTPChunks | trozos | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Fragmentos SCTP enviados (chunks_sent) | PanOSSCTPChunkSent | chunks_sent | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Fragmentos SCTP recibidos (chunks_received) | PanOSSCTPChunksRcv | chunks_received | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| UUID de la regla (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| Conexión HTTP/2 (http2_connection) | PanOSHTTP2Con | http2_connection | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Número de solapas de la aplicación (link_change_count) | PanLinkChange | link_change_count | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de política (policy_id) | PanPolicyID | policy_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Interruptores de enlace (link_switches) | PanLinkDetail | link_switches | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Clúster de SD-WAN (sdwan_cluster) | PanSDWANCluster | sdwan_cluster | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Tipo de dispositivo SD-WAN (sdwan_device_type) | PanSDWANDevice | sdwan_device_type | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Tipo de clúster de SD-WAN (sdwan_cluster_type) | PanSDWANClustype | sdwan_cluster_type | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Sitio de SD-WAN (sdwan_site) | PanSDWANSite | sdwan_site | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre del grupo de usuarios dinámico (dynusergroup_name) | PanDynamicUsrgrp | dynusergroup_name | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Dirección XFF (xff_ip) | PanXFFIP | principal.ip | ||
| Categoría del dispositivo de origen (src_category) | PanSrcDeviceCat | src_category | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Perfil del dispositivo de origen (src_profile) | PanSrcDeviceProf | src_profile | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Modelo del dispositivo de origen (src_model) | PanSrcDeviceModel | src_model | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Proveedor del dispositivo de origen (src_vendor) | PanSrcDeviceVendor | src_vendor | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Familia del SO del dispositivo de origen (src_osfamily) | PanSrcDeviceOS | principal.asset.platform_software.platform principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Versión del SO del dispositivo de origen (src_osversion) | PanSrcDeviceOSv | principal.asset.software.version | ||
| Nombre de host de origen (src_host) | PanSrcHostname | principal.hostname | ||
| Dirección MAC de origen (src_mac) | PanSrcMac | principal.mac | ||
| Categoría del dispositivo de destino (dst_category) | PanDstDeviceCat | dst_category | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Perfil del dispositivo de destino (dst_profile) | PanDstDeviceProf | dst_profile | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Modelo del dispositivo de destino (dst_model) | PanDstDeviceModel | dst_model | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Proveedor del dispositivo de destino (dst_vendor) | PanDstDeviceVendor | dst_vendor | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Familia del SO del dispositivo de destino (dst_osfamily) | PanDstDeviceOS | dst_osfamily | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Versión del SO del dispositivo de destino (dst_osversion) | PanDstDeviceOSv | target.asset.software.version | ||
| Nombre de host de destino (dst_host) | PanDstHostname | target.hostname | ||
| Dirección MAC de destino (dst_mac) | PanDstMac | target.mac | ||
| ID de contenedor (container_id) | PanContainerName | container_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Espacio de nombres de POD (pod_namespace) | PanPODNamespace | pod_namespace | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre del POD (pod_name) | PanPODName | pod_name | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista dinámica externa de origen (src_edl) | PanSrcEDL | src_edl | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista dinámica externa de destino (dst_edl) | PanDstEDL | dst_edl | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de host (hostid) | PanGPHostID | hostid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Número de serie del dispositivo del usuario (serialnumber) | PanEPSerial | principal.asset.hardware.serial_number | ||
| Grupo de direcciones dinámicas de origen (src_dag) | PanSrcDAG | principal.group.group_display_name | ||
| Grupo de direcciones dinámicas de destino (dst_dag) | PanDstDAG | target.group.group_display_name | ||
| Propietario de la sesión (session_owner) | PanHASessionOwner | session_owner | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Marca de tiempo de alta resolución (high_res_timestamp) | PanTimeHighRes | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Un tipo de servicio de segmento (nsdsai_sst) | PanASServiceType | nsdsai_sst | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Un diferenciador de segmento (nsdsai_sd) | PanASServiceDiff | nsdsai_sd | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Subcategoría de la aplicación (subcategory_of_app) | subcategory_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Categoría de la aplicación (category_of_app) | category_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Tecnología de la aplicación (technology_of_app) | technology_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Riesgo de la aplicación (risk_of_app) | security_result.severity | |||
| Característica de la aplicación (characteristic_of_app) | characteristic_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Contenedor de aplicaciones (container_of_app) | container_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Aplicación SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Estado de sanción de la aplicación (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Subcategoría de la aplicación (subcategory_of_app) | subcategory_of_app1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Gravedad (severity) | number-of-severity(header) | security_result.severity y security_result.severity_details |
User-ID
En la siguiente tabla se enumeran los campos de registro del tipo de registro user-id y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Número de serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | metadata.product_event_type | |
| Hora de generación (time_generated o cef-formatted-time_generated) | metadata.event_timestamp | |||
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| IP de origen (ip) | src | src | principal.ip | |
| Usuario (user) | duser | usrName | target.user.userid
target.administrative_domain target.user.email_addresses |
|
| Nombre de la fuente de datos (datasourcename) | cs4 | DataSourceName | datasourcename | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de evento (eventid) | EventID | eventid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Número de repeticiones (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Umbral de tiempo de espera (timeout) | cn3 | TimeoutThreshold | Tiempo de espera | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Puerto de origen (beginport) | spt | srcPort | principal.port | |
| Puerto de destino (endport) | dpt | dstPort | target.port | |
| Fuente de datos (datasource) | cs5 | DataSource | fuente de datos | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Tipo de fuente de datos (datasourcetype) | cs6 | DataSourceType | datasourcetype | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| ID de sistema virtual (vsys_id) | cn2 | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |
| Tipo de factor (factortype) | cs1 | FactorType | factortype | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Tiempo de finalización del factor (factorcompletiontime) | fin | FactorCompletionTime | factorcompletiontime | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Número de factor (factorno) | cn1 | FactorNumber | factorno | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Marcas de grupos de usuarios (ugflags) | PanOSUGFlags | ugflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Usuario por fuente (userbysource) | PanOSUserBySource | principal.user.userid
principal.administrative_domain principal.user.email_addresses |
||
| Marca de tiempo de alta resolución (high_res timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Gravedad (severity) | number-of-severity(header) | security_result.severity y security_result.severity_details |
Coincidencia de HIP
En la siguiente tabla se enumeran los campos de registro del tipo de registro de coincidencias de historial de IPs y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Número de serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | ||
| Hora de generación (time_generated o cef-formatted-time_generated) | start | startTime | metadata.event_timestamp | |
| Usuario de origen (srcuser) | suser | usrName | principal.user.userid | |
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del equipo (machinename) | shost | identHostName | principal.hostname | |
| Sistema operativo | cs2 | SO | principal.asset.platform_software.platform | |
| Dirección de origen (src) | src | identsrc | principal.ip | |
| HIP (matchname) | gato | HIP | matchname | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Número de repeticiones (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Tipo de HIP (matchtype) | ID de clase de evento del dispositivo (encabezado) | HIPType | matchtype | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| ID de sistema virtual (vsys_id) | cn2 | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |
| Dirección del sistema IPv6 (srcipv6) | c6a2 | srcipv6 | principal.asset.ip | |
| ID de host (hostid) | PanOSHostID | principal.asset.product_object_id | ||
| Número de serie del dispositivo del usuario (serialnumber) | PanOSEndpointSerialNumber | principal.asset.hardware.serial_number | ||
| Dirección MAC del dispositivo (mac) | PanOSEndpointMac | principal.asset.mac | ||
| Marca de tiempo de alta resolución (high_res_timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Gravedad (severity) | number-of-severity(header) | security_result.severity y security_result.severity_details |
Etiqueta de IP
En la siguiente tabla se enumeran los campos de registro del tipo de registro de etiquetas de IP y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Número de serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | metadata.product_event_type | |
| Hora de generación (time_generated o cef-formatted-time_generated) | GenerateTime | metadata.event_timestamp | ||
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| IP de origen (ip) | src | src | principal.ip | |
| Nombre de la etiqueta (tag_name) | PanOSTagName | TagName | tag_name | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de evento (event_id) | PanOSEventID | EventID | event_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Número de repeticiones (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Tiempo de espera (timeout) | PanOSTimeout | TimeoutThreshold | Tiempo de espera | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre de la fuente de datos (datasourcename) | PanOSDataSourceName | DataSourceName | datasourcename | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Tipo de fuente de datos (datasource_type) | PanOSDataSourceType | DataSource | datasource_type | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Subtipo de fuente de datos (datasource_subtype) | PanOSDataSourceSubType | DataSourceType | datasource_subtype | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOsVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| ID de sistema virtual (vsys_id) | cn2 | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |
| Marca de tiempo de alta resolución (high_res timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Gravedad (severity) | number-of-severity(header) | security_result.severity y security_result.severity_details |
Desencriptado
En la siguiente tabla se enumeran los campos de registro del tipo de registro de descifrado y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Número de serie (serial) | PanOSDeviceSN | intermediary.asset.hardware.serial_number | ||
| Tipo (type) | type (Header) | metadata.product_event_type | ||
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | metadata.product_event_type | ||
| Versión de configuración (config_ver) | PanOSConfigVersion | config_ver | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Hora de generación (time_generated) | PanOSLogTimeStamp | metadata.event_timestamp | ||
| Dirección de origen (src) | src | principal.ip | ||
| Dirección de destino (dst) | dst | target.ip | ||
| IP de origen de NAT (natsrc) | sourceTranslatedAddress | principa.nat_ip | ||
| IP de destino de NAT (natdst) | destinationTranslatedAddress | target.nat_ip | ||
| Rule (regla) | cs1 | security_result.rule_name | ||
| Usuario de origen (srcuser) | suser | principal.user.userid | ||
| Usuario de destino (dstuser) | duser | target.user.userid | ||
| Aplicación | aplicación | target.application | ||
| Sistema virtual (vsys) | cs3 | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Zona de origen (desde) | cs4 | de | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Zona de destino | cs5 | a | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Interfaz de entrada (inbound_if) | deviceInboundInterface | inbound_if | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Interfaz de salida (outbound_if) | deviceOutboundInterface | outbound_if | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Registrar acción (logset) | cs6 | logset | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Hora registrada (time_received) | PanOSTimeReceivedManagementPlane | - | ||
| ID de sesión (sessionid) | cn1 | network.session_id | ||
| Número de repeticiones (repeatcnt) | PanOSCountOfRepeats/RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Puerto de origen (sport) | spt | principal.port | ||
| Puerto de destino (dport) | dpt | target.port | ||
| Puerto de origen de NAT (natsport) | sourceTranslatedPort | principal.nat_port | ||
| Puerto de destino de NAT (natdport) | destinationTranslatedPort | target.nat_port | ||
| Marcas (flags) | flexString1 | flags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Protocolo IP (proto) | proto | network.ip_protocol | ||
| Acción (action) | actuar | security_result.action_details
security_result.action |
||
| Túnel | PanOSTunnel | túnel | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| UUID de VM de origen (src_uuid) | PanOSSourceUUID | principal.asset.asset_id | ||
| UUID de la VM de destino (dst_uuid) | PanOSDestinationUUID | target.asset.asset_id | ||
| UUID de la regla (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| Fase de cliente a firewall (hs_stage_c2f) | PanOSClientToFirewall | hs_stage_c2f | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Etapa de cortafuegos a servidor (hs_stage_f2s) | PanOSFirewallToServer | hs_stage_f2s | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Versión de TLS (tls_version) | PanOSTLSVersion | network.tls.version | ||
| Algoritmo de intercambio de claves (tls_keyxchg) | PanOSTLSKeyExchange | tls_keyxchg | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Algoritmo de cifrado (tls_enc) | PanOSTLSEncryptionAlgorithm | tls_enc | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Algoritmo hash (tls_auth) | PanOSTLSAuth | tls_auth | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre de la política (policy_name) | PanOSPolicyName | policy_name | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Curva elíptica (ec_curve) | PanOSEllipticCurve | network.tls.curve | ||
| Índice de errores (err_index) | PanOSErrorIndex | err_index | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Estado de root (root_status) | PanOSRootStatus | root_status | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Estado de la cadena (chain_status) | PanOSChainStatus | chain_status | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Tipo de proxy (proxy_type) | PanOSProxyType | proxy_type | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Número de serie del certificado (cert_serial) | PanOSCertificateSerial | network.tls.server.certificate.serial | ||
| Huella digital del certificado | PanOSFingerprint | network.tls.server.certificate.md5/sha1/sha256 | ||
| Fecha de inicio del certificado (notbefore) | PanOSTimeNotBefore | network.tls.server.certificate.not_before | ||
| Fecha de finalización del certificado (notafter) | PanOSTimeNotAfter | network.tls.server.certificate.not_after | ||
| Versión del certificado (cert_ver) | PanOSCertificateVersion | network.tls.server.certificate.version | ||
| Tamaño del certificado (cert_size) | PanOSCertificateSize | cert_size | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Longitud del nombre común (cn_len) | PanOSCommonNameLength | cn_len | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Longitud del nombre común del emisor (issuer_len) | PanOSIssuerNameLength | issuer_len | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Longitud del nombre común raíz (rootcn_len) | PanOSRootCNLength | rootcn_len | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Longitud de SNI (sni_len) | PanOSSNILength | sni_len | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Marcas de certificado (cert_flags) | PanOSCertificateFlags | cert_flags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre común del sujeto (cn) | PanOSCommonName | cn | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre común de la entidad emisora (issuer_cn) | PanOSIssuerCommonName | network.tls.server.certificate.issuer | ||
| Nombre común de la raíz (root_cn) | PanOSRootCommonName | root_cn | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Indicador del nombre del servidor
(sni) |
network.tls.client.server_name | |||
| Error (error) | PanOSErrorMessage | error | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de contenedor (container_id) | PanOSContainerID | container_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Espacio de nombres de POD (pod_namespace) | PanOSContainerNameSpace | pod_namespace | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre del POD (pod_name) | PanOSContainerName | pod_name | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista dinámica externa de origen (src_edl) | PanOSSourceEDL | src_edl | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista dinámica externa de destino (dst_edl) | PanOSDestinationEDL | dst_edl | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Grupo de direcciones dinámicas de origen (src_dag) | PanOSSourceDynamicAddressGroup | principal.group.group_display_name | ||
| Grupo de direcciones dinámicas de destino (dst_dag) | PanOSDestinationDynamicAddressGroup | target.group.group_display_name | ||
| Marca de tiempo de alta resolución (high_res_timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Categoría del dispositivo de origen (src_category) | PanOSSourceDeviceCategory | src_category | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Perfil del dispositivo de origen (src_profile) | PanOSSourceDeviceProfile | src_profile | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Modelo del dispositivo de origen (src_model) | PanOSSourceDeviceModel | src_model | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Proveedor del dispositivo de origen (src_vendor) | PanOSSourceDeviceVendor | src_vendor | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Familia del SO del dispositivo de origen (src_osfamily) | PanOSSourceDeviceOSFamily | principal.asset.platform_software.platform principal.labels.key y principal.labels.value |
||
| Versión del SO del dispositivo de origen (src_osversion) | PanOSSourceDeviceOSVersion | principal.asset.software.version | ||
| Nombre de host de origen (src_host) | PanOSSourceDeviceHost | principal.hostname | ||
| Dirección MAC de origen (src_mac) | PanOSSourceDeviceMac | principal.mac | ||
| Categoría del dispositivo de destino (dst_category) | PanOSDestinationDeviceCategory | dst_category | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Perfil del dispositivo de destino (dst_profile) | PanOSDestinationDeviceProfile | dst_profile | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Modelo del dispositivo de destino (dst_model) | PanOSDestinationDeviceModel | dst_model | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Proveedor del dispositivo de destino (dst_vendor) | PanOSDestinationDeviceVendor | dst_vendor | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Familia del SO del dispositivo de destino (dst_osfamily) | PanOSDestinationDeviceOSFamily | dst_osfamily | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Versión del SO del dispositivo de destino (dst_osversion) | PanOSDestinationDeviceOSVersion | target.asset.software.version | ||
| Nombre de host de destino (dst_host) | PanOSDestinationDeviceHost | target.hostname | ||
| Dirección MAC de destino (dst_mac) | PanOSDestinationDeviceMac | target.mac | ||
| Número de secuencia (seqno) | PanOSLogTypeSeqNo | metadata.product_log_id | ||
| Marcas de acción (actionflags) | PanOSActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Jerarquía de grupos de dispositivos (dg_hier_level_1) | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre del sistema virtual (vsys_name) | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|||
| Nombre del dispositivo (device_name) | intermediary.hostname | |||
| ID de sistema virtual (vsys_id) | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |||
| Subcategoría de la aplicación (subcategory_of_app) | subcategory_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Categoría de la aplicación (category_of_app) | category_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Tecnología de la aplicación (technology_of_app) | technology_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Riesgo de la aplicación (risk_of_app) | security_result.severity | |||
| Característica de la aplicación (characteristic_of_app) | characteristic_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Contenedor de aplicaciones (container_of_app) | container_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Aplicación SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Estado de sanción de la aplicación (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Gravedad (severity) | number-of-severity(header) | security_result.severity y security_result.severity_details |
Túnel
En la siguiente tabla se enumeran los campos de registro del tipo de registro de túnel y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Número de serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | metadata.product_event_type | |
| Hora de generación (time_generated o cef-formatted-time_generated) | metadata.event_timestamp | |||
| Dirección de origen (src) | src | src | principal.ip | |
| Dirección de destino (dst) | dst | dst | target.ip | |
| IP de origen de NAT (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| IP de destino de NAT (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Nombre de la regla | cs1 | RuleName | security_result.rule_name | |
| Usuario de origen (srcuser) | suser | SourceUser/usrName | principal.user.userid | |
| Usuario de destino (dstuser) | duser | DestinationUser | target.user.userid | |
| Aplicación | aplicación | Aplicación | network.application_protocol | |
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de origen (desde) | cs4 | SourceZone | de | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de destino | cs5 | DestinationZone | a | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de entrada (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de salida (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Registrar acción (logset) | cs6 | LogForwardingProfile | logset | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de sesión (sessionid) | cn1 | SessionID | network.session_id | |
| Número de repeticiones (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Puerto de origen (sport) | spt | srcPort | principal.port | |
| Puerto de destino (dport) | dpt | dstPort | target.port | |
| Puerto de origen de NAT (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| Puerto de destino de NAT (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Marcas (flags) | flexString1 | Banderas | flags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Protocolo IP (proto) | proto | proto | network.ip_protocol | |
| Acción (action) | actuar | acción | security_result.action_details
security_result.action |
|
| Gravedad (severity) | number-of-severity(header) | security_result.severity y security_result.severity_details | ||
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Ubicación de origen (srcloc) | principal.location.country_or_region | |||
| Ubicación de destino (dstloc) | target.location.country_or_region | |||
| Jerarquía de grupos de dispositivos (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| ID de túnel (tunnelid) | PanOSTunnelID | TunnelID | tunnelid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Etiqueta de monitor (monitortag) | PanOSMonitorTag | MonitorTag | monitortag | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de sesión principal (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Hora de inicio de la actividad principal (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Tipo de túnel (tunnel) | cs2 | TunnelType | túnel | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Bytes (bytes) | flexNumber1 | totalBytes | bytes | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Bytes enviados (bytes_sent) | en | srcBytes | network.sent_bytes | |
| Bytes recibidos (bytes_received) | out | dstBytes | network.received_bytes | |
| Paquetes | cn2 | totalPackets | paquetes | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Paquetes enviados (pkts_sent) | PanOSPacketsSent | srcPackets | pkts_sent | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Paquetes recibidos (pkts_received) | PanOSPacketsReceived | dstPackets | pkts_received | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Encapsulación máxima (max_encap) | flexNumber2 | MaximumEncapsulation | max_encap | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Protocolo desconocido (unknown_proto) | cfp1 | UnknownProtocol | unknown_proto | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Comprobación estricta (strict_check) | cfp2 | StrictChecking | strict_check | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Fragmento de túnel (tunnel_fragment) | PanOSTunnelFragment | TunnelFragment | tunnel_fragment | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Sesiones creadas (sessions_created) | cfp3 | SessionsCreated | sessions_created | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Sesiones cerradas (sessions_closed) | cfp4 | SessionsClosed | sessions_closed | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Motivo de finalización de la sesión (session_end_reason) | reason | SessionEndReason | security_result.summary | |
| Fuente de la acción (action_source) | gato | ActionSource | action_source | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Hora de inicio (start) | startTime | start | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Tiempo transcurrido (elapsed) | cn3 | ElapsedTime | transcurrido | network.session_duration.seconds |
| Regla de inspección de túneles (tunnel_insp_rule) | PanOSTunneInspectionRule | security_result.rule_name = "Tunnel Inspection Rule: %{PanOSTunnelInspectionRule}" | ||
| IP de usuario remoto (remote_user_ip) | PanOSRmtUserIP | target.ip | ||
| ID de usuario remoto (remote_user_id) | PanOSRmtUserID | remote_user_id | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| UUID de la regla de seguridad (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| ID de PCAP (pcap_id) | PanOSPcapID | pcap_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre del grupo de usuarios dinámico (dynusergroup_name) | PanDynamicUsrgrp | principal.group.group_display_name | ||
| Lista dinámica externa de origen (src_edl) | PanOSSourceEDL | src_edl | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista dinámica externa de destino (dst_edl) | PanOSDestinationEDL | dst_edl | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Marca de tiempo de alta resolución (high_res timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Un diferenciador de segmento (nssai_sd) | nssai_sd | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Un tipo de servicio de segmento (nssai_sd) | nssai_sd1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| ID de sesión PDU (pdu_session_id) | pdu_session_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Subcategoría de la aplicación (subcategory_of_app) | subcategory_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Categoría de la aplicación (category_of_app) | category_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Tecnología de la aplicación (technology_of_app) | technology_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Riesgo de la aplicación (risk_of_app) | risk_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Característica de la aplicación (characteristic_of_app) | characteristic_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Contenedor de aplicaciones (container_of_app) | container_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Aplicación SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Estado de sanción de la aplicación (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
Autenticación
En la siguiente tabla se enumeran los campos de registro del tipo de registro de autenticación y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Número de serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | metadata.product_event_type | |
| Hora de generación (time_generated o cef-formatted-time_generated) | metadata.event_timestamp | |||
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| IP de origen (ip) | src | src | principal.ip | |
| Usuario (user) | duser | usrName | target.user.userid | |
| Normalizar usuario (normalize_user) | cs2 | NormalizeUser | target.user.user_display_name | |
| Objeto (object) | fname | ObjectName | objeto | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Política de autenticación (authpolicy) | cs4 | AuthPolicy | authpolicy | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Número de repeticiones (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de autenticación (authid) | cn2 | AuthenticationID | authid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Proveedor (vendor) | flexString2 | Proveedor | vendor | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Registrar acción (logset) | cs6 | LogForwardingProfile | logset | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Perfil de servidor (serverprofile) | cs1 | ServerProfile | serverprofile | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Descripción (descendente) | PanOSDesc | AdditionalAuthInfo | security_result.description | |
| Tipo de cliente (clienttype) | cs5 | ClientType | clienttype | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Tipo de evento (event) | msg | msg | extensions.auth.auth_details | |
| Número de factor (factorno) | cn1 | FactorNumber | factorno | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| ID de sistema virtual (vsys_id) | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |||
| Protocolo de autenticación (authproto) | authproto | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| UUID de la regla (rule_uuid) | PanOSRuleUUID/RuleUUID | security_result.rule_id | ||
| Marca de tiempo de alta resolución (high_res_timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Categoría del dispositivo de origen (src_category) | PanOSSourceDeviceCategory | src_category | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Perfil del dispositivo de origen (src_profile) | PanOSSourceDeviceProfile | src_profile | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Modelo del dispositivo de origen (src_model) | PanOSSourceDeviceModel | src_model | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Proveedor del dispositivo de origen (src_vendor) | PanOSSourceDeviceVendor | src_vendor | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Familia del SO del dispositivo de origen (src_osfamily) | PanOSSourceDeviceOSFamily | principal.asset.platform_software.platform principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Versión del SO del dispositivo de origen (src_osversion) | PanOSSourceDeviceOSVersion | principal.asset.software.version | ||
| Nombre de host de origen (src_host) | PanOSSourceHostname | principal.hostname | ||
| Dirección MAC de origen (src_mac) | PanOSSourceMac | principal.asset.mac | ||
| Región | PanOSTrafficOriginRegion | principal.location.country_or_region | ||
| User-agent (user_agent) | PanOSHTTPUserAgent | network.http.user_agent | ||
| ID de sesión(sessionid) | PanOSTrafficSessionID | network.session_id | ||
| Gravedad (severity) | number-of-severity(header) | security_result.severity y security_result.severity_details |
URL
En la siguiente tabla se indican los campos de registro del tipo de registro de URL y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | metadata.product_event_type | |
| Generar hora | metadata.event_timestamp | |||
| Dirección de origen (src) | src | src | principal.ip | |
| Dirección de destino (dst) | dst | dst | target.ip | |
| IP de origen de NAT (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| IP de destino de NAT (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule (regla) | cs1 | RuleName | security_result.rule_name | |
| Usuario de origen (srcuser) | suser | SourceUser | principal.user.userid | |
| Usuario de destino (dstuser) | duser | DestinationUser | target.user.userid | |
| Aplicación | aplicación | Aplicación | network.application_protocol | |
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de origen (desde) | cs4 | SourceZone | de | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de destino | cs5 | DestinationZone | a | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de entrada (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de salida (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Registrar acción (logset) | cs6 | LogForwardingProfile | logset | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Tiempo registrado | time_logged | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| ID de sesión (sessionid) | cn1 | SessionID | network.session_id | |
| Número de repeticiones (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Puerto de origen (sport) | spt | srcPort | principal.port | |
| Puerto de destino (dport) | dpt | dstPort | target.port | |
| Puerto de origen de NAT (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| Puerto de destino de NAT (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Marcas (flags) | flexString1 | Banderas | flags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Protocolo IP (proto) | proto | proto | network.ip_protocol | |
| Acción (action) | actuar | acción | security_result.action_details
security_result.action |
|
| URL o nombre de archivo (varios) | Varios | target.file.full_path
target.url |
||
| Nombre de la amenaza o del contenido (threatid) | gato | ThreatID | security_result.threat_id | |
| Categoría (category) | cs2 | URLCategory | categoría | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Gravedad (severity) | number-of-severity (encabezado) | Gravedad | security_result.severity
security_result.severity_details |
|
| Dirección (direction) | flexString2 | Dirección | network.direction | |
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| País de origen (srcloc) | SourceLocation | principal.location.country_or_region | ||
| País de destino (dstloc) | DestinationLocation | target.location.country_or_region | ||
| contenttype (contenttype) | requestContext | ContentType | contenttype | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| pcap_id (pcap_id) | fileId | PCAP_ID | pcap_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| filedigest (filedigest) | FileDigest | about.file.sha1/md5/sha256 | ||
| nube (cloud) | Nube | nube | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| url_idx (url_idx) | URLIndex | url_idx | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| user_agent (user_agent) | requestClientApplication | UserAgent | network.http.user_agent | |
| filetype (filetype) | about.file.mime_type | |||
| xff (xff) | PanOSXForwarderfor | identSrc | xff | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Referente (referer) | PanOSReferer | Referencia | network.http.referral_url | |
| sender (remitente) | network.email.from | |||
| Asunto (subject) | Asunto | network.email.subject | ||
| destinatario (recipient) | network.email.to | |||
| reportid (reportid) | reportid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Nivel 1 de jerarquía de Gen. demanda (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nivel de jerarquía 2 de Gen. demanda (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nivel 3 de la jerarquía de Gen. demanda (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nivel de jerarquía 4 de Gen. demanda (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| file_url (file_url) | about.url | |||
| UUID de VM de origen (src_uuid) | SrcUUID | principal.asset.asset_id | ||
| UUID de la VM de destino (dst_uuid) | DstUUID | target.asset.asset_id | ||
| http_method (http_method) | requestMethod | RequestMethod | network.http.method | |
| ID de túnel o IMSI (tunnelid) | PanOSTunnelID | TunnelID | tunnelid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Monitor Tag/IMEI (monitortag) | PanOSMonitorTag | MonitorTag | monitortag | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de sesión principal (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Hora de inicio de la sesión principal (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Túnel | PanOSTunnelType | TunnelType | túnel | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| thr_category (thr_category) | PanOSThreatCategory | ThreatCategory | thr_category | security_result.detection_fields.key/value |
| contentver (contentver) | PanOSContentVer | ContentVer | contentver | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| sig_flags (sig_flags) | sig_flags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| ID de asociación SCTP (assoc_id) | PanOSAssocID | assoc_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de protocolo de carga útil (ppid) | PanOSPPID | ppid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| http_headers (http_headers) | PanOSHTTPHeader | http_headers | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista de categorías de URLs (url_category_list) | PanOSURLCatList | url_category_list | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| UUID de la regla (rule_uuid) | PanOSRuleUUID | rule_uuid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Conexión HTTP/2 (http2_connection) | PanOSHTTP2Con | http2_connection | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| dynusergroup_name (dynusergroup_name) | PanDynamicUsrgrp | dynusergroup_name | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Dirección XFF (xff_ip) | PanXFFIP | principal.ip | ||
| Categoría del dispositivo de origen (src_category) | PanSrcDeviceCat | src_category | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Perfil del dispositivo de origen (src_profile) | PanSrcDeviceProf | src_profile | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Modelo del dispositivo de origen (src_model) | PanSrcDeviceModel | src_model | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Proveedor del dispositivo de origen (src_vendor) | PanSrcDeviceVendor | src_vendor | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Familia del SO del dispositivo de origen (src_osfamily) | PanSrcDeviceOS | principal.asset.platform_software.platform principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Versión del SO del dispositivo de origen (src_osversion) | PanSrcDeviceOSv | principal.asset.software.version | ||
| Nombre de host de origen (src_host) | PanSrcHostname | src_host | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Dirección MAC de origen (src_mac) | PanSrcMac | principal.mac | ||
| Categoría del dispositivo de destino (dst_category) | PanDstDeviceCat | dst_category | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Perfil del dispositivo de destino (dst_profile) | PanDstDeviceProf | dst_profile | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Modelo del dispositivo de destino (dst_model) | PanDstDeviceModel | dst_model | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Proveedor del dispositivo de destino (dst_vendor) | PanDstDeviceVendor | dst_vendor | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Familia del SO del dispositivo de destino (dst_osfamily) | PanDstDeviceOS | target.asset.platform_software.platform
target.labels.key y target.labels.value |
||
| Versión del SO del dispositivo de destino (dst_osversion) | PanDstDeviceOSv | target.asset.software.version | ||
| Nombre de host de destino (dst_host) | PanPODNamespace | target.hostname | ||
| Dirección MAC de destino (dst_mac) | PanDstMac | target.mac | ||
| ID de contenedor (container_id) | PanContainerName | container_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Espacio de nombres de POD (pod_namespace) | PanPODNamespace | pod_namespace | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre del POD (pod_name) | PanPODName | pod_name | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista dinámica externa de origen (src_edl) | PanSrcEDL | src_edl | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista dinámica externa de destino (dst_edl) | PanDstEDL | dst_edl | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de host (hostid) | PanGPHostID | hostid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Número de serie (serialnumber) | PanEPSerial | principal.asset.hardware.serial_number | ||
| domain_edl (domain_edl) | PanDomainEDL | domain_edl | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Grupo de direcciones dinámicas de origen (src_dag) | PanSrcDAG | principal.group.group_display_name | ||
| Grupo de direcciones dinámicas de destino (dst_dag) | PanDstDAG | target.group.group_display_name | ||
| partial_hash (partial_hash) | PanPartialHash | partial_hash | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Marca de tiempo de alta resolución (high_res_timestamp) | PanTimeHighRes | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Motivo (reason) | PanReasonFilteringAction | reason | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Justificación (justification) | PanJustification | justificación | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| nssai_sst (nssai_sst) | PanASServiceType | nssai_sst | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Subcategoría de la aplicación (subcategory_of_app) | subcategory_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Categoría de la aplicación (category_of_app) | category_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Tecnología de la aplicación (technology_of_app) | technology_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Riesgo de la aplicación (risk_of_app) | risk_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Característica de la aplicación (characteristic_of_app) | characteristic_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Contenedor de la aplicación (container_of_app) | container_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Aplicación tunelizada (tunneled_app) | tunneled_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| SaaS de la aplicación (is_saas_of_app) | is_saas_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Estado sancionado de la aplicación (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
Datos
En la siguiente tabla se enumeran los campos de registro del tipo de registro de datos y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|
| Serie (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | gato | metadata.product_event_type | |
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | metadata.product_event_type | |
| Generar hora | metadata.event_timestamp | |||
| Dirección de origen (src) | src | src | principal.ip | |
| Dirección de destino (dst) | dst | dst | target.ip | |
| IP de origen de NAT (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| IP de destino de NAT (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule (regla) | cs1 | RuleName | security_result.rule_name | |
| Usuario de origen (srcuser) | suser | SourceUser | principal.user.userid | |
| Usuario de destino (dstuser) | duser | DestinationUser | target.user.userid | |
| Aplicación | aplicación | Aplicación | network.application_protocol | |
| Sistema virtual (vsys) | cs3 | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de origen (desde) | cs4 | SourceZone | de | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Zona de destino | cs5 | DestinationZone | a | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de entrada (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
| Interfaz de salida (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
| Registrar acción (logset) | cs6 | LogForwardingProfile | logset | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Tiempo registrado | time_logged | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| ID de sesión (sessionid) | cn1 | SessionID | network.session_id | |
| Número de repeticiones (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Puerto de origen (sport) | spt | srcPort | principal.port | |
| Puerto de destino (dport) | dpt | dstPort | target.port | |
| Puerto de origen de NAT (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| Puerto de destino de NAT (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Marcas (flags) | flexString1 | Banderas | flags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Protocolo IP (proto) | proto | proto | network.ip_protocol | |
| Acción (action) | actuar | acción | security_result.action_details
security_result.action |
|
| URL o nombre de archivo (varios) | Varios | target.file.full_path
target.url |
||
| Nombre de la amenaza o del contenido (threatid) | gato | ThreatID | security_result.threat_id | |
| Categoría (category) | cs2 | URLCategory | categoría | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Gravedad (severity) | number-of-severity (encabezado) | Gravedad | security_result.severity
security_result.severity_details |
|
| Dirección (direction) | flexString2 | Dirección | network.direction | |
| Número de secuencia (seqno) | externalId | secuencia | metadata.product_log_id | |
| Marcas de acción (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| País de origen (srcloc) | SourceLocation | principal.location.country_or_region | ||
| País de destino (dstloc) | DestinationLocation | target.location.country_or_region | ||
| contenttype (contenttype) | ContentType | contenttype | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| pcap_id (pcap_id) | fileId | PCAP_ID | pcap_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| filedigest (filedigest) | FileDigest | about.file.sha1/md5/sha256 | ||
| nube (cloud) | Nube | nube | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| url_idx (url_idx) | URLIndex | url_idx | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| user_agent (user_agent) | network.http.user_agent | |||
| filetype (filetype) | about.file.mime_type | |||
| xff (xff) | xff | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Referente (referer) | network.http.referral_url | |||
| sender (remitente) | network.email.from | |||
| Asunto (subject) | Asunto | network.email.subject | ||
| destinatario (recipient) | network.email.to | |||
| reportid (reportid) | reportid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Nivel 1 de jerarquía de Gen. demanda (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nivel de jerarquía 2 de Gen. demanda (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nivel 3 de la jerarquía de Gen. demanda (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nivel de jerarquía 4 de Gen. demanda (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Nombre del sistema virtual (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Nombre del dispositivo (device_name) | dvchost | DeviceName | intermediary.hostname | |
| file_url (file_url) | about.url | |||
| UUID de VM de origen (src_uuid) | SrcUUID | principal.asset.asset_id | ||
| UUID de la VM de destino (dst_uuid) | DstUUID | target.asset.asset_id | ||
| http_method (http_method) | RequestMethod | network.http.method | ||
| ID de túnel o IMSI (tunnelid) | PanOSTunnelID | TunnelID | tunnelid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Monitor Tag/IMEI (monitortag) | PanOSMonitorTag | MonitorTag | monitortag | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| ID de sesión principal (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Hora de inicio de la sesión principal (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| Túnel | PanOSTunnelType | TunnelType | túnel | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| thr_category (thr_category) | PanOSThreatCategory | ThreatCategory | thr_category | security_result.detection_fields.key/value |
| contentver (contentver) | PanOSContentVer | ContentVer | contentver | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
| sig_flags (sig_flags) | sig_flags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| ID de asociación SCTP (assoc_id) | PanOSAssocID | assoc_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de protocolo de carga útil (ppid) | PanOSPPID | ppid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| http_headers (http_headers) | PanOSHTTPHeader | http_headers | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Lista de categorías de URLs (url_category_list) | url_category_list | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| UUID de la regla (rule_uuid) | PanOSRuleUUID | rule_uuid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Conexión HTTP/2 (http2_connection) | http2_connection | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| dynusergroup_name (dynusergroup_name) | dynusergroup_name | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Dirección XFF (xff_ip) | principal.ip | |||
| Categoría del dispositivo de origen (src_category) | src_category | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Perfil del dispositivo de origen (src_profile) | src_profile | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Modelo del dispositivo de origen (src_model) | src_model | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Proveedor del dispositivo de origen (src_vendor) | src_vendor | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Familia del SO del dispositivo de origen (src_osfamily) | principal.asset.platform_software.platform principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
|||
| Versión del SO del dispositivo de origen (src_osversion) | principal.asset.software.version | |||
| Nombre de host de origen (src_host) | src_host | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Dirección MAC de origen (src_mac) | principal.mac | |||
| Categoría del dispositivo de destino (dst_category) | dst_category | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Perfil del dispositivo de destino (dst_profile) | dst_profile | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Modelo del dispositivo de destino (dst_model) | dst_model | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Proveedor del dispositivo de destino (dst_vendor) | dst_vendor | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Familia del SO del dispositivo de destino (dst_osfamily) | target.asset.platform_software.platform
target.labels.key y target.labels.value |
|||
| Versión del SO del dispositivo de destino (dst_osversion) | target.asset.software.version | |||
| Nombre de host de destino (dst_host) | target.hostname | |||
| Dirección MAC de destino (dst_mac) | target.mac | |||
| ID de contenedor (container_id) | container_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Espacio de nombres de POD (pod_namespace) | pod_namespace | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Nombre del POD (pod_name) | pod_name | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Lista dinámica externa de origen (src_edl) | src_edl | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Lista dinámica externa de destino (dst_edl) | dst_edl | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
||
| ID de host (hostid) | hostid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Número de serie (serialnumber) | principal.asset.hardware.serial_number | |||
| domain_edl (domain_edl) | domain_edl | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Grupo de direcciones dinámicas de origen (src_dag) | principal.group.group_display_name | |||
| Grupo de direcciones dinámicas de destino (dst_dag) | target.group.group_display_name | |||
| partial_hash (partial_hash) | partial_hash | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Marca de tiempo de alta resolución (high_res_timestamp) | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|||
| Motivo (reason) | reason | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Justificación (justification) | justificación | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| nssai_sst (nssai_sst) | nssai_sst | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Subcategoría de la aplicación (subcategory_of_app) | subcategory_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Categoría de la aplicación (category_of_app) | category_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Tecnología de la aplicación (technology_of_app) | technology_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Riesgo de la aplicación (risk_of_app) | risk_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Característica de la aplicación (characteristic_of_app) | characteristic_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Contenedor de la aplicación (container_of_app) | container_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Aplicación tunelizada (tunneled_app) | tunneled_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| SaaS de la aplicación (is_saas_of_app) | is_saas_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Estado sancionado de la aplicación (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
GlobalProtect
En la siguiente tabla se enumeran los campos de registro del tipo de registro GlobalProtect y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time) | rt | received_time | metadata.event_timestamp | |
| Serie (serial) | PanOSDeviceSN | intermediary_asset_hardware_serial_number | intermediary.asset.hardware.serial_number | |
| Tipo (type) | type (Header) | metadata.product_event_type | ||
| Tipo de amenaza o contenido (subtipo) | subtipo (encabezado) | Subtipo | metadata.product_event_type | |
| Hora de generación (time_generated) | PanOSLogTimeStamp | generated_timestamp | metadata.event_timestamp | |
| Sistema virtual (vsys) | PanOSVirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| ID de evento (eventid) | PanOSEventID | event_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Fase (stage) | PanOSStage | fase | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Método de autenticación (auth_method) | PanOSAuthMethod | extension_auth_auth_details | extensions.auth.auth_details | |
| Tipo de túnel (tunnel_type) | PanOSTunnelType | túnel | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Usuario de origen (srcuser) | PanOSSourceUserName | src_user | principal.user.email_address
principal.user.userid principal.administrative_domain |
|
| Región de origen (srcregion) | PanOSSourceRegion | src_region | principal.location.country_or_region | |
| Nombre del equipo (machinename) | PanOSEndpointDeviceName | machine_name | principal.hostname | |
| IP pública (public_ip) | PanOSPublicIPv4 | principal.nat_ip | ||
| IPv6 pública (public_ipv6) | PanOSPublicIPv6 | principal.nat_ip | ||
| IP privada (private_ip) | PanOSPrivateIPv4 | principal.ip | ||
| IPv6 privada (private_ipv6) | PanOSPrivateIPv6 | principal.ip | ||
| ID de host (hostid) | PanOSHostID | hostid | principal.asset.asset_id | |
| Número de serie (serialnumber) | PanOSDeviceSN | principal.asset.hardware.serial_number | ||
| Versión de cliente (client_ver) | PanOSGlobalProtectClientVersion | client_ver | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Sistema operativo del cliente (client_os) | PanOSEndpointOSType | principal.asset.platform_software.platform(enum) | ||
| Versión del SO del cliente (client_os_ver) | PanOSEndpointOSVersion | principal.asset.platform_software.platform_version | ||
| Número de repeticiones (repeatcnt) | PanOSCountOfRepeats | repeatcnt | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Motivo (reason) | PanOSQuarantineReason | security_result.summary | ||
| Error (error) | PanOSConnectionError | error | security_result.description | |
| Descripción (opaca) | PanOSDescription | security_result.description | ||
| Estado (status) | PanOSEventStatus | status | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Ubicación (location) | PanOSGPGatewayLocation | target.location.country_or_region | ||
| Duración de inicio de sesión (login_duration) | PanOSLoginDuration | network.session_duration | ||
| Método de conexión (connect_method) | PanOSConnectionMethod | connect_method | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Código de error (error_code) | PanOSConnectionErrorID | error_code | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Portal (portal) | PanOSPortal | portal | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Número de secuencia (seqno) | PanOSSequenceNo | metadata.product_log_id | ||
| Marcas de acción (actionflags) | PanOSActionFlags | actionflags | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Marca de tiempo de alta resolución (high_res_timestamp) | anOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
||
| Método de selección de pasarela (selection_type) | PanOSGatewaySelectionType | selection_type | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Tiempo de respuesta de SSL (response_time) | PanOSSSLResponseTime | response_time | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Prioridad de la pasarela (priority) | PanOSGatewayPriority | prioridad | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Pasarelas intentadas (attempted_gateways) | PanOSAttemptedGateways | attempted_gateways | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Nombre de la pasarela (gateway) | PanOSAttemptedGateways | pasarela | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Jerarquía de grupos de dispositivos (dg_hier_level_1) | dg_hier_level_1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Jerarquía de grupos de dispositivos (dg_hier_level_2) | dg_hier_level_2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Jerarquía de grupos de dispositivos (dg_hier_level_3) | dg_hier_level_3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Jerarquía de grupos de dispositivos (dg_hier_level_4) | dg_hier_level_4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Nombre del sistema virtual (vsys_name) | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|||
| Nombre del dispositivo (device_name) | target.hostname | |||
| ID de sistema virtual (vsys_id) | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |||
| Gravedad (severity) | number-of-severity(header) | security_result.severity y security_result.severity_details |
Correlación
En la siguiente tabla se indican los campos de registro del tipo de registro de correlación y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de generación (time_generated o cef-formatted-time_generated) | startTime | generated_timestamp | metadata.event_timestamp | |
| Dirección de origen (src) | src | principal.ip | ||
| Usuario de origen (srcuser) | SourceUser/usrName | principal.user.userid | ||
| Sistema virtual (vsys) | VirtualSystem | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
|
| Categoría (category) | security_result.category_details | |||
| Gravedad (severity) | Gravedad | security_result.severity y security_result.severity_details | ||
| Nivel 1 de la jerarquía de grupos de dispositivos | DeviceGroupHierarchyL1 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Nivel 2 de la jerarquía de grupos de dispositivos | DeviceGroupHierarchyL2 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Nivel 3 de la jerarquía de grupos de dispositivos | DeviceGroupHierarchyL3 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Nivel 4 de la jerarquía de grupos de dispositivos | DeviceGroupHierarchyL4 | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Nombre del sistema virtual (vsys_name) | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
||
| Nombre del dispositivo (device_name) | DeviceName | intermediary.hostname | ||
| ID de sistema virtual (vsys_id) | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | ||
| Nombre del objeto (objectname) | ObjectName | target.resource.name | ||
| ID de objeto (object_id) | ObjectID | target.resource.product_object_id |
GTP
En la siguiente tabla se enumeran los campos de registro del tipo de registro gtp y sus campos de UDM correspondientes.
| Campo de CSV | Campo CEF | Campo LEEF | Clave de etiqueta de Google Security Operations | Campo de UDM |
|---|---|---|---|---|
| Hora de recepción (receive_time o cef-formatted-receive_time) | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|||
| Número de serie (serial) | intermediary.asset.hardware.serial_number | |||
| Tipo (type) | metadata.product_event_type | |||
| Tipo de amenaza o contenido (subtipo) | metadata.product_event_type | |||
| Hora de generación (time_generated o cef-formatted-time_generated) | metadata.event_timestamp | |||
| Dirección de origen (src) | principal.ip | |||
| Dirección de destino (dst) | target.ip | |||
| Nombre de la regla | security_result.rule_name | |||
| Aplicación | network.application_protocol | |||
| Sistema virtual (vsys) | vsys | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Zona de origen (desde) | de | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Zona de destino | a | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Interfaz de entrada (inbound_if) | inbound_if | principal.labels.key y principal.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Interfaz de salida (outbound_if) | outbound_if | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Registrar acción (logset) | logset | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| ID de sesión (sessionid) | network.session_id | |||
| Puerto de origen (sport) | principal.port | |||
| Puerto de destino (dport) | target.port | |||
| Protocolo IP (proto) | network.ip_protocol | |||
| Acción (action) | security_result.action_details
security_result.action |
|||
| Tipo de evento de GTP (event_type) | gtp_event_type | additional.fields.key y additional.fields.value.string_value | ||
| MSISDN (msisdn) | msisdn | additional.fields.key y additional.fields.value.string_value | ||
| Nombre de punto de acceso (APN) | apn | additional.fields.key y additional.fields.value.string_value | ||
| Tecnología de acceso radioeléctrico (RAT) | rata | additional.fields.key y additional.fields.value.string_value | ||
| Tipo de mensaje de GTP (msg_type) | gtp_msg_type | additional.fields.key y additional.fields.value.string_value | ||
| Dirección IP final (end_ip_adr) | principal.ip | |||
| Identificador de endpoint de túnel 1 (teid1) | teid1 | additional.fields.key y additional.fields.value.string_value | ||
| Identificador de endpoint de túnel 2 (teid2) | teid2 | additional.fields.key y additional.fields.value.string_value | ||
| Interfaz GTP (gtp_interface) | gtp_interface | additional.fields.key y additional.fields.value.string_value | ||
| Causa de GTP (cause_code) | gtp_cause_code | additional.fields.key y additional.fields.value.string_value | ||
| Gravedad (severity) | security_result.severity y security_result.severity_details | |||
| Serving Network MCC (mcc) | mcc | additional.fields.key y additional.fields.value.string_value | ||
| Serving Network MNC (mnc) | mnc | additional.fields.key y additional.fields.value.string_value | ||
| Prefijo (area_code) | area_code | additional.fields.key y additional.fields.value.string_value | ||
| ID de celda (cell_id) | cell_id | additional.fields.key y additional.fields.value.string_value | ||
| Código de evento de GTP (event_code) | event_code | additional.fields.key y additional.fields.value.string_value | ||
| Ubicación de origen (srcloc) | principal.location.country_or_region | |||
| Ubicación de destino (dstloc) | target.location.country_or_region | |||
| ID de túnel o IMSI (imsi) | tunnelid | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Monitor Tag/IMEI (imei) | monitortag | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Hora de inicio (start) | start | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Tiempo transcurrido (elapsed) | network.session_duration.seconds | |||
| Regla de inspección de túnel (tunnel_insp_rule) | tunnel_insp_rule | security_result.detection_fields.key/value | ||
| IP de usuario remoto (remote_user_ip) | target.ip | |||
| ID de usuario remoto (remote_user_id) | remote_user_id | target.labels.key y target.labels.value additional.fields.key y additional.fields.value.string_value |
||
| UUID de la regla (rule_uuid) | security_result.rule_id | |||
| ID de PCAP (pcap_id) | pcap_id | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Marca de tiempo de alta resolución (high_res_timestamp) | metadata.collected_timestamp,
metadata.event_timestamp (si no se incluye "Generate Time") |
|||
| Un tipo de servicio de segmento (nsdsai_sst) | nsdsai_sst | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Un diferenciador de segmento (nsdsai_sd) | nsdsai_sd | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Subcategoría de la aplicación (subcategory_of_app) | subcategory_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Categoría de la aplicación (category_of_app) | category_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Tecnología de la aplicación (technology_of_app) | technology_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Riesgo de la aplicación (risk_of_app) | risk_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Característica de la aplicación (characteristic_of_app) | characteristic_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Contenedor de aplicaciones (container_of_app) | container_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Aplicación SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
||
| Estado de sanción de la aplicación (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key y about.labels.value additional.fields.key y additional.fields.value.string_value |
Referencia de asignación de campos: tipos de registro a tipos de evento de UDM
En la siguiente tabla se enumeran los tipos de registros de firewall de Palo Alto Networks y sus tipos de eventos de UDM correspondientes.
| Tipo de registro | Tipo de evento de UDM |
| Tráfico | NETWORK_CONNECTION |
| Amenaza | NETWORK_CONNECTION |
| Filtrado de URLs | NETWORK_CONNECTION |
| WildFire | NETWORK_CONNECTION
Los registros de envíos de WildFire son un subtipo de registro de amenazas y usan el mismo formato syslog. |
| Filtrado de datos | NETWORK_CONNECTION |
| Túnel | NETWORK_CONNECTION |
| GTP | NETWORK_CONNECTION |
| Configuración | SETTING_MODIFICATION/SETTING_CREATION/SETTING_DELETION/SETTING_UNCATEGORIZED
El valor del campo "Command (cmd)" determina la asignación del tipo de evento de UDM. Si el valor del campo cmd es add o clone, se define SETTING_CREATION. Si el valor del campo cmd es delete, se asigna SETTING_DELETION. Si el valor del campo cmd es edit, move, rename, set o commit, se define SETTING_MODIFICATION. Si el valor del campo cmd no contiene ningún valor, se asigna SETTING_UNCATEGORIZED. |
| Sistema |
Si el valor de subtype es "dhcp", se define NETWORK_DHCP. Si el valor de subtype es "auth", se define USER_LOGIN. Si el valor de la descripción es "logged in", se define USER_LOGIN. Si el valor de la descripción es "logged out", se define USER_LOGOUT. En el caso de otros valores del subtipo, se asigna GENERIC_EVENT. |
| Coincidencia de HIP | NETWORK_CONNECTION |
| Etiqueta de IP | GENERIC_EVENT |
| User-ID | USER_LOGIN/USER_LOGOUT/USER_UNCATEGORIZED
Si el valor de subtype es "login", se define USER_LOGIN. Si el valor de subtype es "logout", se define USER_LOGOUT. Si el subtipo no contiene ningún valor, se asigna USER_UNCATEGORIZED. |
| Desencriptado | NETWORK_CONNECTION |
| Autenticación | GENERIC_EVENT |
Siguientes pasos
¿Necesitas más ayuda? Recibe respuestas de los miembros de la comunidad y de los profesionales de Google SecOps.