Azure-Sentinel/Parsers/PAN_Parser.csl

// Palo Alto Networks
// Last Updated Date: June 3, 2020
//
// This parser parses Syslog events for Palo Alto Network event logs. (Mainly the Traffic, Threat, Trap, and OS logs)
// https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions.html
//
// Parser Notes:
// 1. This parser assumes logs are collected into the CommonSecurityLog table.
//
// Usage Instruction : 
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias.
// Functions usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. PAN_CL | take 10).
//
//
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks" 
| extend DeviceCustomNumber1 = coalesce(column_ifexists("FieldDeviceCustomNumber1", long(null)),DeviceCustomNumber1),
         DeviceCustomNumber2 = coalesce(column_ifexists("FieldDeviceCustomNumber2", long(null)),DeviceCustomNumber2),
         DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3),
         ExternalID = coalesce(column_ifexists("ExtID", ""),tostring(ExternalID))
| extend AdditionalExtensions = replace(@"$", @";", AdditionalExtensions)
| extend PanOSPacketsReceived = extract(@"PanOSPacketsReceived=(.*?);", 1, AdditionalExtensions),
    PanOSPacketsSent = extract(@"PanOSPacketsSent=(.*?);", 1, AdditionalExtensions),
    start = extract(@"start=(.*?);", 1, AdditionalExtensions),
    reason = extract(@"reason=(.*?);", 1, AdditionalExtensions),
    PanOSDGl1 = extract(@"PanOSDGl1=(.*?);", 1, AdditionalExtensions),
    PanOSDGl2 = extract(@"PanOSDGl2=(.*?);", 1, AdditionalExtensions),
    PanOSDGl3 = extract(@"PanOSDGl3=(.*?);", 1, AdditionalExtensions),
    PanOSDGl4 = extract(@"PanOSDGl4=(.*?);", 1, AdditionalExtensions),
    PanOSVsysName = extract(@"PanOSVsysName=(.*?);", 1, AdditionalExtensions),
    cat = extract(@"cat=(.*?);", 1, AdditionalExtensions),
    PanOSActionFlags = extract(@"PanOSActionFlags=(.*?);", 1, AdditionalExtensions),
    PanOSSrcUUID = extract(@"PanOSSrcUUID=(.*?);", 1, AdditionalExtensions),
    PanOSDstUUID = extract(@"PanOSDstUUID=(.*?);", 1, AdditionalExtensions),
    PanOSTunnelID = extract(@"PanOSTunnelID=(.*?);", 1, AdditionalExtensions),
    PanOSMonitorTag = extract(@"PanOSMonitorTag=(.*?);", 1, AdditionalExtensions),
    PanOSParentSessionID = extract(@"PanOSParentSessionID=(.*?);", 1, AdditionalExtensions),
    PanOSParentStartTime = extract(@"PanOSParentStartTime=(.*?);", 1, AdditionalExtensions),
    PanOSTunnelType = extract(@"PanOSTunnelType=(.*?);", 1, AdditionalExtensions),
    PanOSThreatCategory = extract(@"PanOSThreatCategory=(.*?);", 1, AdditionalExtensions),
    PanOSContentVer = extract(@"PanOSContentVer=(.*?);", 1, AdditionalExtensions),
    SessionID = DeviceCustomNumber1,
    Packets = DeviceCustomNumber2,
    ElapsedTimeInSeconds = DeviceCustomNumber3,
    Rule = DeviceCustomString1,
    Category = DeviceCustomString2,
    VirtualSystem = DeviceCustomString3,
    Src_Zone = DeviceCustomString4,
    Dest_Zone = DeviceCustomString5,
    LogProfile = DeviceCustomString6,
    TotalBytes = FlexNumber1,
    Flags = FlexString1
| extend start = coalesce(tostring(column_ifexists("StartTime",datetime(null))),start),
         reason = coalesce(column_ifexists("Reason",""),reason),
         cat = coalesce(column_ifexists("DeviceEventCategory",""),cat)
| project-away FlexString1Label, 
    FlexString1, 
    FlexNumber1Label, 
    FlexNumber1,
    DeviceCustomString6Label, 
    DeviceCustomString5Label, 
    DeviceCustomString4Label, 
    DeviceCustomString3Label, 
    DeviceCustomString2Label, 
    DeviceCustomString1Label, 
    DeviceCustomString1, 
    DeviceCustomString2, 
    DeviceCustomString3, 
    DeviceCustomString4, 
    DeviceCustomString5, 
    DeviceCustomString6, 
    DeviceCustomNumber1Label, 
    DeviceCustomNumber2Label, 
    DeviceCustomNumber3Label, 
    DeviceCustomNumber1, 
    DeviceCustomNumber2, 
    DeviceCustomNumber3, 
    AdditionalExtensions