
Graylog

This Integration is part of the Graylog Pack.#

Integration with Graylog to search for logs and events. This integration was integrated and tested with version 3.3.6 of Graylog.

Configure Graylog in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://serverurl:9000) | True |
| credentials | Username | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
| fetch_query | The query that is used to fetch events as incidents (Lucene syntax) | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

graylog-cluster-status#


Get the status of the nodes in the cluster.

Base Command#

graylog-cluster-status

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Graylog.ClusterStatus | String | Status of nodes in the Cluster |

Command Example#

!graylog-cluster-status

Context Example#

{
"Graylog": {
"ClusterStatus": {
"95ba5102-13c9-4520-ac75-c8736f206953": {
"cluster_id": "70a69af5-7368-4244-ac12-cf5b87c83ac2",
"codename": "Sloth Rocket",
"facility": "graylog-server",
"hostname": "graylog",
"is_processing": true,
"lb_status": "alive",
"lifecycle": "running",
"node_id": "95ba5102-13c9-4520-ac75-c8736f206953",
"operating_system": "Linux 4.15.0-118-generic",
"started_at": "2020-10-07T16:04:07.506Z",
"timezone": "UTC",
"version": "3.3.6+92fb41e"
}
}
}
}

Human Readable Output#

Results#

95ba5102-13c9-4520-ac75-c8736f206953
facility: graylog-server
codename: Sloth Rocket
node_id: 95ba5102-13c9-4520-ac75-c8736f206953
cluster_id: 70a69af5-7368-4244-ac12-cf5b87c83ac2
version: 3.3.6+92fb41e
started_at: 2020-10-07T16:04:07.506Z
hostname: graylog
lifecycle: running
lb_status: alive
timezone: UTC
operating_system: Linux 4.15.0-118-generic
is_processing: true

graylog-cluster-node-jvm#


Get the JVM status of a node in the cluster.

Base Command#

graylog-cluster-node-jvm

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| nodeId | Node ID of the cluster member | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Graylog.ClusterNodeJVM | String | JVM info of Node |

Command Example#

!graylog-cluster-node-jvm nodeId=95ba5102-13c9-4520-ac75-c8736f206953

Context Example#

{
"Graylog": {
"ClusterNodeJVM": {
"free_memory": {
"bytes": 387725360,
"kilobytes": 378638,
"megabytes": 369
},
"info": "Private Build 1.8.0_265 on Linux 4.15.0-118-generic",
"max_memory": {
"bytes": 1020067840,
"kilobytes": 996160,
"megabytes": 972
},
"node_id": "95ba5102-13c9-4520-ac75-c8736f206953",
"pid": "550",
"total_memory": {
"bytes": 1020067840,
"kilobytes": 996160,
"megabytes": 972
},
"used_memory": {
"bytes": 632342480,
"kilobytes": 617521,
"megabytes": 603
}
}
}
}

Human Readable Output#

Results#

free_memory: bytes: 387725360, kilobytes: 378638, megabytes: 369
info: Private Build 1.8.0_265 on Linux 4.15.0-118-generic
max_memory: bytes: 1020067840, kilobytes: 996160, megabytes: 972
node_id: 95ba5102-13c9-4520-ac75-c8736f206953
pid: 550
total_memory: bytes: 1020067840, kilobytes: 996160, megabytes: 972
used_memory: bytes: 632342480, kilobytes: 617521, megabytes: 603

graylog-cluster-inputstates#


Get the input states of the cluster. Besides the run state of each input, the returned message_input.attributes include the listener's bind address, port and TLS settings (tls_enable, tls_client_auth), so this output is also a quick way to audit which inputs accept plaintext.

Base Command#

graylog-cluster-inputstates

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Graylog.ClusterInputStates | String | Input states of the cluster |

Command Example#

!graylog-cluster-inputstates

Context Example#

{
"Graylog": {
"ClusterInputStates": {
"95ba5102-13c9-4520-ac75-c8736f206953": [
{
"detailed_message": null,
"id": "5f7433f60f4d9c360092a070",
"message_input": {
"attributes": {
"bind_address": "0.0.0.0",
"max_message_size": 2097152,
"number_worker_threads": 2,
"port": 5555,
"recv_buffer_size": 1048576,
"store_full_message": false,
"tcp_keepalive": false,
"tls_cert_file": "",
"tls_client_auth": "disabled",
"tls_client_auth_cert_file": "",
"tls_enable": false,
"tls_key_file": "",
"tls_key_password": "",
"use_null_delimiter": false
},
"content_pack": null,
"created_at": "2020-09-30T07:29:58.169Z",
"creator_user_id": "harri",
"global": true,
"id": "5f7433f60f4d9c360092a070",
"name": "Palo Alto Networks TCP (PAN-OS v9.x)",
"node": null,
"static_fields": {},
"title": "PAN-OS-input",
"type": "org.graylog.integrations.inputs.paloalto9.PaloAlto9xInput"
},
"started_at": "2020-10-07T16:04:28.814Z",
"state": "RUNNING"
}
]
}
}
}

Human Readable Output#

Results#

95ba5102-13c9-4520-ac75-c8736f206953
{'id': '5f7433f60f4d9c360092a070', 'state': 'RUNNING', 'started_at': '2020-10-07T16:04:28.814Z', 'detailed_message': None, 'message_input': {'title': 'PAN-OS-input', 'global': True, 'name': 'Palo Alto Networks TCP (PAN-OS v9.x)', 'content_pack': None, 'created_at': '2020-09-30T07:29:58.169Z', 'type': 'org.graylog.integrations.inputs.paloalto9.PaloAlto9xInput', 'creator_user_id': 'harri', 'attributes': {'recv_buffer_size': 1048576, 'tcp_keepalive': False, 'use_null_delimiter': False, 'number_worker_threads': 2, 'tls_client_auth_cert_file': '', 'bind_address': '0.0.0.0', 'tls_cert_file': '', 'store_full_message': False, 'port': 5555, 'tls_key_file': '', 'tls_enable': False, 'tls_key_password': '', 'max_message_size': 2097152, 'tls_client_auth': 'disabled'}, 'static_fields': {}, 'node': None, 'id': '5f7433f60f4d9c360092a070'}}

graylog-cluster-processing-status#


Show the processing status of the cluster (the timestamp of the last message each node ingested, processed and indexed).

Base Command#

graylog-cluster-processing-status

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Graylog.ClusterProcessingStatus | String | Processing status of the cluster |

Command Example#

!graylog-cluster-processing-status

Context Example#

{
"Graylog": {
"ClusterProcessingStatus": {
"95ba5102-13c9-4520-ac75-c8736f206953": {
"receive_times": {
"ingest": "2020-10-08T10:08:29.353Z",
"post_indexing": "2020-10-08T10:08:29.353Z",
"post_processing": "2020-10-08T10:08:29.353Z"
}
}
}
}
}

Human Readable Output#

Results#

95ba5102-13c9-4520-ac75-c8736f206953
receive_times: {"ingest": "2020-10-08T10:08:29.353Z", "post_processing": "2020-10-08T10:08:29.353Z", "post_indexing": "2020-10-08T10:08:29.353Z"}

graylog-indexer-cluster-health#


Get the health of the indexer (Elasticsearch) cluster: overall status and shard counts.

Base Command#

graylog-indexer-cluster-health

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Graylog.IndexerHealth | String | Health of Indexer |

Command Example#

!graylog-indexer-cluster-health

Context Example#

{
"Graylog": {
"IndexerHealth": {
"shards": {
"active": 20,
"initializing": 0,
"relocating": 0,
"unassigned": 0
},
"status": "green"
}
}
}

Human Readable Output#

Results#

shards: active: 20, initializing: 0, relocating: 0, unassigned: 0
status: green
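
The four cluster commands above return raw node, input, processing and indexer state; deciding whether the cluster is healthy is left to the playbook. The following Python is an added example (not part of the Graylog integration) that applies the checks a practitioner would want over that context: node lifecycle and load-balancer status, input state, ingest lag, indexer shard status, and whether a network input accepts plaintext. The sample dicts are trimmed copies of the Context Examples on this page; the lag threshold and the finding severities are assumptions.

```python
"""Added example (not the Graylog integration's own code): evaluate cluster
health from the context returned by graylog-cluster-status,
graylog-cluster-inputstates, graylog-cluster-processing-status and
graylog-indexer-cluster-health."""
from datetime import datetime, timedelta, timezone

# Constructed from the Context Examples on this page, trimmed to the fields used.
CLUSTER_STATUS = {
    "95ba5102-13c9-4520-ac75-c8736f206953": {
        "hostname": "graylog", "is_processing": True,
        "lb_status": "alive", "lifecycle": "running",
    }
}
INPUT_STATES = {
    "95ba5102-13c9-4520-ac75-c8736f206953": [
        {"state": "RUNNING", "detailed_message": None,
         "message_input": {
             "title": "PAN-OS-input", "global": True,
             "type": "org.graylog.integrations.inputs.paloalto9.PaloAlto9xInput",
             "attributes": {"bind_address": "0.0.0.0", "port": 5555,
                            "tls_enable": False, "tls_client_auth": "disabled"},
         }}
    ]
}
PROCESSING_STATUS = {
    "95ba5102-13c9-4520-ac75-c8736f206953": {
        "receive_times": {"ingest": "2020-10-08T10:08:29.353Z",
                          "post_processing": "2020-10-08T10:08:29.353Z",
                          "post_indexing": "2020-10-08T10:08:29.353Z"}
    }
}
INDEXER_HEALTH = {"status": "green",
                  "shards": {"active": 20, "initializing": 0,
                             "relocating": 0, "unassigned": 0}}


def parse_ts(value):
    """Graylog timestamps are ISO 8601 with a trailing Z; return an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_cluster(cluster_status, input_states, processing_status, indexer_health,
                  now, max_lag=timedelta(minutes=5)):
    """Return a list of (severity, message) findings; an empty list means healthy.
    Severities and the 5 minute lag threshold are assumptions, tune per deployment."""
    findings = []
    for node_id, node in cluster_status.items():
        if node.get("lifecycle") != "running" or node.get("lb_status") != "alive":
            findings.append(("high", f"node {node_id} lifecycle={node.get('lifecycle')} "
                                     f"lb_status={node.get('lb_status')}"))
        if not node.get("is_processing"):
            findings.append(("high", f"node {node_id} is not processing messages"))
    for node_id, states in input_states.items():
        for st in states:
            inp = st["message_input"]
            attrs = inp.get("attributes", {})
            if st.get("state") != "RUNNING":
                findings.append(("high", f"input '{inp['title']}' on {node_id} is "
                                         f"{st.get('state')}: {st.get('detailed_message')}"))
            # A network input with TLS switched off accepts plaintext log traffic from
            # anyone who can reach the port; inputs without a tls_enable attribute
            # (e.g. UDP) are not flagged.
            if "port" in attrs and not attrs.get("tls_enable", True):
                findings.append(("medium", f"input '{inp['title']}' listens on "
                                           f"{attrs.get('bind_address')}:{attrs['port']} without TLS"))
    for node_id, status in processing_status.items():
        for stage, ts in status["receive_times"].items():
            lag = now - parse_ts(ts)
            if lag > max_lag:
                findings.append(("medium", f"node {node_id} {stage} lags "
                                           f"{int(lag.total_seconds())}s behind"))
    shards = indexer_health.get("shards", {})
    if indexer_health.get("status") != "green" or shards.get("unassigned", 0) > 0:
        findings.append(("high", f"indexer status {indexer_health.get('status')} with "
                                 f"{shards.get('unassigned', 0)} unassigned shards"))
    return findings


if __name__ == "__main__":
    # Evaluate the sample as if it were read a few seconds after the last ingest.
    now = parse_ts("2020-10-08T10:08:35.000Z")
    for sev, msg in check_cluster(CLUSTER_STATUS, INPUT_STATES, PROCESSING_STATUS,
                                  INDEXER_HEALTH, now):
        print(f"[{sev}] {msg}")
```

Run against the page's own sample the only finding is the PAN-OS input listening on 0.0.0.0:5555 without TLS; evaluating the same processing status an hour later additionally reports all three receive_times stages as lagging, which is the signal that ingest has stalled.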

graylog-search#


Search for messages in a relative timerange, specified as seconds from now. Example: 300 means search from 5 minutes ago to now.

Base Command#

graylog-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Query (Lucene syntax) | Required |
| range | Relative timeframe to search in, as seconds from now. Default 300 | Optional |
| limit | Maximum number of messages to return. Default 20 | Optional |
| offset | Offset into the result set (integer), used to page past limit | Optional |
| filter | Filter to apply to the search | Optional |
| fields | Comma-separated list of fields to return | Optional |
| sort | Sorting (field:asc / field:desc) | Optional |
| decorate | Run decorators on the search result (default True) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Graylog.Search | String | Search results |

Command Example#

!graylog-search query=<query here>

Context Example#

{
"Graylog": {
"Search": {
"built_query": "{\n \"from\" : 0,\n \"size\" : 20,\n \"query\" : {\n \"bool\" : {\n \"must\" : [\n {\n \"query_string\" : {\n \"query\" : \"<query here>\",\n \"fields\" : [ ],\n \"use_dis_max\" : true,\n \"tie_breaker\" : 0.0,\n \"default_operator\" : \"or\",\n \"auto_generate_phrase_queries\" : false,\n \"max_determinized_states\" : 10000,\n \"allow_leading_wildcard\" : false,\n \"enable_position_increments\" : true,\n \"fuzziness\" : \"AUTO\",\n \"fuzzy_prefix_length\" : 0,\n \"fuzzy_max_expansions\" : 50,\n \"phrase_slop\" : 0,\n \"escape\" : false,\n \"split_on_whitespace\" : true,\n \"boost\" : 1.0\n }\n }\n ],\n \"filter\" : [\n {\n \"bool\" : {\n \"must\" : [\n {\n \"range\" : {\n \"timestamp\" : {\n \"from\" : \"2020-10-08 00:08:57.306\",\n \"to\" : \"2020-10-08 10:08:57.306\",\n \"include_lower\" : true,\n \"include_upper\" : true,\n \"boost\" : 1.0\n }\n }\n }\n ],\n \"disable_coord\" : false,\n \"adjust_pure_negative\" : true,\n \"boost\" : 1.0\n }\n }\n ],\n \"disable_coord\" : false,\n \"adjust_pure_negative\" : true,\n \"boost\" : 1.0\n }\n },\n \"sort\" : [\n {\n \"timestamp\" : {\n \"order\" : \"desc\"\n }\n }\n ]\n}",
"decoration_stats": null,
"fields": [
"event_received_time",
"pan_log_subtype",
"pan_dev_group_level_4",
"pan_dev_group_level_3",
"network_interface_out",
"source",
"pan_url_index",
"vendor_event_action",
"pan_dev_group_level_2",
"pan_dev_group_level_1",
"source_ip",
"host_virtfw_id",
"application_name",
"destination_ip",
"pan_ppid",
"alert_indicator",
"host_hostname",
"source_location_name",
"alert_signature_id",
"rule_name",
"source_zone",
"gl2_message_id",
"network_protocol",
"network_tunnel_type",
"alert_definitions_version",
"destination_nat_ip",
"pan_log_action",
"pan_http2",
"source_nat_ip",
"destination_nat_port",
"http_url_category",
"policy_uid",
"destination_port",
"pan_log_panorama",
"pan_tunnel_id",
"pan_alert_direction",
"vendor_alert_severity",
"event_uid",
"destination_location_name",
"source_port",
"event_log_name",
"event_repeat_count",
"timestamp",
"event_source_product",
"source_nat_port",
"destination_zone",
"session_id",
"message",
"alert_category",
"pan_parent_session_id",
"host_id",
"network_interface_in",
"pan_wildfire_report_id",
"pan_pcap_id",
"pan_flags",
"pan_assoc_id",
"pan_monitor_tag"
],
"from": "2020-10-08T00:08:57.306Z",
"messages": [
{
"decoration_stats": null,
"highlight_ranges": {},
"index": "graylog_0",
"message": {
"_id": "1acb0472-0923-11eb-a959-000c29d42d8e",
"alert_category": "news",
"alert_definitions_version": "AppThreat-0-0",
"alert_indicator": "<query here>/",
"alert_signature_id": "(9999)",
"application_name": "ssl",
"destination_ip": "aaa.aaa.aaa.aaa",
"destination_location_name": "United States",
"destination_nat_ip": "aaa.aaa.aaa.aaa",
"destination_nat_port": 443,
"destination_port": 443,
"destination_zone": "Untrust-L3",
"event_log_name": "THREAT",
"event_received_time": "2020/10/08 07:59:53",
"event_repeat_count": 1,
"event_source_product": "PAN",
"event_uid": "7665475",
"gl2_accounted_message_size": 2027,
"gl2_message_id": "ABCD",
"gl2_remote_ip": "bbb.bbb.bbb.bbb",
"gl2_remote_port": 51371,
"gl2_source_input": "5f7433f60f4d9c360092a070",
"gl2_source_node": "95ba5102-13c9-4520-ac75-c8736f206953",
"host_hostname": "PA-220",
"host_id": "ABCDEFGHIJK",
"host_virtfw_id": "vsys1",
"http_url_category": "news,low-risk",
"message": "1,2020/10/08 07:59:53,ABCDEFGHIJK,THREAT,url,2560,2020/10/08 07:59:53,ccc.ccc.ccc.ccc,aaa.aaa.aaa.aaa,ddd.ddd.ddd.ddd,aaa.aaa.aaa.aaa,FromTrust,,,ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/3,ethernet1/4,default,2020/10/08 07:59:53,23366,1,61323,443,48189,443,0x816400,tcp,alert,\"<query here>/\",(9999),news,informational,client-to-server,7665475,0xa000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\"news,low-risk\",4093544d-2f66-4d80-af2d-17f361609984,0,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2020-10-08T07:59:54.289+03:00,,,",
"network_interface_in": "ethernet1/3",
"network_interface_out": "ethernet1/4",
"network_protocol": "tcp",
"network_tunnel_type": "N/A",
"pan_alert_direction": "client-to-server",
"pan_assoc_id": 0,
"pan_dev_group_level_1": 0,
"pan_dev_group_level_2": 0,
"pan_dev_group_level_3": 0,
"pan_dev_group_level_4": 0,
"pan_flags": "0x816400",
"pan_http2": "0",
"pan_log_action": "default",
"pan_log_panorama": "0xa000000000000000",
"pan_log_subtype": "url",
"pan_monitor_tag": 0,
"pan_parent_session_id": "0",
"pan_pcap_id": "0",
"pan_ppid": 4294967295,
"pan_tunnel_id": "0",
"pan_url_index": 0,
"pan_wildfire_report_id": 0,
"policy_uid": "4093544d-2f66-4d80-af2d-17f361609984",
"rule_name": "FromTrust",
"session_id": 23366,
"source": "PA-220",
"source_ip": "ccc.ccc.ccc.ccc",
"source_location_name": "192.168.0.0-192.168.255.255",
"source_nat_ip": "ddd.ddd.ddd.ddd",
"source_nat_port": 48189,
"source_port": 61323,
"source_zone": "Trust-L3",
"streams": [
"000000000000000000000001"
],
"timestamp": "2020-10-08T04:59:55.169Z",
"vendor_alert_severity": "informational",
"vendor_event_action": "alert"
}
},
{
"decoration_stats": null,
"highlight_ranges": {},
"index": "graylog_0",
"message": {
"_id": "1acb0470-0923-11eb-a959-000c29d42d8e",
"alert_category": "news",
"alert_definitions_version": "AppThreat-0-0",
"alert_indicator": "<query here>/",
"alert_signature_id": "(9999)",
"application_name": "ssl",
"destination_ip": "aaa.aaa.aaa.aaa",
"destination_location_name": "United States",
"destination_nat_ip": "aaa.aaa.aaa.aaa",
"destination_nat_port": 443,
"destination_port": 443,
"destination_zone": "Untrust-L3",
"event_log_name": "THREAT",
"event_received_time": "2020/10/08 07:59:53",
"event_repeat_count": 1,
"event_source_product": "PAN",
"event_uid": "7665473",
"gl2_accounted_message_size": 2027,
"gl2_message_id": "ABCD",
"gl2_remote_ip": "bbb.bbb.bbb.bbb",
"gl2_remote_port": 51371,
"gl2_source_input": "5f7433f60f4d9c360092a070",
"gl2_source_node": "95ba5102-13c9-4520-ac75-c8736f206953",
"host_hostname": "PA-220",
"host_id": "ABCDEFGHIJK",
"host_virtfw_id": "vsys1",
"http_url_category": "news,low-risk",
"message": "1,2020/10/08 07:59:53,ABCDEFGHIJK,THREAT,url,2560,2020/10/08 07:59:53,ccc.ccc.ccc.ccc,aaa.aaa.aaa.aaa,ddd.ddd.ddd.ddd,aaa.aaa.aaa.aaa,FromTrust,,,ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/3,ethernet1/4,default,2020/10/08 07:59:53,24085,1,61322,443,29959,443,0x816400,tcp,alert,\"<query here>/\",(9999),news,informational,client-to-server,7665473,0xa000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\"news,low-risk\",4093544d-2f66-4d80-af2d-17f361609984,0,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2020-10-08T07:59:54.289+03:00,,,",
"network_interface_in": "ethernet1/3",
"network_interface_out": "ethernet1/4",
"network_protocol": "tcp",
"network_tunnel_type": "N/A",
"pan_alert_direction": "client-to-server",
"pan_assoc_id": 0,
"pan_dev_group_level_1": 0,
"pan_dev_group_level_2": 0,
"pan_dev_group_level_3": 0,
"pan_dev_group_level_4": 0,
"pan_flags": "0x816400",
"pan_http2": "0",
"pan_log_action": "default",
"pan_log_panorama": "0xa000000000000000",
"pan_log_subtype": "url",
"pan_monitor_tag": 0,
"pan_parent_session_id": "0",
"pan_pcap_id": "0",
"pan_ppid": 4294967295,
"pan_tunnel_id": "0",
"pan_url_index": 0,
"pan_wildfire_report_id": 0,
"policy_uid": "4093544d-2f66-4d80-af2d-17f361609984",
"rule_name": "FromTrust",
"session_id": 24085,
"source": "PA-220",
"source_ip": "ccc.ccc.ccc.ccc",
"source_location_name": "192.168.0.0-192.168.255.255",
"source_nat_ip": "ddd.ddd.ddd.ddd",
"source_nat_port": 29959,
"source_port": 61322,
"source_zone": "Trust-L3",
"streams": [
"000000000000000000000001"
],
"timestamp": "2020-10-08T04:59:55.169Z",
"vendor_alert_severity": "informational",
"vendor_event_action": "alert"
}
}
],
"query": "<query here>",
"time": 11,
"to": "2020-10-08T10:08:57.306Z",
"total_results": 2,
"used_indices": [
{
"begin": "1970-01-01T00:00:00.000Z",
"calculated_at": "2020-09-30T07:24:40.163Z",
"end": "1970-01-01T00:00:00.000Z",
"index_name": "graylog_0",
"took_ms": 0
}
]
}
}
}

Human Readable Output#

Results#

built_query:
{
"from" : 0,
"size" : 20,
"query" : {
"bool" : {
"must" : [
{
"query_string" : {
"query" : "<query here>",
"fields" : [ ],
"use_dis_max" : true,
"tie_breaker" : 0.0,
"default_operator" : "or",
"auto_generate_phrase_queries" : false,
"max_determinized_states" : 10000,
"allow_leading_wildcard" : false,
"enable_position_increments" : true,
"fuzziness" : "AUTO",
"fuzzy_prefix_length" : 0,
"fuzzy_max_expansions" : 50,
"phrase_slop" : 0,
"escape" : false,
"split_on_whitespace" : true,
"boost" : 1.0
}
}
],
"filter" : [
{
"bool" : {
"must" : [
{
"range" : {
"timestamp" : {
"from" : "2020-10-08 00:08:57.306",
"to" : "2020-10-08 10:08:57.306",
"include_lower" : true,
"include_upper" : true,
"boost" : 1.0
}
}
}
],
"disable_coord" : false,
"adjust_pure_negative" : true,
"boost" : 1.0
}
}
],
"disable_coord" : false,
"adjust_pure_negative" : true,
"boost" : 1.0
}
},
"sort" : [
{
"timestamp" : {
"order" : "desc"
}
}
]
}
decoration_stats: null
fields:
event_received_time,
pan_log_subtype,
pan_dev_group_level_4,
pan_dev_group_level_3,
network_interface_out,
source,
pan_url_index,
vendor_event_action,
pan_dev_group_level_2,
pan_dev_group_level_1,
source_ip,
host_virtfw_id,
application_name,
destination_ip,
pan_ppid,
alert_indicator,
host_hostname,
source_location_name,
alert_signature_id,
rule_name,
source_zone,
gl2_message_id,
network_protocol,
network_tunnel_type,
alert_definitions_version,
destination_nat_ip,
pan_log_action,
pan_http2,
source_nat_ip,
destination_nat_port,
http_url_category,
policy_uid,
destination_port,
pan_log_panorama,
pan_tunnel_id,
pan_alert_direction,
vendor_alert_severity,
event_uid,
destination_location_name,
source_port,
event_log_name,
event_repeat_count,
timestamp,
event_source_product,
source_nat_port,
destination_zone,
session_id,
message,
alert_category,
pan_parent_session_id,
host_id,
network_interface_in,
pan_wildfire_report_id,
pan_pcap_id,
pan_flags,
pan_assoc_id,
pan_monitor_tag
from: 2020-10-08T00:08:57.306Z
messages:
{'highlight_ranges': {}, 'message': {'event_received_time': '2020/10/08 07:59:53', 'pan_log_subtype': 'url', 'gl2_remote_ip': 'bbb.bbb.bbb.bbb', 'gl2_remote_port': 51371, 'pan_dev_group_level_4': 0, 'pan_dev_group_level_3': 0, 'network_interface_out': 'ethernet1/4', 'source': 'PA-220', 'gl2_source_input': '5f7433f60f4d9c360092a070', 'pan_url_index': 0, 'vendor_event_action': 'alert', 'pan_dev_group_level_2': 0, 'pan_dev_group_level_1': 0, 'source_ip': 'ccc.ccc.ccc.ccc', 'host_virtfw_id': 'vsys1', 'application_name': 'ssl', 'destination_ip': 'aaa.aaa.aaa.aaa', 'pan_ppid': 4294967295, 'gl2_source_node': '95ba5102-13c9-4520-ac75-c8736f206953', 'alert_indicator': '<query here>/', 'host_hostname': 'PA-220', 'source_location_name': '192.168.0.0-192.168.255.255', 'gl2_accounted_message_size': 2027, 'alert_signature_id': '(9999)', 'rule_name': 'FromTrust', 'source_zone': 'Trust-L3', 'streams': ['000000000000000000000001'], 'gl2_message_id': 'ABCD', 'network_protocol': 'tcp', 'network_tunnel_type': 'N/A', 'alert_definitions_version': 'AppThreat-0-0', 'destination_nat_ip': 'aaa.aaa.aaa.aaa', 'pan_log_action': 'default', 'pan_http2': '0', 'source_nat_ip': 'ddd.ddd.ddd.ddd', '_id': '1acb0472-0923-11eb-a959-000c29d42d8e', 'destination_nat_port': 443, 'http_url_category': 'news,low-risk', 'policy_uid': '4093544d-2f66-4d80-af2d-17f361609984', 'destination_port': 443, 'pan_log_panorama': '0xa000000000000000', 'pan_tunnel_id': '0', 'pan_alert_direction': 'client-to-server', 'vendor_alert_severity': 'informational', 'event_uid': '7665475', 'destination_location_name': 'United States', 'source_port': 61323, 'event_log_name': 'THREAT', 'event_repeat_count': 1, 'timestamp': '2020-10-08T04:59:55.169Z', 'event_source_product': 'PAN', 'source_nat_port': 48189, 'destination_zone': 'Untrust-L3', 'session_id': 23366, 'message': '1,2020/10/08 07:59:53,ABCDEFGHIJK,THREAT,url,2560,2020/10/08 07:59:53,ccc.ccc.ccc.ccc,aaa.aaa.aaa.aaa,ddd.ddd.ddd.ddd,aaa.aaa.aaa.aaa,FromTrust,,,ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/3,ethernet1/4,default,2020/10/08 07:59:53,23366,1,61323,443,48189,443,0x816400,tcp,alert,"<query here>/",(9999),news,informational,client-to-server,7665475,0xa000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"news,low-risk",4093544d-2f66-4d80-af2d-17f361609984,0,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2020-10-08T07:59:54.289+03:00,,,', 'alert_category': 'news', 'pan_parent_session_id': '0', 'host_id': 'ABCDEFGHIJK', 'network_interface_in': 'ethernet1/3', 'pan_wildfire_report_id': 0, 'pan_pcap_id': '0', 'pan_flags': '0x816400', 'pan_assoc_id': 0, 'pan_monitor_tag': 0}, 'index': 'graylog_0', 'decoration_stats': None},
{'highlight_ranges': {}, 'message': {'event_received_time': '2020/10/08 07:59:53', 'pan_log_subtype': 'url', 'gl2_remote_ip': 'bbb.bbb.bbb.bbb', 'gl2_remote_port': 51371, 'pan_dev_group_level_4': 0, 'pan_dev_group_level_3': 0, 'network_interface_out': 'ethernet1/4', 'source': 'PA-220', 'gl2_source_input': '5f7433f60f4d9c360092a070', 'pan_url_index': 0, 'vendor_event_action': 'alert', 'pan_dev_group_level_2': 0, 'pan_dev_group_level_1': 0, 'source_ip': 'ccc.ccc.ccc.ccc', 'host_virtfw_id': 'vsys1', 'application_name': 'ssl', 'destination_ip': 'aaa.aaa.aaa.aaa', 'pan_ppid': 4294967295, 'gl2_source_node': '95ba5102-13c9-4520-ac75-c8736f206953', 'alert_indicator': '<query here>/', 'host_hostname': 'PA-220', 'source_location_name': '192.168.0.0-192.168.255.255', 'gl2_accounted_message_size': 2027, 'alert_signature_id': '(9999)', 'rule_name': 'FromTrust', 'source_zone': 'Trust-L3', 'streams': ['000000000000000000000001'], 'gl2_message_id': 'ABCD', 'network_protocol': 'tcp', 'network_tunnel_type': 'N/A', 'alert_definitions_version': 'AppThreat-0-0', 'destination_nat_ip': 'aaa.aaa.aaa.aaa', 'pan_log_action': 'default', 'pan_http2': '0', 'source_nat_ip': 'ddd.ddd.ddd.ddd', '_id': '1acb0470-0923-11eb-a959-000c29d42d8e', 'destination_nat_port': 443, 'http_url_category': 'news,low-risk', 'policy_uid': '4093544d-2f66-4d80-af2d-17f361609984', 'destination_port': 443, 'pan_log_panorama': '0xa000000000000000', 'pan_tunnel_id': '0', 'pan_alert_direction': 'client-to-server', 'vendor_alert_severity': 'informational', 'event_uid': '7665473', 'destination_location_name': 'United States', 'source_port': 61322, 'event_log_name': 'THREAT', 'event_repeat_count': 1, 'timestamp': '2020-10-08T04:59:55.169Z', 'event_source_product': 'PAN', 'source_nat_port': 29959, 'destination_zone': 'Untrust-L3', 'session_id': 24085, 'message': '1,2020/10/08 07:59:53,ABCDEFGHIJK,THREAT,url,2560,2020/10/08 07:59:53,ccc.ccc.ccc.ccc,aaa.aaa.aaa.aaa,ddd.ddd.ddd.ddd,aaa.aaa.aaa.aaa,FromTrust,,,ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/3,ethernet1/4,default,2020/10/08 07:59:53,24085,1,61322,443,29959,443,0x816400,tcp,alert,"<query here>/",(9999),news,informational,client-to-server,7665473,0xa000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"news,low-risk",4093544d-2f66-4d80-af2d-17f361609984,0,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2020-10-08T07:59:54.289+03:00,,,', 'alert_category': 'news', 'pan_parent_session_id': '0', 'host_id': 'ABCDEFGHIJK', 'network_interface_in': 'ethernet1/3', 'pan_wildfire_report_id': 0, 'pan_pcap_id': '0', 'pan_flags': '0x816400', 'pan_assoc_id': 0, 'pan_monitor_tag': 0}, 'index': 'graylog_0', 'decoration_stats': None}
query: <query here>
time: 11
to: 2020-10-08T10:08:57.306Z
total_results: 2
used_indices: {'index_name': 'graylog_0', 'begin': '1970-01-01T00:00:00.000Z', 'end': '1970-01-01T00:00:00.000Z', 'calculated_at': '2020-09-30T07:24:40.163Z', 'took_ms': 0}
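
Two points the graylog-search reference above leaves implicit. First, query is Lucene syntax, so an incident field interpolated into it (an indicator, a hostname) has to be escaped, or an attacker-influenced value such as `* OR *` rewrites the search instead of being looked up. Second, total_results counts every hit while messages holds at most limit of them (20 by default, matching "size" : 20 in the built query), so larger result sets are walked with offset. The Python below is an added example, not the integration's own code: the function names are ours, the escape set is the special-character list of Lucene's classic query parser, and SAMPLE_SEARCH is a trimmed copy of the Context Example above.

```python
"""Added example (not the Graylog integration's own code): build a safe
graylog-search query and page through its results with `offset`."""
import re

# Special characters of Lucene's classic query parser; each changes the meaning
# of a query unless it is backslash-escaped.
LUCENE_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')


def lucene_escape(value: str) -> str:
    """Escape a literal so it is matched as text, never parsed as query syntax."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in value)


def build_term(field: str, value: str) -> str:
    """Return a field:"value" clause with the value escaped and quoted, so an
    incident field containing `* OR *` stays a literal instead of matching everything."""
    if not re.fullmatch(r"[A-Za-z0-9_.]+", field):
        raise ValueError(f"unsafe field name: {field!r}")
    return f'{field}:"{lucene_escape(value)}"'


def build_search_args(query, range_seconds=300, limit=20, offset=0, sort=None, fields=None):
    """Validate arguments as graylog-search expects them: range in seconds from
    now (default 300), limit (default 20), offset, sort as field:asc|desc and
    fields as a comma-separated list."""
    if not query or not str(query).strip():
        raise ValueError("query is required")
    range_seconds, limit, offset = int(range_seconds), int(limit), int(offset)
    if range_seconds <= 0 or limit <= 0 or offset < 0:
        raise ValueError("range and limit must be positive, offset non-negative")
    args = {"query": query, "range": range_seconds, "limit": limit, "offset": offset}
    if sort:
        if not re.fullmatch(r"[A-Za-z0-9_.]+:(asc|desc)", sort):
            raise ValueError("sort must be field:asc or field:desc")
        args["sort"] = sort
    if fields:
        args["fields"] = ",".join(f.strip() for f in fields)
    return args


def summarize_search(search_ctx, offset=0):
    """Flatten Graylog.Search into compact rows and compute the next offset.
    total_results counts every hit; messages holds at most `limit` of them, so
    next_offset is None only when this page reached the end."""
    rows = []
    for hit in search_ctx.get("messages", []):
        m = hit.get("message", {})
        rows.append((m.get("timestamp"), m.get("source_ip"), m.get("destination_ip"),
                     m.get("alert_indicator"), m.get("vendor_event_action")))
    total = int(search_ctx.get("total_results", len(rows)))
    next_offset = offset + len(rows) if offset + len(rows) < total else None
    return {"rows": rows, "total_results": total, "next_offset": next_offset}


# Constructed sample, trimmed from the Context Example above (two hits, all returned).
SAMPLE_SEARCH = {
    "total_results": 2,
    "messages": [
        {"message": {"_id": "1acb0472-0923-11eb-a959-000c29d42d8e",
                     "timestamp": "2020-10-08T04:59:55.169Z",
                     "source_ip": "ccc.ccc.ccc.ccc", "destination_ip": "aaa.aaa.aaa.aaa",
                     "alert_indicator": "<query here>/", "vendor_event_action": "alert"}},
        {"message": {"_id": "1acb0470-0923-11eb-a959-000c29d42d8e",
                     "timestamp": "2020-10-08T04:59:55.169Z",
                     "source_ip": "ccc.ccc.ccc.ccc", "destination_ip": "aaa.aaa.aaa.aaa",
                     "alert_indicator": "<query here>/", "vendor_event_action": "alert"}},
    ],
}

if __name__ == "__main__":
    indicator = 'evil.example/" OR *'          # attacker-influenced incident field
    print(build_search_args(build_term("alert_indicator", indicator), range_seconds=3600,
                            sort="timestamp:desc", fields=["timestamp", "source_ip"]))
    print(summarize_search(SAMPLE_SEARCH))
```

In a playbook, feed `build_search_args(...)["query"]` to the query argument of graylog-search and loop while `summarize_search(...)["next_offset"]` is not None, passing that value as offset on the next call.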

graylog-events-search#


Search the events and alerts generated by Graylog event definitions, with paging and sorting.

Base Command#

graylog-events-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Query to use | Optional |
| filter | Filter to use | Optional |
| page | Page number (integer) | Optional |
| sort_direction | Sort direction (ascending or descending) | Optional |
| per_page | Number of events per page (integer) | Optional |
| timerange | Relative timerange to search in, in seconds | Optional |
| sort_by | Field to sort by | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Graylog.EventsSearch | String | Result of Events Search |

Command Example#

!graylog-events-search query=gmail timerange=1000

Context Example#

{
"Graylog": {
"EventsSearch": {
"context": {
"event_definitions": {
"5f7436c60f4d9c360092a3ac": {
"description": "",
"id": "5f7436c60f4d9c360092a3ac",
"title": "Gmail"
}
},
"streams": {
"000000000000000000000002": {
"description": "Stream containing all events created by Graylog",
"id": "000000000000000000000002",
"title": "All events"
}
}
},
"duration": 4,
"events": [
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:e6befc60-094d-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T10:06:16.169Z",
"timestamp_processing": "2020-10-08T10:07:04.269Z"
},
"index_name": "gl-events_1",
"index_type": "message"
},
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:c265df01-094d-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T10:05:15.169Z",
"timestamp_processing": "2020-10-08T10:07:04.269Z"
},
"index_name": "gl-events_1",
"index_type": "message"
},
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:9e9e0521-094d-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T10:04:15.169Z",
"timestamp_processing": "2020-10-08T10:07:04.269Z"
},
"index_name": "gl-events_1",
"index_type": "message"
},
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:7ad9d4c1-094d-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T10:03:15.169Z",
"timestamp_processing": "2020-10-08T10:07:04.269Z"
},
"index_name": "gl-events_1",
"index_type": "message"
},
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:571c5b22-094d-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T10:02:16.169Z",
"timestamp_processing": "2020-10-08T10:07:04.269Z"
},
"index_name": "gl-events_1",
"index_type": "message"
},
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:3351e930-094d-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T10:01:16.169Z",
"timestamp_processing": "2020-10-08T10:02:04.510Z"
},
"index_name": "gl-events_1",
"index_type": "message"
},
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:10cb68f1-094d-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T10:00:17.169Z",
"timestamp_processing": "2020-10-08T10:02:04.510Z"
},
"index_name": "gl-events_1",
"index_type": "message"
},
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:ef65e911-094c-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T09:59:21.169Z",
"timestamp_processing": "2020-10-08T10:02:04.510Z"
},
"index_name": "gl-events_1",
"index_type": "message"
},
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:c805f451-094c-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T09:58:15.169Z",
"timestamp_processing": "2020-10-08T10:02:04.510Z"
},
"index_name": "gl-events_1",
"index_type": "message"
},
{
"event": {
"alert": false,
"event_definition_id": "5f7436c60f4d9c360092a3ac",
"event_definition_type": "aggregation-v1",
"fields": {},
"id": "ABCD",
"key": null,
"key_tuple": [],
"message": "Gmail",
"origin_context": "urn:graylog:message:es:graylog_0:a441c3f0-094c-11eb-a959-000c29d42d8e",
"priority": 1,
"source": "graylog",
"source_streams": [],
"streams": [
"000000000000000000000002"
],
"timerange_end": null,
"timerange_start": null,
"timestamp": "2020-10-08T09:57:15.169Z",
"timestamp_processing": "2020-10-08T10:02:04.510Z"
},
"index_name": "gl-events_1",
"index_type": "message"
}
],
"parameters": {
"filter": {
"alerts": "include",
"event_definitions": []
},
"page": 1,
"per_page": 10,
"query": "gmail",
"sort_by": "timestamp",
"sort_direction": "desc",
"timerange": {
"range": 1000,
"type": "relative"
}
},
"total_events": 14,
"used_indices": [
"gl-events_1",
"gl-system-events_1"
]
}
}
}
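
The Context Example above shows why paging matters: total_events is 14 but per_page is 10, so a single call returns only the first ten events, and a playbook that stops there silently drops four. The following Python, an added example rather than integration code, walks page until total_events is covered and deduplicates on origin_context (the id values in the sample are redacted to ABCD, so they cannot serve as keys). fake_fetch is a constructed stand-in for running the command, shaped like the Context Example; in a real automation it would be replaced by the call that executes graylog-events-search with the same arguments.

```python
"""Added example (not the Graylog integration's own code): collect every event
from graylog-events-search by walking `page` until `total_events` is covered."""


def paginate_events(fetch_page, query, timerange, per_page=10, max_pages=50):
    """fetch_page(query=, timerange=, page=, per_page=) must return the
    Graylog.EventsSearch structure (events, total_events, parameters).
    Returns the `event` objects, deduplicated on origin_context."""
    events, seen = [], set()
    page = 1
    while page <= max_pages:                      # hard stop in case total_events keeps growing
        resp = fetch_page(query=query, timerange=timerange, page=page, per_page=per_page)
        batch = resp.get("events", [])
        for item in batch:
            ev = item["event"]
            # origin_context names the message that produced the event; the ids in the
            # page's sample are redacted to "ABCD", so origin_context is the stable key.
            key = ev.get("origin_context") or ev["id"]
            if key not in seen:
                seen.add(key)
                events.append(ev)
        if not batch or page * per_page >= int(resp.get("total_events", 0)):
            break
        page += 1
    return events


# --- constructed stand-in for executing the command, shaped like the Context Example ---
def _make_event(n):
    return {"event": {"id": "ABCD", "event_definition_id": "5f7436c60f4d9c360092a3ac",
                      "event_definition_type": "aggregation-v1", "message": "Gmail",
                      "alert": False, "priority": 1, "streams": ["000000000000000000000002"],
                      "origin_context": f"urn:graylog:message:es:graylog_0:{n:08x}-094d-11eb-a959-000c29d42d8e",
                      "timestamp": f"2020-10-08T10:{n:02d}:15.169Z"},
            "index_name": "gl-events_1", "index_type": "message"}


ALL_EVENTS = [_make_event(n) for n in range(14)]     # total_events = 14, as in the sample


def fake_fetch(query, timerange, page, per_page):
    """Pretend to run !graylog-events-search with the given paging arguments."""
    start = (page - 1) * per_page
    return {"events": ALL_EVENTS[start:start + per_page],
            "total_events": len(ALL_EVENTS),
            "parameters": {"query": query, "page": page, "per_page": per_page,
                           "sort_by": "timestamp", "sort_direction": "desc",
                           "timerange": {"range": timerange, "type": "relative"}}}


if __name__ == "__main__":
    collected = paginate_events(fake_fetch, "gmail", 1000, per_page=10)
    print(f"{len(collected)} events across pages; first: {collected[0]['timestamp']}")
```

With per_page=10 the helper makes two calls (page 1 and page 2) and returns all 14 events; with per_page=20 it stops after one. The max_pages guard matters in a live system where new events keep arriving while you page.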

Human Readable Output#

Results#

context:
event_definitions: {"5f7436c60f4d9c360092a3ac": {"id": "5f7436c60f4d9c360092a3ac", "title": "Gmail", "description": ""}}
streams: {"000000000000000000000002": {"id": "000000000000000000000002", "title": "All events", "description": "Stream containing all events created by Graylog"}}
duration: 4
events:
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message:es:graylog_0:e6befc60-094d-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T10:06:16.169Z', 'timestamp_processing': '2020-10-08T10:07:04.269Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'},
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message:es:graylog_0:c265df01-094d-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T10:05:15.169Z', 'timestamp_processing': '2020-10-08T10:07:04.269Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'},
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message:es:graylog_0:9e9e0521-094d-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T10:04:15.169Z', 'timestamp_processing': '2020-10-08T10:07:04.269Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'},
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message:es:graylog_0:7ad9d4c1-094d-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T10:03:15.169Z', 'timestamp_processing': '2020-10-08T10:07:04.269Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'},
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message:es:graylog_0:571c5b22-094d-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T10:02:16.169Z', 'timestamp_processing': '2020-10-08T10:07:04.269Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'},
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message:es:graylog_0:3351e930-094d-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T10:01:16.169Z', 'timestamp_processing': '2020-10-08T10:02:04.510Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'},
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message🇪🇸graylog_0:10cb68f1-094d-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T10:00:17.169Z', 'timestamp_processing': '2020-10-08T10:02:04.510Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'},
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message🇪🇸graylog_0:ef65e911-094c-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T09:59:21.169Z', 'timestamp_processing': '2020-10-08T10:02:04.510Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'},
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message🇪🇸graylog_0:c805f451-094c-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T09:58:15.169Z', 'timestamp_processing': '2020-10-08T10:02:04.510Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'},
{'event': {'id': 'ABCD', 'event_definition_type': 'aggregation-v1', 'event_definition_id': '5f7436c60f4d9c360092a3ac', 'origin_context': 'urn:graylog:message🇪🇸graylog_0:a441c3f0-094c-11eb-a959-000c29d42d8e', 'timestamp': '2020-10-08T09:57:15.169Z', 'timestamp_processing': '2020-10-08T10:02:04.510Z', 'timerange_start': None, 'timerange_end': None, 'streams': ['000000000000000000000002'], 'source_streams': [], 'message': 'Gmail', 'source': 'graylog', 'key_tuple': [], 'key': None, 'priority': 1, 'alert': False, 'fields': {}}, 'index_name': 'gl-events_1', 'index_type': 'message'}
page: 1
per_page: 10
timerange: {"type": "relative", "range": 1000}
query: gmail
filter: {"alerts": "include", "event_definitions": []}
sort_by: timestamp
sort_direction: desc
14gl-events_1,
gl-system-events_1
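
The events output above carries two structures a playbook has to join: `context.event_definitions`, keyed by the `event_definition_id` each event refers to, and `origin_context`, which names the message that triggered the event as `urn:graylog:message:es:<index>:<message_id>`. It is also one page of a larger result set (`total_events` 14 against `per_page` 10), so an automation that treats the `events` list as complete under-counts. The following is an added example, not code from the Graylog integration, showing how to resolve event titles, detect truncation and extract the index/message-id pairs needed to pivot back to the raw message. The sample result is constructed from the shapes shown above with two of the events; the function names are this example's own.

```python
"""Post-process graylog-events-search output: join events to their definitions,
flag paging truncation and recover message pivots.
Added example; not part of the Graylog integration."""
import re
from collections import Counter
from typing import Any, Dict, List, Tuple

# Graylog records the source message of an event as
# urn:graylog:message:es:<index>:<message_id>
_ORIGIN_RE = re.compile(r"^urn:graylog:message:es:(?P<index>[^:]+):(?P<message_id>[^:]+)$")


def parse_origin_context(urn: str) -> Tuple[str, str]:
    """Return (index, message_id) from an event's origin_context; raise on any other shape."""
    m = _ORIGIN_RE.match(urn)
    if m is None:
        raise ValueError(f"unrecognised origin_context: {urn!r}")
    return m.group("index"), m.group("message_id")


def summarize_events(result: Dict[str, Any]) -> Dict[str, Any]:
    """Join each event with its definition title, count per definition and collect pivots.

    'truncated' is True when the response is only one page of a larger result set,
    so the caller knows it must page (page / per_page) before treating the list as complete.
    """
    definitions = result.get("context", {}).get("event_definitions", {})
    events = result.get("events", [])
    per_definition: Counter = Counter()
    pivots: List[Dict[str, Any]] = []
    for hit in events:
        ev = hit["event"]
        def_id = ev["event_definition_id"]
        # Fall back to the raw id when the definition is not in the context block.
        title = definitions.get(def_id, {}).get("title", def_id)
        per_definition[title] += 1
        index, message_id = parse_origin_context(ev["origin_context"])
        pivots.append({
            "definition": title,
            "priority": ev.get("priority"),
            "alert": bool(ev.get("alert", False)),
            "timestamp": ev["timestamp"],
            "index": index,
            "message_id": message_id,
        })
    total = int(result.get("total_events", len(events)))
    return {
        "total_events": total,
        "returned": len(events),
        "truncated": total > len(events),
        "per_definition": dict(per_definition),
        "pivots": pivots,
    }


# Constructed sample in the shape of the output above (two of the fourteen events).
SAMPLE_RESULT: Dict[str, Any] = {
    "context": {
        "event_definitions": {
            "5f7436c60f4d9c360092a3ac": {"id": "5f7436c60f4d9c360092a3ac", "title": "Gmail", "description": ""}
        },
        "streams": {
            "000000000000000000000002": {"id": "000000000000000000000002", "title": "All events", "description": ""}
        },
    },
    "events": [
        {"event": {"id": "ABCD", "event_definition_type": "aggregation-v1",
                   "event_definition_id": "5f7436c60f4d9c360092a3ac",
                   "origin_context": "urn:graylog:message:es:graylog_0:e6befc60-094d-11eb-a959-000c29d42d8e",
                   "timestamp": "2020-10-08T10:06:16.169Z", "priority": 1, "alert": False},
         "index_name": "gl-events_1", "index_type": "message"},
        {"event": {"id": "ABCD", "event_definition_type": "aggregation-v1",
                   "event_definition_id": "5f7436c60f4d9c360092a3ac",
                   "origin_context": "urn:graylog:message:es:graylog_0:c265df01-094d-11eb-a959-000c29d42d8e",
                   "timestamp": "2020-10-08T10:05:15.169Z", "priority": 1, "alert": False},
         "index_name": "gl-events_1", "index_type": "message"},
    ],
    "parameters": {"page": 1, "per_page": 10, "query": "gmail"},
    "total_events": 14,
}

if __name__ == "__main__":
    summary = summarize_events(SAMPLE_RESULT)
    print(summary["per_definition"], "truncated:", summary["truncated"])
    for pivot in summary["pivots"]:
        print(pivot["definition"], pivot["index"], pivot["message_id"])
```

The `truncated` flag is the check to gate on before, for example, counting events per definition in an incident: with the parameters above a second call with `page` 2 is needed to see the remaining four events.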

graylog-search-absolute#


Search for messages within an absolute (from/to) time range.

Base Command#

graylog-search-absolute

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Query in Lucene syntax. | Required |
| from | Start of the absolute time range, in the format yyyy-MM-ddTHH:mm:ss.SSSZ (e.g. 2014-01-23T15:34:49.000Z) or yyyy-MM-dd HH:mm:ss. | Required |
| to | End of the absolute time range, in the same format as from. | Required |
| limit | Maximum number of messages to return. | Optional |
| offset | Number of matching messages to skip, for paging through results. | Optional |
| filter | Filter applied to the search (for example, restricting it to a stream). | Optional |
| fields | Comma-separated list of fields to return. | Optional |
| sort | Sorting (field:asc / field:desc). | Optional |
| decorate | Run decorators on the search result. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Graylog.SearchAbsolute | String | Search results of the absolute search. |

Command Example#

!graylog-search-absolute query="<query here>" from=<timefrom> to=<timeto>
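
The query argument is handed to Graylog as Lucene syntax, and the built_query in the context example shows the server running it as a query_string with allow_leading_wildcard set to false. When a playbook feeds an indicator (a URL, an IP, a file path) into query, any Lucene operator it contains (`:`, `/`, `*`, `?`, parentheses and so on) changes what is matched or makes the search fail, so the value must be escaped before it is interpolated. The following is an added example, not code from the Graylog integration: a Lucene escaper, a validator for the two timestamp formats from and to accept, a builder for the command's arguments and a flattener for the messages array of the Graylog.SearchAbsolute context. The sample response is constructed in the shape of the context example below with the same redacted values; all function names are this example's own.

```python
"""Build and check graylog-search-absolute arguments and flatten its result.
Added example; not part of the Graylog integration."""
import re
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional

# The two absolute timestamp shapes accepted by the from/to arguments.
_TS_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%d %H:%M:%S")

# Lucene query-syntax operators (+ - && || ! ( ) { } [ ] ^ " ~ * ? : \ /), the
# range operators < > = and whitespace, all of which split or reinterpret a term.
_LUCENE_SPECIAL = re.compile(r'(&&|\|\||[+\-=!(){}\[\]^"~*?:\\/<> ])')


def escape_lucene(value: str) -> str:
    """Backslash-escape operators so an indicator is matched literally, not parsed as syntax."""
    return _LUCENE_SPECIAL.sub(r"\\\1", value)


def parse_graylog_timestamp(value: str) -> datetime:
    """Parse a from/to value; the zone-less form is taken as UTC, which is how Graylog stores time."""
    for fmt in _TS_FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"not a Graylog absolute timestamp: {value!r}")


def timerange_is_valid(time_from: str, time_to: str) -> bool:
    """True when both bounds parse and from precedes to."""
    try:
        return parse_graylog_timestamp(time_from) < parse_graylog_timestamp(time_to)
    except ValueError:
        return False


def build_search_args(field: str, indicator: str, time_from: str, time_to: str,
                      limit: int = 20, fields: Optional[Iterable[str]] = None) -> Dict[str, Any]:
    """Assemble the arguments for !graylog-search-absolute with the indicator escaped.

    The field name is fixed by the playbook and checked against a whitelist pattern;
    the indicator is untrusted input and is escaped rather than validated.
    """
    if not re.fullmatch(r"[A-Za-z0-9_.]+", field):
        raise ValueError(f"unexpected field name: {field!r}")
    if not timerange_is_valid(time_from, time_to):
        raise ValueError("from/to must both be valid timestamps with from earlier than to")
    if limit <= 0:
        raise ValueError("limit must be positive")
    args: Dict[str, Any] = {
        "query": f"{field}:{escape_lucene(indicator)}",
        "from": time_from,
        "to": time_to,
        "limit": limit,
    }
    if fields:
        args["fields"] = ",".join(fields)
    return args


def flatten_messages(result: Dict[str, Any],
                     keys: Iterable[str] = ("timestamp", "source_ip", "destination_ip",
                                            "destination_port", "alert_indicator")) -> List[Dict[str, Any]]:
    """Reduce Graylog.SearchAbsolute.messages to the fields an analyst wants in a table."""
    return [{k: hit.get("message", {}).get(k) for k in keys} for hit in result.get("messages", [])]


# Constructed sample in the shape of the context example (two PAN threat-log hits, values redacted).
SAMPLE_RESULT: Dict[str, Any] = {
    "query": "source_ip:ccc.ccc.ccc.ccc",
    "from": "2020-10-04T15:34:49.000Z",
    "to": "2020-10-08T15:34:49.000Z",
    "total_results": 2,
    "messages": [
        {"index": "graylog_0", "message": {
            "_id": "1acb0472-0923-11eb-a959-000c29d42d8e", "timestamp": "2020-10-08T04:59:55.169Z",
            "source_ip": "ccc.ccc.ccc.ccc", "destination_ip": "aaa.aaa.aaa.aaa", "destination_port": 443,
            "alert_indicator": "<query here>/", "vendor_event_action": "alert"}},
        {"index": "graylog_0", "message": {
            "_id": "1acb0470-0923-11eb-a959-000c29d42d8e", "timestamp": "2020-10-08T04:59:55.169Z",
            "source_ip": "ccc.ccc.ccc.ccc", "destination_ip": "aaa.aaa.aaa.aaa", "destination_port": 443,
            "alert_indicator": "<query here>/", "vendor_event_action": "alert"}},
    ],
}

if __name__ == "__main__":
    args = build_search_args("alert_indicator", "http://evil.example/path",
                             "2020-10-04T15:34:49.000Z", "2020-10-08T15:34:49.000Z")
    print(args["query"])  # alert_indicator:http\:\/\/evil.example\/path
    for row in flatten_messages(SAMPLE_RESULT):
        print(row)
```

Escaping keeps the server-side query well-formed; it does not change the field's analyzer, so an escaped URL against an analyzed text field still matches on the tokens Graylog indexed. Leading wildcards are left to the caller to avoid, since the built_query shows Graylog rejecting them by default.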

Context Example#

{
"Graylog": {
"SearchAbsolute": {
"built_query": "{\n \"from\" : 0,\n \"size\" : 20,\n \"query\" : {\n \"bool\" : {\n \"must\" : [\n {\n \"query_string\" : {\n \"query\" : \"<query here>\",\n \"fields\" : [ ],\n \"use_dis_max\" : true,\n \"tie_breaker\" : 0.0,\n \"default_operator\" : \"or\",\n \"auto_generate_phrase_queries\" : false,\n \"max_determinized_states\" : 10000,\n \"allow_leading_wildcard\" : false,\n \"enable_position_increments\" : true,\n \"fuzziness\" : \"AUTO\",\n \"fuzzy_prefix_length\" : 0,\n \"fuzzy_max_expansions\" : 50,\n \"phrase_slop\" : 0,\n \"escape\" : false,\n \"split_on_whitespace\" : true,\n \"boost\" : 1.0\n }\n }\n ],\n \"filter\" : [\n {\n \"bool\" : {\n \"must\" : [\n {\n \"range\" : {\n \"timestamp\" : {\n \"from\" : \"2020-10-04 15:34:49.000\",\n \"to\" : \"2020-10-08 15:34:49.000\",\n \"include_lower\" : true,\n \"include_upper\" : true,\n \"boost\" : 1.0\n }\n }\n }\n ],\n \"disable_coord\" : false,\n \"adjust_pure_negative\" : true,\n \"boost\" : 1.0\n }\n }\n ],\n \"disable_coord\" : false,\n \"adjust_pure_negative\" : true,\n \"boost\" : 1.0\n }\n },\n \"sort\" : [\n {\n \"timestamp\" : {\n \"order\" : \"desc\"\n }\n }\n ]\n}",
"decoration_stats": null,
"fields": [
"event_received_time",
"pan_log_subtype",
"pan_dev_group_level_4",
"pan_dev_group_level_3",
"network_interface_out",
"source",
"pan_url_index",
"vendor_event_action",
"pan_dev_group_level_2",
"pan_dev_group_level_1",
"source_ip",
"host_virtfw_id",
"application_name",
"destination_ip",
"pan_ppid",
"alert_indicator",
"host_hostname",
"source_location_name",
"alert_signature_id",
"rule_name",
"source_zone",
"gl2_message_id",
"network_protocol",
"network_tunnel_type",
"alert_definitions_version",
"destination_nat_ip",
"pan_log_action",
"pan_http2",
"source_nat_ip",
"destination_nat_port",
"http_url_category",
"policy_uid",
"destination_port",
"pan_log_panorama",
"pan_tunnel_id",
"pan_alert_direction",
"vendor_alert_severity",
"event_uid",
"destination_location_name",
"source_port",
"event_log_name",
"event_repeat_count",
"timestamp",
"event_source_product",
"source_nat_port",
"destination_zone",
"session_id",
"message",
"alert_category",
"pan_parent_session_id",
"host_id",
"network_interface_in",
"pan_wildfire_report_id",
"pan_pcap_id",
"pan_flags",
"pan_assoc_id",
"pan_monitor_tag"
],
"from": "2020-10-04T15:34:49.000Z",
"messages": [
{
"decoration_stats": null,
"highlight_ranges": {},
"index": "graylog_0",
"message": {
"_id": "1acb0472-0923-11eb-a959-000c29d42d8e",
"alert_category": "news",
"alert_definitions_version": "AppThreat-0-0",
"alert_indicator": "<query here>/",
"alert_signature_id": "(9999)",
"application_name": "ssl",
"destination_ip": "aaa.aaa.aaa.aaa",
"destination_location_name": "United States",
"destination_nat_ip": "aaa.aaa.aaa.aaa",
"destination_nat_port": 443,
"destination_port": 443,
"destination_zone": "Untrust-L3",
"event_log_name": "THREAT",
"event_received_time": "2020/10/08 07:59:53",
"event_repeat_count": 1,
"event_source_product": "PAN",
"event_uid": "7665475",
"gl2_accounted_message_size": 2027,
"gl2_message_id": "ABCD",
"gl2_remote_ip": "bbb.bbb.bbb.bbb",
"gl2_remote_port": 51371,
"gl2_source_input": "5f7433f60f4d9c360092a070",
"gl2_source_node": "95ba5102-13c9-4520-ac75-c8736f206953",
"host_hostname": "PA-220",
"host_id": "ABCDEFGHIJK",
"host_virtfw_id": "vsys1",
"http_url_category": "news,low-risk",
"message": "1,2020/10/08 07:59:53,ABCDEFGHIJK,THREAT,url,2560,2020/10/08 07:59:53,ccc.ccc.ccc.ccc,aaa.aaa.aaa.aaa,ddd.ddd.ddd.ddd,aaa.aaa.aaa.aaa,FromTrust,,,ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/3,ethernet1/4,default,2020/10/08 07:59:53,23366,1,61323,443,48189,443,0x816400,tcp,alert,\"<query here>/\",(9999),news,informational,client-to-server,7665475,0xa000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\"news,low-risk\",4093544d-2f66-4d80-af2d-17f361609984,0,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2020-10-08T07:59:54.289+03:00,,,",
"network_interface_in": "ethernet1/3",
"network_interface_out": "ethernet1/4",
"network_protocol": "tcp",
"network_tunnel_type": "N/A",
"pan_alert_direction": "client-to-server",
"pan_assoc_id": 0,
"pan_dev_group_level_1": 0,
"pan_dev_group_level_2": 0,
"pan_dev_group_level_3": 0,
"pan_dev_group_level_4": 0,
"pan_flags": "0x816400",
"pan_http2": "0",
"pan_log_action": "default",
"pan_log_panorama": "0xa000000000000000",
"pan_log_subtype": "url",
"pan_monitor_tag": 0,
"pan_parent_session_id": "0",
"pan_pcap_id": "0",
"pan_ppid": 4294967295,
"pan_tunnel_id": "0",
"pan_url_index": 0,
"pan_wildfire_report_id": 0,
"policy_uid": "4093544d-2f66-4d80-af2d-17f361609984",
"rule_name": "FromTrust",
"session_id": 23366,
"source": "PA-220",
"source_ip": "ccc.ccc.ccc.ccc",
"source_location_name": "192.168.0.0-192.168.255.255",
"source_nat_ip": "ddd.ddd.ddd.ddd",
"source_nat_port": 48189,
"source_port": 61323,
"source_zone": "Trust-L3",
"streams": [
"000000000000000000000001"
],
"timestamp": "2020-10-08T04:59:55.169Z",
"vendor_alert_severity": "informational",
"vendor_event_action": "alert"
}
},
{
"decoration_stats": null,
"highlight_ranges": {},
"index": "graylog_0",
"message": {
"_id": "1acb0470-0923-11eb-a959-000c29d42d8e",
"alert_category": "news",
"alert_definitions_version": "AppThreat-0-0",
"alert_indicator": "<query here>/",
"alert_signature_id": "(9999)",
"application_name": "ssl",
"destination_ip": "aaa.aaa.aaa.aaa",
"destination_location_name": "United States",
"destination_nat_ip": "aaa.aaa.aaa.aaa",
"destination_nat_port": 443,
"destination_port": 443,
"destination_zone": "Untrust-L3",
"event_log_name": "THREAT",
"event_received_time": "2020/10/08 07:59:53",
"event_repeat_count": 1,
"event_source_product": "PAN",
"event_uid": "7665473",
"gl2_accounted_message_size": 2027,
"gl2_message_id": "ABCD",
"gl2_remote_ip": "bbb.bbb.bbb.bbb",
"gl2_remote_port": 51371,
"gl2_source_input": "5f7433f60f4d9c360092a070",
"gl2_source_node": "95ba5102-13c9-4520-ac75-c8736f206953",
"host_hostname": "PA-220",
"host_id": "ABCDEFGHIJK",
"host_virtfw_id": "vsys1",
"http_url_category": "news,low-risk",
"message": "1,2020/10/08 07:59:53,ABCDEFGHIJK,THREAT,url,2560,2020/10/08 07:59:53,ccc.ccc.ccc.ccc,aaa.aaa.aaa.aaa,ddd.ddd.ddd.ddd,aaa.aaa.aaa.aaa,FromTrust,,,ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/3,ethernet1/4,default,2020/10/08 07:59:53,24085,1,61322,443,29959,443,0x816400,tcp,alert,\"<query here>/\",(9999),news,informational,client-to-server,7665473,0xa000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,\"news,low-risk\",4093544d-2f66-4d80-af2d-17f361609984,0,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2020-10-08T07:59:54.289+03:00,,,",
"network_interface_in": "ethernet1/3",
"network_interface_out": "ethernet1/4",
"network_protocol": "tcp",
"network_tunnel_type": "N/A",
"pan_alert_direction": "client-to-server",
"pan_assoc_id": 0,
"pan_dev_group_level_1": 0,
"pan_dev_group_level_2": 0,
"pan_dev_group_level_3": 0,
"pan_dev_group_level_4": 0,
"pan_flags": "0x816400",
"pan_http2": "0",
"pan_log_action": "default",
"pan_log_panorama": "0xa000000000000000",
"pan_log_subtype": "url",
"pan_monitor_tag": 0,
"pan_parent_session_id": "0",
"pan_pcap_id": "0",
"pan_ppid": 4294967295,
"pan_tunnel_id": "0",
"pan_url_index": 0,
"pan_wildfire_report_id": 0,
"policy_uid": "4093544d-2f66-4d80-af2d-17f361609984",
"rule_name": "FromTrust",
"session_id": 24085,
"source": "PA-220",
"source_ip": "ccc.ccc.ccc.ccc",
"source_location_name": "192.168.0.0-192.168.255.255",
"source_nat_ip": "ddd.ddd.ddd.ddd",
"source_nat_port": 29959,
"source_port": 61322,
"source_zone": "Trust-L3",
"streams": [
"000000000000000000000001"
],
"timestamp": "2020-10-08T04:59:55.169Z",
"vendor_alert_severity": "informational",
"vendor_event_action": "alert"
}
}
],
"query": "<query here>",
"time": 2,
"to": "2020-10-08T15:34:49.000Z",
"total_results": 2,
"used_indices": [
{
"begin": "1970-01-01T00:00:00.000Z",
"calculated_at": "2020-09-30T07:24:40.163Z",
"end": "1970-01-01T00:00:00.000Z",
"index_name": "graylog_0",
"took_ms": 0
}
]
}
}
}

Human Readable Output#

Results#

built_query:
{
"from" : 0,
"size" : 20,
"query" : {
"bool" : {
"must" : [
{
"query_string" : {
"query" : "<query here>",
"fields" : [ ],
"use_dis_max" : true,
"tie_breaker" : 0.0,
"default_operator" : "or",
"auto_generate_phrase_queries" : false,
"max_determinized_states" : 10000,
"allow_leading_wildcard" : false,
"enable_position_increments" : true,
"fuzziness" : "AUTO",
"fuzzy_prefix_length" : 0,
"fuzzy_max_expansions" : 50,
"phrase_slop" : 0,
"escape" : false,
"split_on_whitespace" : true,
"boost" : 1.0
}
}
],
"filter" : [
{
"bool" : {
"must" : [
{
"range" : {
"timestamp" : {
"from" : "2020-10-04 15:34:49.000",
"to" : "2020-10-08 15:34:49.000",
"include_lower" : true,
"include_upper" : true,
"boost" : 1.0
}
}
}
],
"disable_coord" : false,
"adjust_pure_negative" : true,
"boost" : 1.0
}
}
],
"disable_coord" : false,
"adjust_pure_negative" : true,
"boost" : 1.0
}
},
"sort" : [
{
"timestamp" : {
"order" : "desc"
}
}
]
}
decoration_stats: null
fields: event_received_time, pan_log_subtype, pan_dev_group_level_4, pan_dev_group_level_3, network_interface_out, source, pan_url_index, vendor_event_action, pan_dev_group_level_2, pan_dev_group_level_1, source_ip, host_virtfw_id, application_name, destination_ip, pan_ppid, alert_indicator, host_hostname, source_location_name, alert_signature_id, rule_name, source_zone, gl2_message_id, network_protocol, network_tunnel_type, alert_definitions_version, destination_nat_ip, pan_log_action, pan_http2, source_nat_ip, destination_nat_port, http_url_category, policy_uid, destination_port, pan_log_panorama, pan_tunnel_id, pan_alert_direction, vendor_alert_severity, event_uid, destination_location_name, source_port, event_log_name, event_repeat_count, timestamp, event_source_product, source_nat_port, destination_zone, session_id, message, alert_category, pan_parent_session_id, host_id, network_interface_in, pan_wildfire_report_id, pan_pcap_id, pan_flags, pan_assoc_id, pan_monitor_tag
from: 2020-10-04T15:34:49.000Z
messages:
{'highlight_ranges': {}, 'message': {'event_received_time': '2020/10/08 07:59:53', 'pan_log_subtype': 'url', 'gl2_remote_ip': 'bbb.bbb.bbb.bbb', 'gl2_remote_port': 51371, 'pan_dev_group_level_4': 0, 'pan_dev_group_level_3': 0, 'network_interface_out': 'ethernet1/4', 'source': 'PA-220', 'gl2_source_input': '5f7433f60f4d9c360092a070', 'pan_url_index': 0, 'vendor_event_action': 'alert', 'pan_dev_group_level_2': 0, 'pan_dev_group_level_1': 0, 'source_ip': 'ccc.ccc.ccc.ccc', 'host_virtfw_id': 'vsys1', 'application_name': 'ssl', 'destination_ip': 'aaa.aaa.aaa.aaa', 'pan_ppid': 4294967295, 'gl2_source_node': '95ba5102-13c9-4520-ac75-c8736f206953', 'alert_indicator': '<query here>/', 'host_hostname': 'PA-220', 'source_location_name': '192.168.0.0-192.168.255.255', 'gl2_accounted_message_size': 2027, 'alert_signature_id': '(9999)', 'rule_name': 'FromTrust', 'source_zone': 'Trust-L3', 'streams': ['000000000000000000000001'], 'gl2_message_id': 'ABCD', 'network_protocol': 'tcp', 'network_tunnel_type': 'N/A', 'alert_definitions_version': 'AppThreat-0-0', 'destination_nat_ip': 'aaa.aaa.aaa.aaa', 'pan_log_action': 'default', 'pan_http2': '0', 'source_nat_ip': 'ddd.ddd.ddd.ddd', '_id': '1acb0472-0923-11eb-a959-000c29d42d8e', 'destination_nat_port': 443, 'http_url_category': 'news,low-risk', 'policy_uid': '4093544d-2f66-4d80-af2d-17f361609984', 'destination_port': 443, 'pan_log_panorama': '0xa000000000000000', 'pan_tunnel_id': '0', 'pan_alert_direction': 'client-to-server', 'vendor_alert_severity': 'informational', 'event_uid': '7665475', 'destination_location_name': 'United States', 'source_port': 61323, 'event_log_name': 'THREAT', 'event_repeat_count': 1, 'timestamp': '2020-10-08T04:59:55.169Z', 'event_source_product': 'PAN', 'source_nat_port': 48189, 'destination_zone': 'Untrust-L3', 'session_id': 23366, 'message': '1,2020/10/08 07:59:53,ABCDEFGHIJK,THREAT,url,2560,2020/10/08 07:59:53,ccc.ccc.ccc.ccc,aaa.aaa.aaa.aaa,ddd.ddd.ddd.ddd,aaa.aaa.aaa.aaa,FromTrust,,,ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/3,ethernet1/4,default,2020/10/08 07:59:53,23366,1,61323,443,48189,443,0x816400,tcp,alert,"<query here>/",(9999),news,informational,client-to-server,7665475,0xa000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"news,low-risk",4093544d-2f66-4d80-af2d-17f361609984,0,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2020-10-08T07:59:54.289+03:00,,,', 'alert_category': 'news', 'pan_parent_session_id': '0', 'host_id': 'ABCDEFGHIJK', 'network_interface_in': 'ethernet1/3', 'pan_wildfire_report_id': 0, 'pan_pcap_id': '0', 'pan_flags': '0x816400', 'pan_assoc_id': 0, 'pan_monitor_tag': 0}, 'index': 'graylog_0', 'decoration_stats': None},
{'highlight_ranges': {}, 'message': {'event_received_time': '2020/10/08 07:59:53', 'pan_log_subtype': 'url', 'gl2_remote_ip': 'bbb.bbb.bbb.bbb', 'gl2_remote_port': 51371, 'pan_dev_group_level_4': 0, 'pan_dev_group_level_3': 0, 'network_interface_out': 'ethernet1/4', 'source': 'PA-220', 'gl2_source_input': '5f7433f60f4d9c360092a070', 'pan_url_index': 0, 'vendor_event_action': 'alert', 'pan_dev_group_level_2': 0, 'pan_dev_group_level_1': 0, 'source_ip': 'ccc.ccc.ccc.ccc', 'host_virtfw_id': 'vsys1', 'application_name': 'ssl', 'destination_ip': 'aaa.aaa.aaa.aaa', 'pan_ppid': 4294967295, 'gl2_source_node': '95ba5102-13c9-4520-ac75-c8736f206953', 'alert_indicator': '<query here>/', 'host_hostname': 'PA-220', 'source_location_name': '192.168.0.0-192.168.255.255', 'gl2_accounted_message_size': 2027, 'alert_signature_id': '(9999)', 'rule_name': 'FromTrust', 'source_zone': 'Trust-L3', 'streams': ['000000000000000000000001'], 'gl2_message_id': 'ABCD', 'network_protocol': 'tcp', 'network_tunnel_type': 'N/A', 'alert_definitions_version': 'AppThreat-0-0', 'destination_nat_ip': 'aaa.aaa.aaa.aaa', 'pan_log_action': 'default', 'pan_http2': '0', 'source_nat_ip': 'ddd.ddd.ddd.ddd', '_id': '1acb0470-0923-11eb-a959-000c29d42d8e', 'destination_nat_port': 443, 'http_url_category': 'news,low-risk', 'policy_uid': '4093544d-2f66-4d80-af2d-17f361609984', 'destination_port': 443, 'pan_log_panorama': '0xa000000000000000', 'pan_tunnel_id': '0', 'pan_alert_direction': 'client-to-server', 'vendor_alert_severity': 'informational', 'event_uid': '7665473', 'destination_location_name': 'United States', 'source_port': 61322, 'event_log_name': 'THREAT', 'event_repeat_count': 1, 'timestamp': '2020-10-08T04:59:55.169Z', 'event_source_product': 'PAN', 'source_nat_port': 29959, 'destination_zone': 'Untrust-L3', 'session_id': 24085, 'message': '1,2020/10/08 07:59:53,ABCDEFGHIJK,THREAT,url,2560,2020/10/08 07:59:53,ccc.ccc.ccc.ccc,aaa.aaa.aaa.aaa,ddd.ddd.ddd.ddd,aaa.aaa.aaa.aaa,FromTrust,,,ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/3,ethernet1/4,default,2020/10/08 07:59:53,24085,1,61322,443,29959,443,0x816400,tcp,alert,"<query here>/",(9999),news,informational,client-to-server,7665473,0xa000000000000000,192.168.0.0-192.168.255.255,United States,0,,0,,,0,,,,,,,,0,0,0,0,0,,PA-220,,,,,0,,0,,N/A,unknown,AppThreat-0-0,0x0,0,4294967295,,"news,low-risk",4093544d-2f66-4d80-af2d-17f361609984,0,,0.0.0.0,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2020-10-08T07:59:54.289+03:00,,,', 'alert_category': 'news', 'pan_parent_session_id': '0', 'host_id': 'ABCDEFGHIJK', 'network_interface_in': 'ethernet1/3', 'pan_wildfire_report_id': 0, 'pan_pcap_id': '0', 'pan_flags': '0x816400', 'pan_assoc_id': 0, 'pan_monitor_tag': 0}, 'index': 'graylog_0', 'decoration_stats': None}
query: <query here>
time: 2
to: 2020-10-08T15:34:49.000Z
total_results: 2
used_indices: {'index_name': 'graylog_0', 'begin': '1970-01-01T00:00:00.000Z', 'end': '1970-01-01T00:00:00.000Z', 'calculated_at': '2020-09-30T07:24:40.163Z', 'took_ms': 0}