# PANOSQueryLogs

This script is part of the PAN-OS by Palo Alto Networks Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.1.0 and later.

A polling wrapper script that searches Palo Alto Networks firewall logs across eight log types (threat, traffic, WildFire, URL, data, correlation, system, and decryption). It offers flexible filtering by IP address, time range, network zone, rule, port, URL, file hash, and custom query string, with a configurable result limit of up to 5,000 logs. This lets security teams investigate network activity, analyze traffic patterns, and perform forensic analysis across their Panorama and firewall infrastructure through automated log retrieval. The script depends on the Panorama integration and can be executed against either a firewall device or a Panorama device, depending on the configured integration instance.

## Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Tags | Utilities |
| Cortex XSOAR Version | 6.1.0 |

## Inputs

| Argument Name | Description |
| --- | --- |
| log-type | The log type. Options: threat, traffic, wildfire, url, data, corr, system, decryption. |
| query | The query string by which to match criteria for the logs. This is similar to the query provided in the web interface under the Monitor tab when viewing the logs. Do not use the query argument in combination with the following arguments: time-generated, time-generated-after, addr-src, addr-dst, zone-src, zone-dst, action, port-dst, rule, url, filedigest. |
| time-generated | Returns logs generated at or before the given timestamp. For example, "2019/08/11 01:10:44" returns logs generated before the specified date. |
| time-generated-after | Returns logs generated at or after the given timestamp. For example, "2019/08/11 01:10:44" returns logs generated after the specified date. |
| addr-src | The source address. |
| addr-dst | The destination address. |
| ip | The source or destination IP address. |
| zone-src | The source zone. |
| zone-dst | The destination zone. |
| action | The rule action. |
| port-dst | The destination port. |
| rule | The rule name, for example "Allow all outbound". |
| url | The URL, for example "safebrowsing.googleapis.com". |
| filedigest | The file hash (for WildFire logs only). |
| number_of_logs | The maximum number of logs to retrieve. If empty, the default is 100. The maximum is 5,000. Default: 100. |
| show-detail | Whether to show only after-change-preview and before-change-preview, or to get the full data for them. The full data are under the fields after-change-detail and before-change-detail. Default: no. |
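The two constraints in the table that are easiest to get wrong in an automation are the rule that `query` must not be combined with the listed filter arguments and the 5,000-log ceiling. The following is an added example, not the script's own code, showing how a playbook task or wrapper automation can check an argument set against those rules before handing it to PANOSQueryLogs. The filter-to-query translation in `build_query` uses the PAN-OS Monitor tab filter syntax the `query` argument refers to (for example `(addr.src in 10.0.0.5)`); the exact translation the script performs internally is not shown on this page, so that mapping is an assumption.

```python
"""Added example: validating and assembling PANOSQueryLogs arguments.

Illustrative code, not the script's implementation. The clause mapping in
CLAUSES is an assumption modelled on the Monitor-tab filter syntax.
"""
from typing import Dict, List

LOG_TYPES = {"threat", "traffic", "wildfire", "url", "data", "corr", "system", "decryption"}
DEFAULT_LOGS = 100
MAX_LOGS = 5000

# Arguments the Inputs table says must not be combined with `query`.
EXCLUSIVE_WITH_QUERY = (
    "time-generated", "time-generated-after", "addr-src", "addr-dst",
    "zone-src", "zone-dst", "action", "port-dst", "rule", "url", "filedigest",
)

# Monitor-tab style clause emitted for each filter argument (assumed mapping).
CLAUSES = {
    "time-generated": "(time_generated leq '{}')",
    "time-generated-after": "(time_generated geq '{}')",
    "addr-src": "(addr.src in {})",
    "addr-dst": "(addr.dst in {})",
    "ip": "((addr.src in {0}) or (addr.dst in {0}))",
    "zone-src": "(zone.src eq '{}')",
    "zone-dst": "(zone.dst eq '{}')",
    "action": "(action eq {})",
    "port-dst": "(port.dst eq {})",
    "rule": "(rule eq '{}')",
    "url": "(url contains '{}')",
    "filedigest": "(filedigest eq {})",
}


def check_args(args: Dict[str, str]) -> str:
    """Return '' when the arguments respect the Inputs table, otherwise a message."""
    if args.get("log-type") not in LOG_TYPES:
        return "log-type must be one of: " + ", ".join(sorted(LOG_TYPES))
    if "query" in args:
        clash = [name for name in EXCLUSIVE_WITH_QUERY if name in args]
        if clash:
            return "query cannot be combined with: " + ", ".join(clash)
    raw = args.get("number_of_logs")
    if raw not in (None, ""):
        if not str(raw).isdigit() or not 1 <= int(raw) <= MAX_LOGS:
            return f"number_of_logs must be an integer from 1 to {MAX_LOGS}"
    # Reject quote and parenthesis characters so a value cannot reshape the filter.
    for name in CLAUSES:
        value = args.get(name, "")
        if any(ch in value for ch in "'()"):
            return f"{name} contains characters that would alter the filter: {value!r}"
    return ""


def prepare_args(args: Dict[str, str]) -> Dict[str, str]:
    """Normalise the argument set (default number_of_logs) or raise ValueError."""
    problem = check_args(args)
    if problem:
        raise ValueError(problem)
    prepared = dict(args)
    raw = args.get("number_of_logs")
    prepared["number_of_logs"] = str(DEFAULT_LOGS if raw in (None, "") else int(raw))
    return prepared


def build_query(args: Dict[str, str]) -> str:
    """Combine the filter arguments into one Monitor-tab style filter string.

    A supplied `query` is passed through untouched, matching the table's rule
    that it replaces the individual filter arguments.
    """
    if "query" in args:
        return args["query"]
    parts: List[str] = [
        CLAUSES[name].format(value) for name, value in args.items() if name in CLAUSES
    ]
    return " and ".join(parts)


if __name__ == "__main__":
    sample = {"log-type": "traffic", "addr-src": "10.0.0.5", "port-dst": "443"}
    print(prepare_args(sample))
    print(build_query(sample))
```

Calling `check_args` before the script runs turns the silent "query plus filters" mistake into an explicit task error, and the character check keeps a value copied from an indicator field from changing the meaning of the filter.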

## Outputs

| Context Path | Type | Description |
| --- | --- | --- |
| Panorama.Monitor.JobID | String | The job ID of the logs query. |
| Panorama.Monitor.Status | String | The status of the logs query. |
| Panorama.Monitor.Message | String | The message of the logs query. |
| Panorama.Monitor.Logs.Action | String | The action taken for the session. Can be "alert", "allow", "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", or "block-url". |
| Panorama.Monitor.Logs.Application | String | The application associated with the session. |
| Panorama.Monitor.Logs.Category | String | The URL category of the URL subtype. For the WildFire subtype, it is the verdict on the file, and can be either "malicious", "phishing", "grayware", or "benign". For other subtypes, the value is "any". |
| Panorama.Monitor.Logs.DeviceName | String | The hostname of the firewall on which the session was logged. |
| Panorama.Monitor.Logs.DestinationAddress | String | The original session destination IP address. |
| Panorama.Monitor.Logs.DestinationUser | String | The username of the user to which the session was destined. |
| Panorama.Monitor.Logs.DestinationCountry | String | The destination country or internal region for private addresses. Maximum length is 32 bytes. |
| Panorama.Monitor.Logs.DestinationPort | String | The destination port utilized by the session. |
| Panorama.Monitor.Logs.FileDigest | String | Only for the WildFire subtype; all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service. |
| Panorama.Monitor.Logs.FileName | String | File name or file type when the subtype is file. File name when the subtype is virus. File name when the subtype is wildfire-virus. File name when the subtype is wildfire. |
| Panorama.Monitor.Logs.FileType | String | Only for the WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis. |
| Panorama.Monitor.Logs.FromZone | String | The zone from which the session was sourced. |
| Panorama.Monitor.Logs.URLOrFilename | String | The actual URL when the subtype is url. The file name or file type when the subtype is file. The file name when the subtype is virus. The file name when the subtype is wildfire-virus. The file name when the subtype is wildfire. The URL or file name when the subtype is vulnerability (if applicable). |
| Panorama.Monitor.Logs.NATDestinationIP | String | The post-NAT destination IP address if destination NAT was performed. |
| Panorama.Monitor.Logs.NATDestinationPort | String | The post-NAT destination port. |
| Panorama.Monitor.Logs.NATSourceIP | String | The post-NAT source IP address if source NAT was performed. |
| Panorama.Monitor.Logs.NATSourcePort | String | The post-NAT source port. |
| Panorama.Monitor.Logs.PCAPid | String | The packet capture (pcap) ID is a 64 bit unsigned integral denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID |
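Once the query completes, the entries under `Panorama.Monitor.Logs` are what a follow-on playbook task consumes. The following is an added example, not part of the PAN-OS pack, of a triage pass over that list: it counts blocking actions per the `Action` values listed above, pulls out WildFire entries whose `Category` verdict is "malicious" or "phishing" keyed by `FileDigest`, and flags destinations that one firewall allowed while another blocked. The log entries are constructed to match the field names in the Outputs table; real output carries additional fields and real hashes.

```python
"""Added example: triaging Panorama.Monitor.Logs entries returned by PANOSQueryLogs.

Illustrative code, not the script's own. SAMPLE_LOGS is a constructed sample
that only uses field names from the Outputs table.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Action values from the Outputs table that mean the firewall stopped the session.
BLOCKING_ACTIONS = {
    "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", "block-url",
}
# Category values that are WildFire verdicts worth escalating.
WILDFIRE_BAD_VERDICTS = {"malicious", "phishing"}

PLACEHOLDER_DIGEST = "1" * 64  # constructed placeholder, not a real file hash

SAMPLE_LOGS: List[Dict[str, str]] = [  # constructed sample entries
    {"Action": "allow", "Application": "web-browsing", "Category": "any", "DeviceName": "fw-edge-01",
     "DestinationAddress": "203.0.113.10", "DestinationPort": "443", "FromZone": "trust"},
    {"Action": "deny", "Application": "ssh", "Category": "any", "DeviceName": "fw-edge-01",
     "DestinationAddress": "203.0.113.22", "DestinationPort": "22", "FromZone": "untrust"},
    {"Action": "block-url", "Application": "web-browsing", "Category": "malware", "DeviceName": "fw-edge-02",
     "DestinationAddress": "198.51.100.7", "URLOrFilename": "example.invalid/payload", "FromZone": "trust"},
    {"Action": "alert", "Application": "smtp", "Category": "malicious", "DeviceName": "fw-edge-02",
     "DestinationAddress": "198.51.100.9", "FileDigest": PLACEHOLDER_DIGEST,
     "FileName": "invoice.pdf", "FileType": "pdf"},
    {"Action": "allow", "Application": "smtp", "Category": "benign", "DeviceName": "fw-edge-02",
     "DestinationAddress": "203.0.113.22", "FileDigest": "2" * 64, "FileName": "report.docx"},
]


def summarise(logs: List[Dict[str, str]]) -> Dict[str, object]:
    """Count entries overall, per Action, per firewall, and how many were blocked."""
    actions = Counter(entry.get("Action", "") for entry in logs)
    blocked = sum(count for action, count in actions.items() if action in BLOCKING_ACTIONS)
    per_device = Counter(entry.get("DeviceName", "") for entry in logs)
    return {
        "total": len(logs),
        "blocked": blocked,
        "actions": dict(actions),
        "per_device": dict(per_device),
    }


def wildfire_hits(logs: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """WildFire entries with a malicious/phishing verdict, keyed by FileDigest.

    FileDigest is only populated for the WildFire subtype, so its presence is
    used to recognise those entries; the digest is the pivot for further lookups.
    """
    hits: Dict[str, Dict[str, str]] = {}
    for entry in logs:
        digest = entry.get("FileDigest")
        if digest and entry.get("Category") in WILDFIRE_BAD_VERDICTS:
            hits[digest] = {
                "file": entry.get("FileName", ""),
                "device": entry.get("DeviceName", ""),
                "action": entry.get("Action", ""),
            }
    return hits


def mixed_verdict_destinations(logs: List[Dict[str, str]]) -> Set[str]:
    """Destinations that were allowed in one session and blocked in another.

    Inconsistent outcomes for the same destination usually mean a rule or
    zone difference between firewalls that deserves a review.
    """
    outcomes: Dict[str, Set[str]] = defaultdict(set)
    for entry in logs:
        dest = entry.get("DestinationAddress")
        if not dest:
            continue
        action = entry.get("Action", "")
        outcomes[dest].add("blocked" if action in BLOCKING_ACTIONS else action)
    return {dest for dest, seen in outcomes.items() if "allow" in seen and "blocked" in seen}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOGS))
    print(wildfire_hits(SAMPLE_LOGS))
    print(mixed_verdict_destinations(SAMPLE_LOGS))
```

In a playbook the same three functions would run over the context list rather than `SAMPLE_LOGS`; the `wildfire_hits` digests are the natural input for an enrichment task, and a non-empty `mixed_verdict_destinations` result is the kind of finding that justifies opening a rule-review ticket.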