
PANOSQueryLogs

This script is part of the PAN-OS by Palo Alto Networks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.1.0 and later.

A polling wrapper script that searches Palo Alto Networks firewall logs across eight log types (threat, traffic, wildfire, URL, data, correlation, system, and decryption). It supports filtering by IP address, time range, network zone, rule, port, URL, file hash, and custom query string, with a configurable result limit of up to 5,000 logs, so security teams can investigate network activity, analyze traffic patterns, and perform forensic analysis across their Panorama and firewall infrastructure through automated log retrieval. The script depends on the Panorama integration and runs against either a firewall or a Panorama device, depending on the configured integration instance.

Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Tags | Utilities |
| Cortex XSOAR Version | 6.1.0 |

Inputs

| Argument Name | Description |
| --- | --- |
| log_type | The log type. Options: threat, traffic, wildfire, url, data, corr, system, decryption. |
| url_category | Filters logs by a specific URL category. Optional values are: Malware, Phishing, Command and Control, Dynamic DNS, Encrypted DNS, Parked, Unknown, Newly Registered Domains, Grayware, Hacking, Proxy Avoidance And Anonymizers, Ransomware, Scanning Activity, Artificial Intelligence, High Risk, Compromised Website. This argument cannot be used in combination with the following arguments: time_generated, time_generated_after, addr_src, addr_dst, zone_src, zone_dst, action, port_dst, rule, url, filedigest. It can only be used with log_type set to "url"; for all other log_type values it is ignored. |
| time_generated | Returns logs generated at or before the given timestamp. For example, "2019/08/11 01:10:44" returns logs generated before that date and time. |
| time_generated_after | Returns logs generated at or after the given timestamp. For example, "2019/08/11 01:10:44" returns logs generated after that date and time. |
| addr_src | The source address. |
| addr_dst | The destination address. |
| ip | The source or destination IP address. |
| zone_src | The source zone. |
| zone_dst | The destination zone. |
| action | The rule action. |
| port_dst | The destination port. |
| rule | The rule name, for example "Allow all outbound". |
| url | The URL, for example "safebrowsing.googleapis.com". |
| filedigest | The file hash (for WildFire logs only). |
| number_of_logs | The maximum number of logs to retrieve. If empty, the default is 100. The maximum is 5,000. |
| show_detail | Whether to show only the `after-change-preview` and `before-change-preview` fields, or to retrieve the full data for them. The full data are returned in the `after-change-detail` and `before-change-detail` fields. |
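The argument rules above (url_category is exclusive with most other filters and only meaningful for url logs, time_generated selects at or before and time_generated_after at or after, number_of_logs defaults to 100 and caps at 5,000) are easy to get wrong when a playbook assembles the arguments dynamically. The following is an added example, not code from the PAN-OS pack or the PANOSQueryLogs script itself: it validates an argument set the way the table describes and assembles a PAN-OS Monitor filter string from it. The filter fields and operators it emits (`addr.src in`, `addr in`, `zone.src eq`, `time_generated leq`/`geq`, `rule eq`, `url contains`, `filedigest eq`, `category eq`) follow PAN-OS Monitor filter syntax and are an assumption about what the script sends to the integration; the lower-case, hyphenated form of the URL category value is also an assumption. Quoted values have embedded single quotes stripped, and unquoted values are rejected if they carry filter metacharacters, so a caller-supplied string cannot splice extra clauses into the filter.

```python
"""Validate PANOSQueryLogs-style arguments and build a PAN-OS Monitor filter.

Added example; not code from the PAN-OS pack. Field names, operators and the
URL category normalisation are assumptions about the emitted filter.
"""
from typing import Dict, List, Optional

LOG_TYPES = {"threat", "traffic", "wildfire", "url", "data", "corr", "system", "decryption"}
DEFAULT_LIMIT = 100
MAX_LIMIT = 5000

# Arguments the documentation lists as incompatible with url_category.
URL_CATEGORY_CONFLICTS = (
    "time_generated", "time_generated_after", "addr_src", "addr_dst", "zone_src",
    "zone_dst", "action", "port_dst", "rule", "url", "filedigest",
)

# (argument, filter field, operator, quote the value?) in the order terms are emitted.
# Operators are assumed PAN-OS Monitor filter syntax.
FIELD_MAP = [
    ("time_generated",       "time_generated", "leq",      True),   # at or before
    ("time_generated_after", "time_generated", "geq",      True),   # at or after
    ("addr_src",             "addr.src",       "in",       False),
    ("addr_dst",             "addr.dst",       "in",       False),
    ("ip",                   "addr",           "in",       False),  # source or destination
    ("zone_src",             "zone.src",       "eq",       True),   # zone names may contain spaces
    ("zone_dst",             "zone.dst",       "eq",       True),
    ("action",               "action",         "eq",       False),
    ("port_dst",             "port.dst",       "eq",       False),
    ("rule",                 "rule",           "eq",       True),
    ("url",                  "url",            "contains", True),
    ("filedigest",           "filedigest",     "eq",       False),
]
UNQUOTED_FORBIDDEN = "()' \t"


def _quote(value: str) -> str:
    """Single-quote a value, dropping embedded quotes so the literal cannot be closed early."""
    return "'" + value.replace("'", "") + "'"


def resolve_limit(number_of_logs: Optional[str]) -> int:
    """Apply the documented default (100) and ceiling (5,000) for number_of_logs."""
    if not number_of_logs:
        return DEFAULT_LIMIT
    n = int(number_of_logs)
    if not 1 <= n <= MAX_LIMIT:
        raise ValueError(f"number_of_logs must be between 1 and {MAX_LIMIT}, got {n}")
    return n


def validate_args(args: Dict[str, str]) -> List[str]:
    """Return the list of problems with an argument set; an empty list means valid."""
    problems: List[str] = []
    log_type = args.get("log_type", "")
    if log_type not in LOG_TYPES:
        problems.append(f"unsupported log_type {log_type!r}")
    # url_category is only honoured for url logs; elsewhere it is ignored, not an error.
    if args.get("url_category") and log_type == "url":
        clash = [a for a in URL_CATEGORY_CONFLICTS if args.get(a)]
        if clash:
            problems.append("url_category cannot be combined with: " + ", ".join(clash))
    for arg, _field, _op, quoted in FIELD_MAP:
        value = args.get(arg)
        if value and not quoted and any(ch in value for ch in UNQUOTED_FORBIDDEN):
            problems.append(f"illegal characters in {arg}={value!r}")
    try:
        resolve_limit(args.get("number_of_logs"))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def build_query(args: Dict[str, str]) -> str:
    """Build the filter string, or raise ValueError listing every problem found."""
    problems = validate_args(args)
    if problems:
        raise ValueError("; ".join(problems))
    terms: List[str] = []
    if args.get("url_category") and args["log_type"] == "url":
        # Assumed normalisation: "Command and Control" -> command-and-control.
        category = args["url_category"].strip().lower().replace(" ", "-")
        terms.append(f"(category eq {category})")
    for arg, field, op, quoted in FIELD_MAP:
        value = args.get(arg)
        if value:
            terms.append(f"({field} {op} {_quote(value) if quoted else value})")
    return " and ".join(terms)


if __name__ == "__main__":
    demo = {"log_type": "traffic", "addr_src": "10.0.0.5", "port_dst": "443",
            "time_generated_after": "2019/08/11 01:10:44"}
    print(build_query(demo), "limit:", resolve_limit(demo.get("number_of_logs")))
```

Running `validate_args` before `build_query` lets a playbook surface every argument problem at once instead of failing on the first one at query time.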

Outputs

| Path | Description | Type |
| --- | --- | --- |
| Panorama.Monitor.JobID | The job ID of the logs query. | String |
| Panorama.Monitor.Status | The status of the logs query. | String |
| Panorama.Monitor.Message | The message of the logs query. | String |
| Panorama.Monitor.Logs.Action | The action taken for the session. Can be "alert", "allow", "deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", or "block-url". | String |
| Panorama.Monitor.Logs.Application | The application associated with the session. | String |
| Panorama.Monitor.Logs.Category | The URL category for the url subtype. For the WildFire subtype, it is the verdict on the file and can be "malicious", "phishing", "grayware", or "benign". For other subtypes, the value is "any". | String |
| Panorama.Monitor.Logs.DeviceName | The hostname of the firewall on which the session was logged. | String |
| Panorama.Monitor.Logs.DestinationAddress | The original session destination IP address. | String |
| Panorama.Monitor.Logs.DestinationUser | The username of the user to which the session was destined. | String |
| Panorama.Monitor.Logs.DestinationCountry | The destination country, or internal region for private addresses. Maximum length is 32 bytes. | String |
| Panorama.Monitor.Logs.DestinationPort | The destination port used by the session. | String |
| Panorama.Monitor.Logs.FileDigest | Only for the WildFire subtype; all other types do not use this field. The filedigest string is the binary hash of the file sent to be analyzed by the WildFire service. | String |
| Panorama.Monitor.Logs.FileName | File name or file type when the subtype is file; file name when the subtype is virus, wildfire-virus, or wildfire. | String |
| Panorama.Monitor.Logs.FileType | Only for the WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis. | String |
| Panorama.Monitor.Logs.FromZone | The zone from which the session was sourced. | String |
| Panorama.Monitor.Logs.URLOrFilename | The actual URL when the subtype is url; the file name or file type when the subtype is file; the file name when the subtype is virus, wildfire-virus, or wildfire; the URL or file name when the subtype is vulnerability (if applicable). | String |
| Panorama.Monitor.Logs.NATDestinationIP | The post-NAT destination IP address if destination NAT was performed. | String |
| Panorama.Monitor.Logs.NATDestinationPort | The post-NAT destination port. | String |
| Panorama.Monitor.Logs.NATSourceIP | The post-NAT source IP address if source NAT was performed. | String |
| Panorama.Monitor.Logs.NATSourcePort | The post-NAT source port. | String |
| Panorama.Monitor.Logs.PCAPid | The packet capture (pcap) ID, a 64-bit unsigned integer that correlates threat pcap files with extended pcaps taken as part of that flow. Every threat log carries either a pcap_id of 0 (no associated pcap) or an ID referencing the extended pcap file. | String |
| Panorama.Monitor.Logs.IPProtocol | The IP protocol associated with the session. | String |
| Panorama.Monitor.Logs.Recipient | Only for the WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. | String |
| Panorama.Monitor.Logs.Rule | The name of the rule that the session matched. | String |
| Panorama.Monitor.Logs.RuleID | The ID of the rule that the session matched. | String |
| Panorama.Monitor.Logs.ReceiveTime | The time the log was received at the management plane. | String |
| Panorama.Monitor.Logs.Sender | Only for the WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. | String |
| Panorama.Monitor.Logs.SessionID | An internal numerical identifier applied to each session. | String |
| Panorama.Monitor.Logs.DeviceSN | The serial number of the firewall on which the session was logged. | String |
| Panorama.Monitor.Logs.Severity | The severity associated with the threat. Can be "informational", "low", "medium", "high", or "critical". | String |
| Panorama.Monitor.Logs.SourceAddress | The original session source IP address. | String |
| Panorama.Monitor.Logs.SourceCountry | The source country, or internal region for private addresses. Maximum length is 32 bytes. | String |
| Panorama.Monitor.Logs.SourceUser | The username of the user who initiated the session. | String |
| Panorama.Monitor.Logs.SourcePort | The source port used by the session. | String |
| Panorama.Monitor.Logs.ThreatCategory | The threat category used to classify different types of threat signatures. | String |
| Panorama.Monitor.Logs.Name | The Palo Alto Networks identifier for the threat: a description string followed by a 64-bit numerical identifier. | String |
| Panorama.Monitor.Logs.ID | The Palo Alto Networks ID for the threat. | String |
| Panorama.Monitor.Logs.ToZone | The zone to which the session was destined. | String |
| Panorama.Monitor.Logs.TimeGenerated | The time the log was generated on the data plane. | String |
| Panorama.Monitor.Logs.URLCategoryList | A list of the URL filtering categories the firewall used to enforce the policy. | String |
| Panorama.Monitor.Logs.Bytes | The total number of bytes (sent and received) for the session. | String |
| Panorama.Monitor.Logs.BytesReceived | The number of bytes received (server to client) for the session. | String |
| Panorama.Monitor.Logs.BytesSent | The number of bytes sent (client to server) for the session. | String |
| Panorama.Monitor.Logs.Vsys | The VSYS on the firewall that generated the log. | String |
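Every value in the output table is typed as String, including PCAPid, ports, and session IDs, which matters as soon as a playbook compares them. The following added example, not code from the PAN-OS pack, takes a list of `Panorama.Monitor.Logs` entries as plain dicts keyed by the output names above and derives three things an analyst usually wants next: threat logs that have an extended pcap to fetch (PCAPid other than "0"), ordered by severity; high-severity threats whose Action was not a blocking one; and the WildFire file hashes carrying a malicious or phishing verdict. The sample entries, signature names and hashes are constructed for the example and are not real firewall data.

```python
"""Triage Panorama.Monitor.Logs entries returned by PANOSQueryLogs.

Added example; not code from the PAN-OS pack. All field values are strings,
as the script's output table states, so comparisons are string comparisons.
"""
from collections import Counter
from typing import Dict, List, Tuple

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Actions from the Action output that actually stop the session or the URL.
BLOCKING_ACTIONS = {"deny", "drop", "drop-all-packets", "reset-client",
                    "reset-server", "reset-both", "block-url"}
MALICIOUS_VERDICTS = {"malicious", "phishing"}

# Constructed sample entries (fictional names, hashes and addresses).
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"Name": "Example SMB Remote Code Execution(10001)", "Severity": "critical",
     "Action": "reset-both", "PCAPid": "1234567890123", "SessionID": "40111",
     "SourceAddress": "10.1.1.23", "DestinationAddress": "10.2.0.5",
     "DestinationPort": "445", "Category": "any"},
    {"Name": "Example Web Shell Upload(10002)", "Severity": "high",
     "Action": "alert", "PCAPid": "98765", "SessionID": "40112",
     "SourceAddress": "198.51.100.7", "DestinationAddress": "10.2.0.8",
     "DestinationPort": "443", "Category": "any"},
    {"Name": "Example Suspicious DNS Query(10003)", "Severity": "medium",
     "Action": "alert", "PCAPid": "0", "SessionID": "40113",
     "SourceAddress": "10.1.1.40", "DestinationAddress": "10.0.0.53",
     "DestinationPort": "53", "Category": "any"},
    {"Name": "invoice.exe", "Action": "alert", "PCAPid": "0", "SessionID": "40114",
     "Category": "malicious", "FileType": "PE", "FileName": "invoice.exe",
     "FileDigest": "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9"},
    {"Name": "report.pdf", "Action": "allow", "PCAPid": "0", "SessionID": "40115",
     "Category": "benign", "FileType": "pdf", "FileName": "report.pdf",
     "FileDigest": "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"},
    {"Name": "login.html", "Action": "alert", "PCAPid": "0", "SessionID": "40116",
     "Category": "phishing", "FileType": "html", "FileName": "login.html",
     "FileDigest": "1111222233334444555566667777888899990000aaaabbbbccccddddeeeeffff"},
]


def threats_with_pcap(logs: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(Name, PCAPid, SessionID) for entries with an extended pcap, most severe first."""
    hits = [entry for entry in logs if entry.get("PCAPid", "0") != "0"]
    hits.sort(key=lambda e: SEVERITY_RANK.get(e.get("Severity", ""), -1), reverse=True)
    return [(e["Name"], e["PCAPid"], e["SessionID"]) for e in hits]


def unblocked_threats(logs: List[Dict[str, str]], min_severity: str = "high") -> List[str]:
    """Names of threats at or above min_severity whose Action did not block the session."""
    threshold = SEVERITY_RANK[min_severity]
    return [e["Name"] for e in logs
            if SEVERITY_RANK.get(e.get("Severity", ""), -1) >= threshold
            and e.get("Action") not in BLOCKING_ACTIONS]


def wildfire_iocs(logs: List[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated FileDigest values with a malicious or phishing verdict."""
    return sorted({e["FileDigest"] for e in logs
                   if e.get("FileDigest") and e.get("Category") in MALICIOUS_VERDICTS})


def action_counts(logs: List[Dict[str, str]]) -> Dict[str, int]:
    """How many entries carried each Action value."""
    return dict(Counter(e.get("Action", "") for e in logs))


if __name__ == "__main__":
    print("pcaps to fetch:", threats_with_pcap(SAMPLE_LOGS))
    print("unblocked high/critical:", unblocked_threats(SAMPLE_LOGS))
    print("wildfire IOCs:", wildfire_iocs(SAMPLE_LOGS))
    print("actions:", action_counts(SAMPLE_LOGS))
```

The WildFire entries carry no Severity field, so they rank below "informational" and never appear in `unblocked_threats`; the verdict in Category is the signal to use for them instead.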