diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 90bc3db243b..89ed8ca06e1 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -128,6 +128,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fixed typo in log message. {pull}17897[17897]
 - Unescape file name from SQS message. {pull}18370[18370]
 - Improve cisco asa and ftd pipelines' failure handler to avoid mapping temporary fields. {issue}18391[18391] {pull}18392[18392]
+- Fix PANW module wrong mappings for bytes and packets counters. {issue}18522[18522] {pull}18525[18525]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index 7998f04511a..2ef8dbad433 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -50,7 +50,9 @@ processors:
 destination.ip: 8
 destination.address: 8
 source.nat.ip: 9
+ client.nat.ip: 9
 destination.nat.ip: 10
+ server.nat.ip: 10
 panw.panos.ruleset: 11
 client.user.name: 12
 source.user.name: 12
@@ -58,33 +60,39 @@ processors:
 destination.user.name: 13
 network.application: 14
 panw.panos.source.zone: 16
+ observer.ingress.zone: 16
 panw.panos.destination.zone: 17
+ observer.egress.zone: 17
 panw.panos.source.interface: 18
+ observer.ingress.interface.name: 18
 panw.panos.destination.interface: 19
+ observer.egress.interface.name: 19
 panw.panos.flow_id: 22
 client.port: 24
 source.port: 24
 destination.port: 25
 server.port: 25
 source.nat.port: 26
+ client.nat.port: 26
 destination.nat.port: 27
+ server.nat.port: 27
 _temp_.labels: 28
 network.transport: 29
 event.outcome: 30
 network.bytes: 31
 client.bytes: 32
- destination.bytes: 32
+ source.bytes: 32
 server.bytes: 33
- source.bytes: 33
+ destination.bytes: 33
 network.packets: 34
 event.start: 35
 event.duration: 36
 panw.panos.url.category: 37
 panw.panos.sequence_number: 39
- server.packets: 44
- destination.packets: 44
- client.packets: 45
- source.packets: 45
+ client.packets: 44
+ source.packets: 44
+ server.packets: 45
+ destination.packets: 45
 observer.hostname: 52
 - extract_array:
@@ -103,7 +111,9 @@ processors:
 destination.ip: 8
 destination.address: 8
 source.nat.ip: 9
+ client.nat.ip: 9
 destination.nat.ip: 10
+ server.nat.ip: 10
 panw.panos.ruleset: 11
 client.user.name: 12
 source.user.name: 12
@@ -111,16 +121,22 @@ processors:
 destination.user.name: 13
 network.application: 14
 panw.panos.source.zone: 16
+ observer.ingress.zone: 16
 panw.panos.destination.zone: 17
+ observer.egress.zone: 17
 panw.panos.source.interface: 18
+ observer.ingress.interface.name: 18
 panw.panos.destination.interface: 19
+ observer.egress.interface.name: 19
 panw.panos.flow_id: 22
 client.port: 24
 source.port: 24
 destination.port: 25
 server.port: 25
 source.nat.port: 26
+ client.nat.port: 26
 destination.nat.port: 27
+ server.nat.port: 27
 _temp_.labels: 28
 network.transport: 29
 event.outcome: 30
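Review bot: The corrected counter mappings (`source.bytes: 32`, `destination.bytes: 33`, `client.packets: 44`, `server.packets: 45`) still carry no hint of why those positions are the right ones, which is how the previous swap got through review; a comment tying each index to its PAN-OS traffic-log column would make the next regression visible, e.g. `# 32 = bytes sent (client->server), 33 = bytes received; 44 = packets sent, 45 = packets received` placed above `network.bytes: 31`. The same short note would help the new `observer.ingress.*` (16/18, the source zone and source interface) and `observer.egress.*` (17/19) pairs, since the direction convention is not obvious from the numbers alone. Also, `observer.ingress.zone`/`observer.egress.zone` and `observer.*.interface.name` were, I believe, only added to ECS in 1.5; no fields.yml change is part of this diff, so if the module's template is on an older ECS version these fields will be dynamically mapped rather than declared — worth confirming. The `extract_array` processor this mapping belongs to begins before the hunk.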
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
index 135d90a04dc..28ba5294cd8 100644
--- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -75,6 +75,8 @@ processors:
 - convert: { type: long, ignore_missing: true, field: panw.panos.sequence_number }
 - convert: { type: long, ignore_missing: true, field: source.nat.port }
 - convert: { type: long, ignore_missing: true, field: destination.nat.port }
+ - convert: { type: long, ignore_missing: true, field: client.nat.port }
+ - convert: { type: long, ignore_missing: true, field: server.nat.port }
 # Remove PCAP ID when zero (no packet capture).
 - remove:
@@ -397,6 +399,22 @@ processors:
 - _temp_
 ignore_missing: true
+# Remove NAT fields when translation was not done.
+ - remove:
+ field:
+ - source.nat.ip
+ - source.nat.port
+ - client.nat.ip
+ - client.nat.port
+ if: 'ctx?.source?.nat?.ip == "0.0.0.0" && ctx?.source?.nat?.port == 0'
+ - remove:
+ field:
+ - destination.nat.ip
+ - destination.nat.port
+ - server.nat.ip
+ - server.nat.port
+ if: 'ctx?.destination?.nat?.ip == "0.0.0.0" && ctx?.destination?.nat?.port == 0'
+
 on_failure:
 - set:
 field: "error.message"
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
index e94019b5a55..75d66278fa5 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
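Review bot: The two new `remove` processors each list four fields without `ignore_missing: true`, so if any one of them is absent while the `if` condition holds the processor throws and the whole event is diverted to the `on_failure` handler below; today the four come from the same CSV positions and are set together, but the cleanup should not depend on that coupling, so add `ignore_missing: true` to both processors. The comparison `ctx?.source?.nat?.port == 0` also relies on the `convert` to `long` earlier in this pipeline having run; if that convert ever becomes conditional, the string `"0"` would no longer match and the `0.0.0.0` placeholders would be kept as if translation had happened, so a comment such as `# relies on *.nat.port having been converted to long above` next to the condition would protect the invariant. Dropping `source.nat.*`/`destination.nat.*` for untranslated sessions is also a visible schema change for anyone whose searches or detection rules test `source.nat.ip == "0.0.0.0"`, and the changelog entry only mentions the counter fix — worth stating there as well. The enclosing `processors` list begins and ends outside these hunks.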
@@ -3,13 +3,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59309, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -18,9 +18,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -43,6 +41,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -64,15 +66,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59309, "source.user.name": "crusher", "tags": [ diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index ecf18d56eb3..d218708be66 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json 
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -16,8 +16,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -37,6 +35,10 @@ "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -64,8 +66,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59309, "source.user.name": "crusher", "tags": [ @@ -90,8 +90,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -111,6 +109,10 @@ "network.community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -138,8 +140,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59313, "source.user.name": "crusher", "tags": [ @@ -164,8 +164,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -185,6 +183,10 @@ "network.community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -212,8 +214,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59314, "source.user.name": "crusher", "tags": [ @@ -238,8 +238,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -259,6 +257,10 @@ "network.community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -286,8 +288,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59315, "source.user.name": "crusher", "tags": [ @@ -312,8 +312,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -333,6 +331,10 @@ "network.community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -360,8 +362,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59316, "source.user.name": "crusher", "tags": [ @@ -386,8 +386,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -407,6 +405,10 @@ "network.community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -434,8 +436,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59317, "source.user.name": "crusher", "tags": [ @@ -460,8 +460,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -481,6 +479,10 @@ "network.community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -508,8 +510,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59302, "source.user.name": "crusher", "tags": [ @@ -534,8 +534,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -555,6 +553,10 @@ "network.community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -582,8 +584,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59301, "source.user.name": "crusher", "tags": [ @@ -608,8 +608,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -629,6 +627,10 @@ "network.community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -656,8 +658,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59303, "source.user.name": "crusher", "tags": [ @@ -682,8 +682,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -703,6 +701,10 @@ "network.community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -730,8 +732,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59304, "source.user.name": "crusher", "tags": [ @@ -756,8 +756,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -777,6 +775,10 @@ "network.community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -804,8 +806,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59297, "source.user.name": "crusher", "tags": [ @@ -830,8 +830,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -851,6 +849,10 @@ "network.community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -878,8 +880,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59299, "source.user.name": "crusher", "tags": [ @@ -904,8 +904,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -925,6 +923,10 @@ "network.community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -952,8 +954,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59298, "source.user.name": "crusher", "tags": [ @@ -978,8 +978,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -998,6 +996,10 @@ "network.community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1025,8 +1027,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59300, "source.user.name": "crusher", "tags": [ @@ -1051,8 +1051,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1072,6 +1070,10 @@ "network.community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1099,8 +1101,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59295, "source.user.name": "crusher", "tags": [ @@ -1125,8 +1125,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -1146,6 +1144,10 @@ "network.community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1173,8 +1175,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59291, "source.user.name": "crusher", "tags": [ @@ -1196,8 +1196,6 @@ "destination.geo.location.lon": 9.491, "destination.geo.name": "Germany", "destination.ip": "78.159.99.224", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1216,6 +1214,10 @@ "network.community_id": "1:v73LbTZDPLO+1dzNRixeZAmolJ0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1243,8 +1245,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59296, "source.user.name": "crusher", "tags": [ @@ -1269,8 +1269,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -1290,6 +1288,10 @@ "network.community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1317,8 +1319,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59280, "source.user.name": "crusher", "tags": [ @@ -1343,8 +1343,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1364,6 +1362,10 @@ "network.community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1391,8 +1393,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59281, "source.user.name": "crusher", "tags": [ 
@@ -1417,8 +1417,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1438,6 +1436,10 @@ "network.community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1465,8 +1467,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59282, "source.user.name": "crusher", "tags": [ @@ -1491,8 +1491,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1512,6 +1510,10 @@ "network.community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1539,8 +1541,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59290, "source.user.name": "crusher", "tags": [ @@ -1565,8 +1565,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1586,6 +1584,10 @@ "network.community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1613,8 +1615,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59286, "source.user.name": "crusher", "tags": [ @@ -1639,8 +1639,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -1660,6 +1658,10 @@ "network.community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1687,8 +1689,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59275, "source.user.name": "crusher", "tags": [ @@ -1713,8 +1713,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1734,6 +1732,10 @@ "network.community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1761,8 +1763,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59277, "source.user.name": "crusher", "tags": [ 
@@ -1787,8 +1787,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1808,6 +1806,10 @@ "network.community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1835,8 +1837,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59276, "source.user.name": "crusher", "tags": [ @@ -1861,8 +1861,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1882,6 +1880,10 @@ "network.community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1909,8 +1911,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59278, "source.user.name": "crusher", "tags": [ @@ -1935,8 +1935,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -1956,6 +1954,10 @@ "network.community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1983,8 +1985,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59279, "source.user.name": "crusher", "tags": [ @@ -2009,8 +2009,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -2030,6 +2028,10 @@ "network.community_id": "1:6AuZBrHKsUJjLNgm/mJ5QToaPo8=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2057,8 +2059,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59271, "source.user.name": "crusher", "tags": [ @@ -2083,8 +2083,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2104,6 +2102,10 @@ "network.community_id": "1:NwAT+gtzMjRwKS71Tn+YaKwyOvI=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2131,8 +2133,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59269, "source.user.name": "crusher", "tags": [ 
@@ -2157,8 +2157,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2178,6 +2176,10 @@ "network.community_id": "1:mTTbk9h6Dgx6lH3l4aEHguufZVE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2205,8 +2207,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59270, "source.user.name": "crusher", "tags": [ @@ -2231,8 +2231,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2252,6 +2250,10 @@ "network.community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -2279,8 +2281,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59274, "source.user.name": "crusher", "tags": [ @@ -2305,8 +2305,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2326,6 +2324,10 @@ "network.community_id": "1:VLKKVfau50s2qjTDcucU+VKCAqY=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2353,8 +2355,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59273, "source.user.name": "crusher", "tags": [ @@ -2379,8 +2379,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -2400,6 +2398,10 @@ "network.community_id": "1:jAvA0C85T0GFKryKA312lLEtKIM=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2427,8 +2429,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59272, "source.user.name": "crusher", "tags": [ @@ -2450,8 +2450,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "69.43.161.167", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2470,6 +2468,10 @@ "network.community_id": "1:Jqiwb/u74kolY3Y1yGkp+oMAxT4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2497,8 +2499,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59261, "source.user.name": "crusher", "tags": [ 
@@ -2520,8 +2520,6 @@ "destination.geo.location.lon": 126.9741, "destination.geo.name": "Korea Republic Of", "destination.ip": "202.31.187.154", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2540,6 +2538,10 @@ "network.community_id": "1:q84mXt2kLt843wk0Y5vtvJwq+bc=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2567,8 +2569,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59248, "source.user.name": "crusher", "tags": [ @@ -2590,8 +2590,6 @@ "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", "destination.ip": "89.111.176.67", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2610,6 +2608,10 @@ "network.community_id": "1:1jDSU+BTdTOAQSrWGRbSjxehwNg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -2637,8 +2639,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59251, "source.user.name": "crusher", "tags": [ @@ -2663,8 +2663,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2683,6 +2681,10 @@ "network.community_id": "1:vGp9HpobYZmzzLGyDAG6oVAe4dg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2710,8 +2712,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59244, "source.user.name": "crusher", "tags": [ @@ -2733,8 +2733,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "208.73.210.29", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -2753,6 +2751,10 @@ "network.community_id": "1:8JiI5Ka3Oyz6yaLm3xObTqAo/Jw=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2780,8 +2782,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59237, "source.user.name": "crusher", "tags": [ @@ -2803,8 +2803,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "208.73.210.29", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2823,6 +2821,10 @@ "network.community_id": "1:lOdKYo+aMIHRMMJPawuXy8Bk2I0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2850,8 +2852,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59238, "source.user.name": "crusher", "tags": [ 
@@ -2876,8 +2876,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2896,6 +2894,10 @@ "network.community_id": "1:rDRkkTH2aHta89i52OraqG5WcDI=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2923,8 +2925,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59010, "source.user.name": "crusher", "tags": [ @@ -2946,8 +2946,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "208.73.210.29", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -2966,6 +2964,10 @@ "network.community_id": "1:00fHGTkjtblnJQ9P4Wiw9QuDEpI=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -2993,8 +2995,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58969, "source.user.name": "crusher", "tags": [ @@ -3016,8 +3016,6 @@ "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", "destination.ip": "89.108.64.156", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -3036,6 +3034,10 @@ "network.community_id": "1:sQ6YL9T0OZftMg71BK+1IHpXIRM=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3063,8 +3065,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58941, "source.user.name": "crusher", "tags": [ @@ -3086,8 +3086,6 @@ "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", "destination.ip": "89.108.64.156", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -3106,6 +3104,10 @@ "network.community_id": "1:a3rlKRtYt43mps+uHBznJUtG3Qg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3133,8 +3135,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58942, "source.user.name": "crusher", "tags": [ @@ -3149,8 +3149,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 58849, "destination.user.name": "crusher", "event.action": "spyware_detected", @@ -3170,6 +3168,10 @@ "network.community_id": "1:gfZAOGdC3xAoPZCFZCwHJJ7Iin4=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3207,8 +3209,6 @@ "source.geo.region_iso_code": "US-FL", "source.geo.region_name": "Florida", "source.ip": "204.232.231.46", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -3232,8 +3232,6 @@ "destination.geo.region_iso_code": "CA-ON", "destination.geo.region_name": "Ontario", "destination.ip": "216.8.179.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -3252,6 +3250,10 @@ "network.community_id": "1:VeoAydUSFUdh8ZddIqbsMY32sBU=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3279,8 +3281,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58856, "source.user.name": "crusher", "tags": [ @@ -3302,8 +3302,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "69.43.161.154", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -3322,6 +3320,10 @@ "network.community_id": "1:ZsFVG8FJVifp8WmzI9Zj/lo+dB4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3349,8 +3351,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58847, "source.user.name": "crusher", "tags": [ 
@@ -3372,8 +3372,6 @@ "destination.geo.location.lon": -64.5, "destination.geo.name": "Virgin Islands British", "destination.ip": "208.91.196.252", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -3392,6 +3390,10 @@ "network.community_id": "1:NAfQ33YdKJSvbcxpFK8HIhI39lk=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3419,8 +3421,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58841, "source.user.name": "crusher", "tags": [ @@ -3442,8 +3442,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "208.73.210.29", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -3462,6 +3460,10 @@ "network.community_id": "1:AMcTUl91PN0z8TJr2QwdEOP+Fmo=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -3489,8 +3491,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58795, "source.user.name": "crusher", "tags": [ @@ -3515,8 +3515,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -3535,6 +3533,10 @@ "network.community_id": "1:7Tdwe73AJMSdJL4hxpQDyl5Lwn4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3562,8 +3564,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58753, "source.user.name": "crusher", "tags": [ @@ -3588,8 +3588,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -3608,6 +3606,10 @@ "network.community_id": "1:q7ERSuCoAPSiI8xLXZCI+1M9B8I=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3635,8 +3637,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58708, "source.user.name": "crusher", "tags": [ @@ -3661,8 +3661,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -3681,6 +3679,10 @@ "network.community_id": "1:AsPpOgQhhKdBtPhY4zahdBuNcTc=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3708,8 +3710,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58707, "source.user.name": "crusher", "tags": [ 
@@ -3734,8 +3734,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -3754,6 +3752,10 @@ "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "1606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3781,8 +3783,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58603, "source.user.name": "crusher", "tags": [ @@ -3807,8 +3807,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -3827,6 +3825,10 @@ "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "1606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -3854,8 +3856,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58603, "source.user.name": "crusher", "tags": [ @@ -3870,8 +3870,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 54431, "destination.user.name": "crusher", "event.action": "file_match", @@ -3891,6 +3889,10 @@ "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "1606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3928,8 +3930,6 @@ "source.geo.region_iso_code": "US-CA", "source.geo.region_name": "California", "source.ip": "173.236.179.57", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -3953,8 +3953,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -3973,6 +3971,10 @@ "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "1606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -4000,8 +4002,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 58603, "source.user.name": "crusher", "tags": [ @@ -4016,8 +4016,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 61220, "destination.user.name": "crusher", "event.action": "file_match", @@ -4037,6 +4035,10 @@ "network.community_id": "1:dHpseryW+AZk/t5IUvlyhaLSGI0=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4074,8 +4076,6 @@ "source.geo.region_iso_code": "CA-QC", "source.geo.region_name": "Quebec", "source.ip": "91.209.163.202", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -4089,8 +4089,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 61726, "destination.user.name": "crusher", "event.action": "file_match", @@ -4110,6 +4108,10 @@ "network.community_id": "1:lIp7rPLlF21gCwZ63WafZ2HbNKA=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -4146,8 +4148,6 @@ "source.geo.region_iso_code": "CN-ZJ", "source.geo.region_name": "Zhejiang", "source.ip": "122.226.169.183", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -4171,8 +4171,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -4191,6 +4189,10 @@ "network.community_id": "1:n39Q6RPkLwPiDU/pfHT7uRZGkXY=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4218,8 +4220,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 63007, "source.user.name": "crusher", "tags": [ @@ -4234,8 +4234,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60212, "destination.user.name": "crusher", "event.action": "file_match", @@ -4255,6 +4253,10 @@ "network.community_id": "1:69YGwS9/vtp36Khj80nU/Q0TTfM=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -4289,8 +4291,6 @@ "source.geo.location.lon": 4.8995, "source.geo.name": "Netherlands", "source.ip": "109.201.131.15", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -4304,8 +4304,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60392, "destination.user.name": "crusher", "event.action": "file_match", @@ -4325,6 +4323,10 @@ "network.community_id": "1:MKMWzixtfYaSoShU7T3wN6MLk5g=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4362,8 +4364,6 @@ "source.geo.region_iso_code": "CA-QC", "source.geo.region_name": "Quebec", "source.ip": "91.209.163.202", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -4384,8 +4384,6 @@ "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", "destination.ip": "213.180.199.61", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -4404,6 +4402,10 @@ "network.community_id": "1:J4hfLZVy8UJEkW68RkW2hMu84Wk=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -4431,8 +4433,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59709, "source.user.name": "crusher", "tags": [ @@ -4454,8 +4454,6 @@ "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", "destination.ip": "213.180.199.61", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", @@ -4474,6 +4472,10 @@ "network.community_id": "1:1211QM61Juawz4PBXLQBL9Q2FNA=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4501,8 +4503,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59721, "source.user.name": "crusher", "tags": [ @@ -4524,8 +4524,6 @@ "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", "destination.ip": "213.180.199.61", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -4544,6 +4542,10 @@ "network.community_id": "1:MQfJlERz16LAn6Hn1YhCNKLOjjA=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4571,8 +4573,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59752, "source.user.name": "crusher", "tags": [ @@ -4587,8 +4587,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 54431, "destination.user.name": "crusher", "event.action": "file_match", @@ -4608,6 +4606,10 @@ "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4645,8 +4647,6 @@ "source.geo.region_iso_code": "US-CA", "source.geo.region_name": "California", "source.ip": "173.236.179.57", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -4670,8 +4670,6 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "url_filtering", "event.category": "security_threat", 
@@ -4690,6 +4688,10 @@ "network.community_id": "1:uO6RhHsqSUg1LHv5h+n+FE4cqrE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4717,8 +4719,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 63183, "source.user.name": "crusher", "tags": [ @@ -4743,8 +4743,6 @@ "destination.geo.region_iso_code": "HK-HCW", "destination.geo.region_name": "Central and Western District", "destination.ip": "207.46.140.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "data_match", "event.category": "security_threat", @@ -4763,6 +4761,10 @@ "network.community_id": "1:KC3xpBK9CdouZqamG9S6Mjl6LIo=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4790,8 +4792,6 @@ "source.address": "192.168.0.6", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.6", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 1047, "source.user.name": "jordy", "tags": [ 
@@ -4806,8 +4806,6 @@ "destination.address": "192.168.0.6", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 1039, "destination.user.name": "jordy", "event.action": "data_match", @@ -4827,6 +4825,10 @@ "network.community_id": "1:qtNTXnMjHLAldLWQ5/jdyuCV6Yk=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4864,8 +4866,6 @@ "source.geo.region_iso_code": "US-WA", "source.geo.region_name": "Washington", "source.ip": "65.54.161.34", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -4879,8 +4879,6 @@ "destination.address": "192.168.0.6", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 1064, "destination.user.name": "jordy", "event.action": "data_match", @@ -4900,6 +4898,10 @@ "network.community_id": "1:OSQCnxYE2CqKztyfnzJHya/llPw=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4937,8 +4939,6 @@ "source.geo.region_iso_code": "US-WA", "source.geo.region_name": "Washington", "source.ip": "65.55.5.231", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -4962,8 +4962,6 @@ "destination.geo.region_iso_code": "US-CA", "destination.geo.region_name": "California", "destination.ip": "65.54.71.11", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "data_match", "event.category": "security_threat", @@ -4982,6 +4980,10 @@ "network.community_id": "1:MeB0cefg5kMN7f+LW+cirwH2nA8=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5009,8 +5011,6 @@ "source.address": "192.168.0.6", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.6", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 1048, "source.user.name": "jordy", "tags": [ @@ -5025,8 +5025,6 @@ "destination.address": "192.168.0.6", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 1071, "destination.user.name": "jordy", "event.action": "data_match", @@ -5046,6 +5044,10 @@ "network.community_id": "1:iDmf9CnG+CdUuHWmwVsmhee3/Qs=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5080,8 +5082,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.239.17", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -5102,8 +5102,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "208.85.40.48", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "data_match", "event.category": "security_threat", @@ -5122,6 +5120,10 @@ "network.community_id": "1:c67I85z1uJV7VW6M9MR5Q8fjHQM=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5149,8 +5151,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 57502, "source.user.name": "picard", "tags": [ @@ -5165,8 +5165,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 57876, "destination.user.name": "picard", "event.action": "data_match", @@ -5186,6 +5184,10 @@ "network.community_id": "1:w5GKumufuJCv3Gw8bvP3vTxap24=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5220,8 +5222,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.198", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -5235,8 +5235,6 @@ "destination.address": "192.168.0.6", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 1082, "destination.user.name": "jordy", "event.action": "file_match", @@ -5256,6 +5254,10 @@ "network.community_id": "1:a7oyQr47OdJP8ZnG9SCELvH8aco=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5293,8 +5295,6 @@ "source.geo.region_iso_code": "ES-V", "source.geo.region_name": "Valencia", "source.ip": "188.190.124.75", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -5308,8 +5308,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 50986, "destination.user.name": "picard", "event.action": "data_match", @@ -5329,6 +5327,10 @@ "network.community_id": "1:yyAK8WOE46l0/k8dVOECI6qa2zQ=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5363,8 +5365,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -5378,8 +5378,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 51716, "destination.user.name": "picard", "event.action": "data_match", @@ -5399,6 +5397,10 @@ "network.community_id": "1:15fj8zz0nlNi/Fnz8ibhS9Ihqdg=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5433,8 +5435,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.239.3", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -5448,8 +5448,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 52119, "destination.user.name": "picard", "event.action": "data_match", @@ -5469,6 +5467,10 @@ "network.community_id": "1:fl9AVyrQeXPX/eoeKOy+6/UoR8M=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5503,8 +5505,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.239.3", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -5518,8 +5518,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 52411, "destination.user.name": "picard", "event.action": "data_match", @@ -5539,6 +5537,10 @@ "network.community_id": "1:cHzYL+SCc86AntedL6fbRx+2wzE=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5573,8 +5575,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -5595,8 +5595,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "74.125.239.6", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "data_match", "event.category": "security_threat", @@ -5615,6 +5613,10 @@ "network.community_id": "1:pRuFj5DzdmtFceU+OTawbYPhbJg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5642,8 +5644,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 52366, "source.user.name": "picard", "tags": [ 
@@ -5658,8 +5658,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 53026, "destination.user.name": "picard", "event.action": "data_match", @@ -5679,6 +5677,10 @@ "network.community_id": "1:e27i7C6aBac+TOOJNFkXsvos7v0=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5713,8 +5715,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.193", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -5728,8 +5728,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 53809, "destination.user.name": "picard", "event.action": "data_match", @@ -5749,6 +5747,10 @@ "network.community_id": "1:I0nRW7fXHKg0He8sWEMh90mqrd8=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5783,8 +5785,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.239.20", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -5798,8 +5798,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 55912, "destination.user.name": "picard", "event.action": "data_match", @@ -5819,6 +5817,10 @@ "network.community_id": "1:W08oA4XVHxagaCryNLen9OoTnPk=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5853,8 +5855,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "208.80.154.225", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -5868,8 +5868,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 55916, "destination.user.name": "picard", "event.action": "data_match", @@ -5889,6 +5887,10 @@ "network.community_id": "1:tvB7u/5+rW38IXXGXjbdYYdzJ5s=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5923,8 +5925,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "208.80.154.234", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -5938,8 +5938,6 @@ "destination.address": "192.168.0.6", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.6", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 1046, "destination.user.name": "jordy", "event.action": "data_match", @@ -5959,6 +5957,10 @@ "network.community_id": "1:LvKTW1EWi7nem/oAlX14Sg2W9kU=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5996,8 +5998,6 @@ "source.geo.region_iso_code": "US-CA", "source.geo.region_name": "California", "source.ip": "65.54.75.25", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -6011,8 +6011,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 61734, "destination.user.name": "jordy", "event.action": "data_match", @@ -6032,6 +6030,10 @@ "network.community_id": "1:Iur0h7DmmxbVfmJ8EKqn0v73b88=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6066,8 +6068,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.206", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -6081,8 +6081,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 62292, "destination.user.name": "jordy", "event.action": "data_match", @@ -6102,6 +6100,10 @@ "network.community_id": "1:n3f9RX9U3DOM57vpn8aB1QSo2Yw=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6136,8 +6138,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.195", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -6151,8 +6151,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 64669, "destination.user.name": "jordy", "event.action": "data_match", @@ -6172,6 +6170,10 @@ "network.community_id": "1:K6mY9EnrwYs1/a01d++OZ3kna2g=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6209,8 +6211,6 @@ "source.geo.region_iso_code": "US-KS", "source.geo.region_name": "Kansas", "source.ip": "207.178.96.34", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -6224,8 +6224,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 65265, "destination.user.name": "picard", "event.action": "data_match", @@ -6245,6 +6243,10 @@ "network.community_id": "1:u89cWOeFF4sWlYYJHVB+nr6g6Qg=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6279,8 +6281,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.195", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -6294,8 +6294,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 64979, "destination.user.name": "picard", "event.action": "data_match", @@ -6315,6 +6313,10 @@ "network.community_id": "1:QmMWJ0pdk04yRgDj9m6OAKnXpDY=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6349,8 +6351,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.239.20", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -6364,8 +6364,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 49432, "destination.user.name": "picard", "event.action": "data_match", @@ -6385,6 +6383,10 @@ "network.community_id": "1:d3Kvg96HWrCNAfAK3vx2Uqglkdo=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6422,8 +6424,6 @@ "source.geo.region_iso_code": "US-NY", "source.geo.region_name": "New York", "source.ip": "66.152.109.24", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -6437,8 +6437,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 49722, "destination.user.name": "picard", "event.action": "data_match", @@ -6458,6 +6456,10 @@ "network.community_id": "1:+c2DVc+anjtRZ3iRsjbG51UM+JA=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6492,8 +6494,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -6514,8 +6514,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "74.125.224.201", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "data_match", "event.category": "security_threat", @@ -6534,6 +6532,10 @@ "network.community_id": "1:5z6QdMj01RaYM1NdZtQSRQgE9gk=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6561,8 +6563,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 49681, "source.user.name": "picard", "tags": [ @@ -6577,8 +6577,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 50108, "destination.user.name": "picard", "event.action": "data_match", @@ -6598,6 +6596,10 @@ "network.community_id": "1:Ut9W+vlgpMAH7M4p87nZ/gF7zO8=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6632,8 +6634,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -6647,8 +6647,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 50387, "destination.user.name": "picard", "event.action": "data_match", @@ -6668,6 +6666,10 @@ "network.community_id": "1:MNjszUBgbVupAxKdr7W7OIvU2lo=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6702,8 +6704,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -6724,8 +6724,6 @@ "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", "destination.ip": "208.85.40.48", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 80, "event.action": "data_match", "event.category": "security_threat", @@ -6744,6 +6742,10 @@ "network.community_id": "1:PzMJQoALQDxnDaqwOEEz4zxyhHU=", "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6771,8 +6773,6 @@ "source.address": "192.168.0.2", "source.geo.name": "192.168.0.0-192.168.255.255", "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 59781, "source.user.name": "jordy", "tags": [ 
@@ -6787,8 +6787,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60005, "destination.user.name": "jordy", "event.action": "data_match", @@ -6808,6 +6806,10 @@ "network.community_id": "1:ThkQfWduH5PZoI7qa/R4rWqT2VM=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6842,8 +6844,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.201", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -6857,8 +6857,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60443, "destination.user.name": "jordy", "event.action": "data_match", @@ -6878,6 +6876,10 @@ "network.community_id": "1:Fd/TWc6RIS9q2bsgzztXrAAL4Ek=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6912,8 +6914,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.201", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -6927,8 +6927,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60822, "destination.user.name": "jordy", "event.action": "data_match", @@ -6948,6 +6946,10 @@ "network.community_id": "1:7gqxhjxtnxyQnsvGukcI+WZWzAY=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6982,8 +6984,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -6997,8 +6997,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 61105, "destination.user.name": "jordy", "event.action": "data_match", @@ -7018,6 +7016,10 @@ "network.community_id": "1:ZzHOd7AFzjbGqVCj9S3bTNHFX4Q=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7052,8 +7054,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
@@ -7067,8 +7067,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 60782, "destination.user.name": "jordy", "event.action": "data_match", @@ -7088,6 +7086,10 @@ "network.community_id": "1:uH37XIov0Sgv5kARW8dP9vrOs7w=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7122,8 +7124,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.198", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" @@ -7137,8 +7137,6 @@ "destination.address": "192.168.0.2", "destination.geo.name": "192.168.0.0-192.168.255.255", "destination.ip": "192.168.0.2", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.port": 61470, "destination.user.name": "jordy", "event.action": "data_match", @@ -7158,6 +7156,10 @@ "network.community_id": "1:9jnjFXERN6VFakI1U/qwzyqifzg=", "network.direction": "outbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7192,8 +7194,6 @@ "source.geo.location.lon": -97.822, "source.geo.name": "United States", "source.ip": "74.125.224.200", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.port": 80, "tags": [ "pan-os" 
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index 4565c577acd..97b6866d9af 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -3,13 +3,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59324, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -18,9 +18,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -43,6 +41,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
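Review bot: This fixture does not exercise the four new `client.nat.ip`/`server.nat.ip`/`client.nat.port`/`server.nat.port` mappings: every NAT value removed in these hunks is `0.0.0.0`/`0`, and no `client.nat.*` or `server.nat.*` key appears on the new side, so a wrong column index for those fields would pass this test unnoticed. The bytes/packets swap itself checks out against the visible totals (for the flow_terminated entries `client.packets` 6 plus `server.packets` 4 equals `network.packets` 10). Since the expected JSON is presumably regenerated from the pipeline, the coverage gap is fixed in the input sample rather than here: one traffic line with a non-zero translated address and port would pin all four fields; the threat-log fixture hunks above have the same gap.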
@@ -64,15 +66,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59324, "source.user.name": "crusher", "tags": [ @@ -83,21 +83,19 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 54448, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -120,6 +118,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -141,15 +143,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 54448, "source.user.name": "crusher", "tags": [ @@ -160,21 +160,19 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 53121, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -197,6 +195,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -218,15 +220,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 53121, "source.user.name": "crusher", "tags": [ @@ -237,13 +237,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59323, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -252,9 +252,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -277,6 +275,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -298,15 +300,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59323, "source.user.name": "crusher", "tags": [ @@ -317,13 +317,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59322, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -332,9 +332,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -357,6 +355,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -378,15 +380,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59322, "source.user.name": "crusher", "tags": [ @@ -397,21 +397,19 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 74, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 55766, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 74, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -434,6 +432,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -455,15 +457,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 74, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 55766, "source.user.name": "crusher", "tags": [ @@ -474,21 +474,19 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 74, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 55072, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 74, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -511,6 +509,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -532,15 +534,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 74, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 55072, "source.user.name": "crusher", "tags": [ @@ -551,13 +551,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59207, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -566,9 +566,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -591,6 +589,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -612,15 +614,13 @@ ], "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59207, "source.user.name": "crusher", "tags": [ @@ -631,13 +631,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59209, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -646,9 +646,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -671,6 +669,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -692,15 +694,13 @@ ], "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59209, "source.user.name": "crusher", "tags": [ @@ -711,13 +711,13 @@ "@timestamp": "2012-04-10T04:39:58.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59208, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -726,9 +726,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -751,6 +749,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -772,15 +774,13 @@ ], "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59208, "source.user.name": "crusher", "tags": [ @@ -791,13 +791,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59318, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -806,9 +806,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -831,6 +829,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -852,15 +854,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59318, "source.user.name": "crusher", "tags": [ @@ -871,13 +871,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59317, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -886,9 +886,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -911,6 +909,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -932,15 +934,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59317, "source.user.name": "crusher", "tags": [ @@ -951,13 +951,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59316, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -966,9 +966,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -991,6 +989,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1012,15 +1014,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59316, "source.user.name": "crusher", "tags": [ @@ -1031,13 +1031,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59315, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1046,9 +1046,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -1071,6 +1069,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1092,15 +1094,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59315, "source.user.name": "crusher", "tags": [ @@ -1111,13 +1111,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59206, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1126,9 +1126,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -1151,6 +1149,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1172,15 +1174,13 @@ ], "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59206, "source.user.name": "crusher", "tags": [ @@ -1191,13 +1191,13 @@ "@timestamp": "2012-04-10T04:39:57.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59205, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1206,9 +1206,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -1231,6 +1229,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1252,15 +1254,13 @@ ], "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59205, "source.user.name": "crusher", "tags": [ @@ -1271,13 +1271,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 1359, "client.ip": "192.168.0.2", - "client.packets": 3, + "client.packets": 18, "client.port": 56858, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 1359, + "destination.bytes": 551, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1286,9 +1286,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 18, + "destination.packets": 3, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -1311,6 +1309,10 @@ "network.packets": 21, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1332,15 +1334,13 @@ ], "server.bytes": 551, "server.ip": "204.232.231.46", - "server.packets": 18, + "server.packets": 3, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 551, + "source.bytes": 1359, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 3, + "source.packets": 18, "source.port": 56858, "source.user.name": "crusher", "tags": [ @@ -1351,13 +1351,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59314, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1366,9 +1366,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -1391,6 +1389,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1412,15 +1414,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59314, "source.user.name": "crusher", "tags": [ @@ -1431,13 +1431,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59313, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1446,9 +1446,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -1471,6 +1469,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1492,15 +1494,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59313, "source.user.name": "crusher", "tags": [ @@ -1511,21 +1511,19 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 69, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52139, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 69, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -1548,6 +1546,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1569,15 +1571,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 69, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52139, "source.user.name": "crusher", "tags": [ @@ -1588,21 +1588,19 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 69, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 60592, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 69, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -1625,6 +1623,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1646,15 +1648,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 69, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 60592, "source.user.name": "crusher", "tags": [ @@ -1665,13 +1665,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59309, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1680,9 +1680,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -1705,6 +1703,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -1726,15 +1728,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59309, "source.user.name": "crusher", "tags": [ @@ -1751,14 +1751,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 66, + "destination.bytes": 98, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -1782,6 +1780,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1807,10 +1809,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 98, + "source.bytes": 66, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 57322, "source.user.name": "crusher", 
@@ -1822,13 +1822,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59204, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1837,9 +1837,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -1862,6 +1860,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1883,15 +1885,13 @@ ], "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59204, "source.user.name": "crusher", "tags": [ 
@@ -1902,13 +1902,13 @@ "@timestamp": "2012-04-10T04:39:56.000-02:00", "client.bytes": 549, "client.ip": "192.168.0.2", - "client.packets": 4, + "client.packets": 6, "client.port": 59203, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 549, + "destination.bytes": 806, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1917,9 +1917,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 4, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -1942,6 +1940,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1963,15 +1965,13 @@ ], "server.bytes": 806, "server.ip": "204.232.231.46", - "server.packets": 6, + "server.packets": 4, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 806, + "source.bytes": 549, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 4, + "source.packets": 6, "source.port": 59203, "source.user.name": "crusher", "tags": [ 
@@ -1982,13 +1982,13 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59305, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1997,9 +1997,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -2022,6 +2020,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2043,15 +2045,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59305, "source.user.name": "crusher", "tags": [ 
@@ -2062,21 +2062,19 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 69, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 64005, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 69, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -2099,6 +2097,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2120,15 +2122,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 69, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 64005, "source.user.name": "crusher", "tags": [ 
@@ -2139,21 +2139,19 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 69, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 58768, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 69, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -2176,6 +2174,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2197,15 +2199,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 69, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 58768, "source.user.name": "crusher", "tags": [ @@ -2231,8 +2231,6 @@ "destination.geo.region_iso_code": "US-CA", "destination.geo.region_name": "California", "destination.ip": "98.149.55.63", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 8, "destination.port": 13069, "event.action": "flow_started", 
@@ -2256,6 +2254,10 @@ "network.packets": 16, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2283,8 +2285,6 @@ "source.address": "192.168.0.2", "source.bytes": 504, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 8, "source.port": 47752, "source.user.name": "crusher", @@ -2296,13 +2296,13 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59304, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2311,9 +2311,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -2336,6 +2334,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -2357,15 +2359,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59304, "source.user.name": "crusher", "tags": [ @@ -2376,21 +2376,19 @@ "@timestamp": "2012-04-10T04:39:55.000-02:00", "client.bytes": 71, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 54533, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 71, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -2413,6 +2411,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -2434,15 +2436,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 71, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 54533, "source.user.name": "crusher", "tags": [ @@ -2459,7 +2459,7 @@ "destination.address": "212.48.10.58", "destination.as.number": 8660, "destination.as.organization.name": "Italiaonline S.p.A.", - "destination.bytes": 837, + "destination.bytes": 9130, "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", @@ -2468,8 +2468,6 @@ "destination.geo.region_iso_code": "IT-MI", "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 10, "destination.port": 80, "event.action": "flow_terminated", @@ -2493,6 +2491,10 @@ "network.packets": 20, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2518,10 +2520,8 @@ "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 9130, + "source.bytes": 837, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 10, "source.port": 59201, "source.user.name": "crusher", 
@@ -2533,13 +2533,13 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59303, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2548,9 +2548,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -2573,6 +2571,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2594,15 +2596,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59303, "source.user.name": "crusher", "tags": [ 
@@ -2613,21 +2613,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 50876, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -2650,6 +2648,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2671,15 +2673,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 50876, "source.user.name": "crusher", "tags": [ 
@@ -2690,21 +2690,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 57657, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -2727,6 +2725,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2748,15 +2750,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 57657, "source.user.name": "crusher", "tags": [ 
@@ -2767,13 +2767,13 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59302, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2782,9 +2782,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -2807,6 +2805,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2828,15 +2830,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59302, "source.user.name": "crusher", "tags": [ 
@@ -2847,13 +2847,13 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59301, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2862,9 +2862,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -2887,6 +2885,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2908,15 +2910,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59301, "source.user.name": "crusher", "tags": [ 
@@ -2927,21 +2927,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 64844, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -2964,6 +2962,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2985,15 +2987,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 64844, "source.user.name": "crusher", "tags": [ 
@@ -3004,21 +3004,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52257, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -3041,6 +3039,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3062,15 +3064,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52257, "source.user.name": "crusher", "tags": [ 
@@ -3086,14 +3086,12 @@ "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 95, + "destination.bytes": 111, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -3116,6 +3114,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3141,10 +3143,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.100", - "source.bytes": 111, + "source.bytes": 95, "source.ip": "192.168.0.100", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 38796, "tags": [ 
@@ -3155,21 +3155,19 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 597, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59200, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 597, + "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3192,6 +3190,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3213,15 +3215,13 @@ ], "server.bytes": 906, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 906, + "source.bytes": 597, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59200, "source.user.name": "crusher", "tags": [ 
@@ -3232,12 +3232,12 @@ "@timestamp": "2012-04-10T04:39:54.000-02:00", "client.bytes": 804, "client.ip": "192.168.0.100", - "client.packets": 7, + "client.packets": 10, "client.port": 48412, "destination.address": "50.19.102.116", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 804, + "destination.bytes": 5013, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3246,9 +3246,7 @@ "destination.geo.region_iso_code": "US-VA", "destination.geo.region_name": "Virginia", "destination.ip": "50.19.102.116", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 10, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3270,6 +3268,10 @@ "network.packets": 17, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3291,15 +3293,13 @@ ], "server.bytes": 5013, "server.ip": "50.19.102.116", - "server.packets": 10, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.0.100", - "source.bytes": 5013, + "source.bytes": 804, "source.ip": "192.168.0.100", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 10, "source.port": 48412, "tags": [ "pan-os" 
@@ -3315,7 +3315,7 @@ "destination.address": "65.55.223.19", "destination.as.number": 8075, "destination.as.organization.name": "Microsoft Corporation", - "destination.bytes": 187, + "destination.bytes": 99, "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3324,8 +3324,6 @@ "destination.geo.region_iso_code": "US-VA", "destination.geo.region_name": "Virginia", "destination.ip": "65.55.223.19", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 40026, "event.action": "flow_terminated", @@ -3349,6 +3347,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3374,10 +3376,8 @@ "server.port": 40026, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 99, + "source.bytes": 187, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 47752, "source.user.name": "crusher", @@ -3395,7 +3395,7 @@ "destination.address": "65.55.223.24", "destination.as.number": 8075, "destination.as.organization.name": "Microsoft Corporation", - "destination.bytes": 76, + "destination.bytes": 902, "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3404,8 +3404,6 @@ "destination.geo.region_iso_code": "US-VA", "destination.geo.region_name": "Virginia", "destination.ip": "65.55.223.24", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 40029, "event.action": "flow_terminated", 
@@ -3429,6 +3427,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3454,10 +3456,8 @@ "server.port": 40029, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 902, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 47752, "source.user.name": "crusher", @@ -3474,14 +3474,12 @@ "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 86, + "destination.bytes": 141, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -3504,6 +3502,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3529,10 +3531,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.100", - "source.bytes": 141, + "source.bytes": 86, "source.ip": "192.168.0.100", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 52189, "tags": [ 
@@ -3543,13 +3543,13 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59300, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3558,9 +3558,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -3583,6 +3581,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3604,15 +3606,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59300, "source.user.name": "crusher", "tags": [ 
@@ -3623,21 +3623,19 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 73, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 54414, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 73, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -3660,6 +3658,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3681,15 +3683,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 73, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 54414, "source.user.name": "crusher", "tags": [ 
@@ -3700,13 +3700,13 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59299, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3715,9 +3715,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -3740,6 +3738,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3761,15 +3763,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59299, "source.user.name": "crusher", "tags": [ 
@@ -3780,21 +3780,19 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 60399, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -3817,6 +3815,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3838,15 +3840,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 60399, "source.user.name": "crusher", "tags": [ 
@@ -3863,14 +3863,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 166, + "destination.bytes": 316, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 2, "destination.port": 53, "event.action": "flow_terminated", @@ -3894,6 +3892,10 @@ "network.packets": 4, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3919,10 +3921,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 316, + "source.bytes": 166, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 2, "source.port": 59626, "source.user.name": "crusher", @@ -3940,14 +3940,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 75, + "destination.bytes": 121, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", 
@@ -3971,6 +3969,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3996,10 +3998,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 121, + "source.bytes": 75, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 51542, "source.user.name": "crusher", @@ -4017,14 +4017,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 75, + "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -4048,6 +4046,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4073,10 +4075,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 169, + "source.bytes": 75, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 54182, "source.user.name": "crusher", 
@@ -4088,21 +4088,19 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 594, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59199, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 594, + "destination.bytes": 954, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -4125,6 +4123,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4146,15 +4148,13 @@ ], "server.bytes": 954, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 954, + "source.bytes": 594, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59199, "source.user.name": "crusher", "tags": [ 
@@ -4165,13 +4165,13 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 1005, "client.ip": "192.168.0.2", - "client.packets": 10, + "client.packets": 12, "client.port": 59198, "client.user.name": "crusher", "destination.address": "212.48.10.58", "destination.as.number": 8660, "destination.as.organization.name": "Italiaonline S.p.A.", - "destination.bytes": 1005, + "destination.bytes": 9130, "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", @@ -4180,9 +4180,7 @@ "destination.geo.region_iso_code": "IT-MI", "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 12, + "destination.packets": 10, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -4205,6 +4203,10 @@ "network.packets": 22, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4226,15 +4228,13 @@ ], "server.bytes": 9130, "server.ip": "212.48.10.58", - "server.packets": 12, + "server.packets": 10, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 9130, + "source.bytes": 1005, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 10, + "source.packets": 12, "source.port": 59198, "source.user.name": "crusher", "tags": [ 
@@ -4245,13 +4245,13 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 1363, "client.ip": "192.168.0.2", - "client.packets": 3, + "client.packets": 18, "client.port": 56856, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 1363, + "destination.bytes": 555, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4260,9 +4260,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 18, + "destination.packets": 3, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -4285,6 +4283,10 @@ "network.packets": 21, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4306,15 +4308,13 @@ ], "server.bytes": 555, "server.ip": "204.232.231.46", - "server.packets": 18, + "server.packets": 3, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 555, + "source.bytes": 1363, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 3, + "source.packets": 18, "source.port": 56856, "source.user.name": "crusher", "tags": [ 
@@ -4325,21 +4325,19 @@ "@timestamp": "2012-04-10T04:39:53.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52489, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -4362,6 +4360,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4383,15 +4385,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52489, "source.user.name": "crusher", "tags": [ 
@@ -4402,13 +4402,13 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59298, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4417,9 +4417,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -4442,6 +4440,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4463,15 +4465,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59298, "source.user.name": "crusher", "tags": [ 
@@ -4482,21 +4482,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 60185, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -4519,6 +4517,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4540,15 +4542,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 60185, "source.user.name": "crusher", "tags": [ 
@@ -4559,21 +4559,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 51817, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -4596,6 +4594,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4617,15 +4619,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 51817, "source.user.name": "crusher", "tags": [ 
@@ -4636,13 +4636,13 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 186, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 47752, "client.user.name": "crusher", "destination.address": "65.55.223.31", "destination.as.number": 8075, "destination.as.organization.name": "Microsoft Corporation", - "destination.bytes": 186, + "destination.bytes": 0, "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4651,9 +4651,7 @@ "destination.geo.region_iso_code": "US-VA", "destination.geo.region_name": "Virginia", "destination.ip": "65.55.223.31", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 40043, "event.action": "flow_started", "event.category": "network_traffic", @@ -4676,6 +4674,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4697,15 +4699,13 @@ ], "server.bytes": 0, "server.ip": "65.55.223.31", - "server.packets": 1, + "server.packets": 0, "server.port": 40043, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 186, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 47752, "source.user.name": "crusher", "tags": [ 
@@ -4716,13 +4716,13 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59297, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -4731,9 +4731,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -4756,6 +4754,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4777,15 +4779,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59297, "source.user.name": "crusher", "tags": [ 
@@ -4796,21 +4796,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 82, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52537, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 82, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -4833,6 +4831,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4854,15 +4856,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 82, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52537, "source.user.name": "crusher", "tags": [ 
@@ -4873,21 +4873,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 82, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 53155, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 82, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -4910,6 +4908,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4931,15 +4933,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 82, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 53155, "source.user.name": "crusher", "tags": [ 
@@ -4950,21 +4950,19 @@ "@timestamp": "2012-04-10T04:39:52.000-02:00", "client.bytes": 581, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59197, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 581, + "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -4987,6 +4985,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5008,15 +5010,13 @@ ], "server.bytes": 906, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 906, + "source.bytes": 581, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59197, "source.user.name": "crusher", "tags": [ 
@@ -5033,14 +5033,12 @@ "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 88, + "destination.bytes": 163, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -5064,6 +5062,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5089,10 +5091,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 163, + "source.bytes": 88, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 56995, "source.user.name": "crusher", 
@@ -5104,21 +5104,19 @@ "@timestamp": "2012-04-10T04:39:51.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59069, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -5141,6 +5139,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5162,15 +5164,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59069, "source.user.name": "crusher", "tags": [ 
@@ -5181,21 +5181,19 @@ "@timestamp": "2012-04-10T04:39:51.000-02:00", "client.bytes": 76, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 55697, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 76, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -5218,6 +5216,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5239,15 +5241,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 76, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 55697, "source.user.name": "crusher", "tags": [ 
@@ -5258,13 +5258,13 @@ "@timestamp": "2012-04-10T04:39:51.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59295, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5273,9 +5273,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -5298,6 +5296,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5319,15 +5321,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59295, "source.user.name": "crusher", "tags": [ 
@@ -5338,21 +5338,19 @@ "@timestamp": "2012-04-10T04:39:51.000-02:00", "client.bytes": 578, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59196, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 578, + "destination.bytes": 922, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -5375,6 +5373,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5396,15 +5398,13 @@ ], "server.bytes": 922, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 922, + "source.bytes": 578, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59196, "source.user.name": "crusher", "tags": [ 
@@ -5415,13 +5415,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59291, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5430,9 +5430,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -5455,6 +5453,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5476,15 +5478,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59291, "source.user.name": "crusher", "tags": [ 
@@ -5495,21 +5495,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 77, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 52858, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 77, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -5532,6 +5530,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5553,15 +5555,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 77, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 52858, "source.user.name": "crusher", "tags": [ 
@@ -5572,21 +5572,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 77, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 61383, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 77, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -5609,6 +5607,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5630,15 +5632,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 77, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 61383, "source.user.name": "crusher", "tags": [ 
@@ -5649,13 +5649,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59290, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5664,9 +5664,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -5689,6 +5687,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5710,15 +5712,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59290, "source.user.name": "crusher", "tags": [ 
@@ -5729,21 +5729,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 1310, "client.ip": "192.168.0.2", - "client.packets": 22, + "client.packets": 17, "client.port": 59195, "client.user.name": "crusher", "destination.address": "8.5.1.1", "destination.as.number": 3356, "destination.as.organization.name": "Level 3 Parent, LLC", - "destination.bytes": 1310, + "destination.bytes": 26786, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.5.1.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 17, + "destination.packets": 22, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -5766,6 +5764,10 @@ "network.packets": 39, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5787,15 +5789,13 @@ ], "server.bytes": 26786, "server.ip": "8.5.1.1", - "server.packets": 17, + "server.packets": 22, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 26786, + "source.bytes": 1310, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 22, + "source.packets": 17, "source.port": 59195, "source.user.name": "crusher", "tags": [ 
@@ -5806,21 +5806,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 83, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 49812, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 83, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -5843,6 +5841,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5864,15 +5866,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 83, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 49812, "source.user.name": "crusher", "tags": [ 
@@ -5883,21 +5883,19 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 83, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 50185, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 83, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -5920,6 +5918,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5941,15 +5943,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 83, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 50185, "source.user.name": "crusher", "tags": [ 
@@ -5960,13 +5960,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59286, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -5975,9 +5975,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -6000,6 +5998,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6021,15 +6023,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59286, "source.user.name": "crusher", "tags": [ 
@@ -6044,10 +6044,8 @@ "client.port": 52531, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 75, + "destination.bytes": 169, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -6071,6 +6069,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6096,10 +6098,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 169, + "source.bytes": 75, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 52531, "source.user.name": "crusher", @@ -6111,13 +6111,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 1033, "client.ip": "192.168.0.2", - "client.packets": 9, + "client.packets": 12, "client.port": 59194, "client.user.name": "crusher", "destination.address": "212.48.10.58", "destination.as.number": 8660, "destination.as.organization.name": "Italiaonline S.p.A.", - "destination.bytes": 1033, + "destination.bytes": 9064, "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", @@ -6126,9 +6126,7 @@ "destination.geo.region_iso_code": "IT-MI", "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 12, + "destination.packets": 9, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", 
@@ -6151,6 +6149,10 @@ "network.packets": 21, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6172,15 +6174,13 @@ ], "server.bytes": 9064, "server.ip": "212.48.10.58", - "server.packets": 12, + "server.packets": 9, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 9064, + "source.bytes": 1033, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 9, + "source.packets": 12, "source.port": 59194, "source.user.name": "crusher", "tags": [ @@ -6191,13 +6191,13 @@ "@timestamp": "2012-04-10T04:39:50.000-02:00", "client.bytes": 981, "client.ip": "192.168.0.2", - "client.packets": 10, + "client.packets": 12, "client.port": 59192, "client.user.name": "crusher", "destination.address": "212.48.10.58", "destination.as.number": 8660, "destination.as.organization.name": "Italiaonline S.p.A.", - "destination.bytes": 981, + "destination.bytes": 9124, "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", @@ -6206,9 +6206,7 @@ "destination.geo.region_iso_code": "IT-MI", "destination.geo.region_name": "Milan", "destination.ip": "212.48.10.58", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 12, + "destination.packets": 10, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", 
@@ -6231,6 +6229,10 @@ "network.packets": 22, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6252,15 +6254,13 @@ ], "server.bytes": 9124, "server.ip": "212.48.10.58", - "server.packets": 12, + "server.packets": 10, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 9124, + "source.bytes": 981, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 10, + "source.packets": 12, "source.port": 59192, "source.user.name": "crusher", "tags": [ @@ -6275,10 +6275,8 @@ "client.port": 56463, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 77, + "destination.bytes": 137, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -6302,6 +6300,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6327,10 +6329,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 137, + "source.bytes": 77, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 56463, "source.user.name": "crusher", 
@@ -6346,10 +6346,8 @@ "client.port": 55849, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 77, + "destination.bytes": 93, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, "destination.packets": 1, "destination.port": 53, "event.action": "flow_terminated", @@ -6373,6 +6371,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6398,10 +6400,8 @@ "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 93, + "source.bytes": 77, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, "source.packets": 1, "source.port": 55849, "source.user.name": "crusher", @@ -6413,13 +6413,13 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59282, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6428,9 +6428,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", 
@@ -6453,6 +6451,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6474,15 +6476,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59282, "source.user.name": "crusher", "tags": [ @@ -6493,21 +6493,19 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 71, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 57846, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 71, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", 
@@ -6530,6 +6528,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6551,15 +6553,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 71, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 57846, "source.user.name": "crusher", "tags": [ @@ -6570,21 +6570,19 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 71, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 51008, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 71, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", 
@@ -6607,6 +6605,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6628,15 +6630,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 71, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 51008, "source.user.name": "crusher", "tags": [ @@ -6647,13 +6647,13 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59281, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6662,9 +6662,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", 
@@ -6687,6 +6685,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6708,15 +6710,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59281, "source.user.name": "crusher", "tags": [ @@ -6727,21 +6727,19 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 55252, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", 
@@ -6764,6 +6762,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6785,15 +6787,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 55252, "source.user.name": "crusher", "tags": [ @@ -6804,15 +6804,13 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 176, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 2, "client.port": 56995, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 176, + "destination.bytes": 0, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 2, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -6835,6 +6833,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -6856,15 +6858,13 @@ ], "server.bytes": 0, "server.ip": "192.168.0.1", - "server.packets": 2, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 176, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 2, "source.port": 56995, "source.user.name": "crusher", "tags": [ @@ -6875,21 +6875,19 @@ "@timestamp": "2012-04-10T04:39:49.000-02:00", "client.bytes": 80, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 60989, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 80, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -6912,6 +6910,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -6933,15 +6935,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 80, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 60989, "source.user.name": "crusher", "tags": [ @@ -6952,13 +6952,13 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59280, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -6967,9 +6967,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -6992,6 +6990,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -7013,15 +7015,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59280, "source.user.name": "crusher", "tags": [ @@ -7032,21 +7032,19 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 81, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 53766, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 81, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -7069,6 +7067,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -7090,15 +7092,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 81, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 53766, "source.user.name": "crusher", "tags": [ @@ -7109,21 +7109,19 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 81, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 56032, "client.user.name": "crusher", "destination.address": "205.171.2.25", "destination.as.number": 209, "destination.as.organization.name": "CenturyLink Communications, LLC", - "destination.bytes": 81, + "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_started", "event.category": "network_traffic", @@ -7146,6 +7144,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -7167,15 +7169,13 @@ ], "server.bytes": 0, "server.ip": "205.171.2.25", - "server.packets": 1, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 81, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 56032, "source.user.name": "crusher", "tags": [ @@ -7186,21 +7186,19 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 581, "client.ip": "192.168.0.2", - "client.packets": 7, + "client.packets": 6, "client.port": 59193, "client.user.name": "crusher", "destination.address": "62.211.68.12", "destination.as.number": 3269, "destination.as.organization.name": "Telecom Italia", - "destination.bytes": 581, + "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 6, + "destination.packets": 7, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -7223,6 +7221,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -7244,15 +7246,13 @@ ], "server.bytes": 906, "server.ip": "62.211.68.12", - "server.packets": 6, + "server.packets": 7, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 906, + "source.bytes": 581, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 7, + "source.packets": 6, "source.port": 59193, "source.user.name": "crusher", "tags": [ @@ -7263,13 +7263,13 @@ "@timestamp": "2012-04-10T04:39:48.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59279, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7278,9 +7278,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -7303,6 +7301,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -7324,15 +7326,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59279, "source.user.name": "crusher", "tags": [ @@ -7343,13 +7343,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59278, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7358,9 +7358,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -7383,6 +7381,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -7404,15 +7406,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59278, "source.user.name": "crusher", "tags": [ @@ -7423,13 +7423,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59277, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7438,9 +7438,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -7463,6 +7461,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", 
@@ -7484,15 +7486,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59277, "source.user.name": "crusher", "tags": [ @@ -7503,15 +7503,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 166, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 2, "client.port": 60026, "client.user.name": "crusher", "destination.address": "192.168.0.1", - "destination.bytes": 166, + "destination.bytes": 0, "destination.ip": "192.168.0.1", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 2, + "destination.packets": 0, "destination.port": 53, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -7534,6 +7532,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7555,15 +7557,13 @@ ], "server.bytes": 0, "server.ip": "192.168.0.1", - "server.packets": 2, + "server.packets": 0, "server.port": 53, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 166, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 2, "source.port": 60026, "source.user.name": "crusher", "tags": [ 
@@ -7574,13 +7574,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 351, "client.ip": "192.168.0.2", - "client.packets": 1, + "client.packets": 3, "client.port": 59276, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 351, + "destination.bytes": 78, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7589,9 +7589,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 3, + "destination.packets": 1, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -7614,6 +7612,10 @@ "network.packets": 4, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7635,15 +7637,13 @@ ], "server.bytes": 78, "server.ip": "204.232.231.46", - "server.packets": 3, + "server.packets": 1, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 78, + "source.bytes": 351, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 1, + "source.packets": 3, "source.port": 59276, "source.user.name": "crusher", "tags": [ 
@@ -7654,13 +7654,13 @@ "@timestamp": "2012-04-10T04:39:47.000-02:00", "client.bytes": 351, "client.ip": "192.168.0.2", - "client.packets": 1, + "client.packets": 3, "client.port": 59275, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 351, + "destination.bytes": 78, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7669,9 +7669,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 3, + "destination.packets": 1, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -7694,6 +7692,10 @@ "network.packets": 4, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7715,15 +7717,13 @@ ], "server.bytes": 78, "server.ip": "204.232.231.46", - "server.packets": 3, + "server.packets": 1, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 78, + "source.bytes": 351, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 1, + "source.packets": 3, "source.port": 59275, "source.user.name": "crusher", "tags": [ 
@@ -7734,13 +7734,13 @@ "@timestamp": "2012-04-10T04:39:46.000-02:00", "client.bytes": 78, "client.ip": "192.168.0.2", - "client.packets": 0, + "client.packets": 1, "client.port": 59274, "client.user.name": "crusher", "destination.address": "204.232.231.46", "destination.as.number": 27357, "destination.as.organization.name": "Rackspace Hosting", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -7749,9 +7749,7 @@ "destination.geo.region_iso_code": "US-FL", "destination.geo.region_name": "Florida", "destination.ip": "204.232.231.46", - "destination.nat.ip": "0.0.0.0", - "destination.nat.port": 0, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 80, "event.action": "flow_started", "event.category": "network_traffic", @@ -7774,6 +7772,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "01606001116", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7795,15 +7797,13 @@ ], "server.bytes": 0, "server.ip": "204.232.231.46", - "server.packets": 1, + "server.packets": 0, "server.port": 80, "service.type": "panw", "source.address": "192.168.0.2", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.0.2", - "source.nat.ip": "0.0.0.0", - "source.nat.port": 0, - "source.packets": 0, + "source.packets": 1, "source.port": 59274, "source.user.name": "crusher", "tags": [ diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index c8c9082e093..ebb81f8b101 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json 
+++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -2,6 +2,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 37679, "client.port": 52984, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -36,7 +38,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -60,6 +66,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -76,6 +84,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 28249, "client.port": 52983, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -110,7 +120,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -134,6 +148,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
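Review bot: The newly added `"observer.ingress.zone": "trust"` / `"observer.egress.zone": "untrust"` pair on this event sits next to the unchanged `"network.direction": "inbound"`, and the two disagree: a flow entering on the trust zone from 192.168.15.224 and leaving on untrust toward 152.195.55.192 is outbound from the observer's point of view, which is the perspective ECS defines for `network.direction`. I can't see from this hunk where `network.direction` is derived; if it comes from the PAN-OS threat `direction` column (client-to-server / server-to-client) rather than from the zones, that is a different notion, and detection content that filters on `network.direction: outbound` for exfiltration-style threat hits will miss these records. Now that the zone fields are populated, deriving `network.direction` from the ingress/egress zones, or at least documenting in the module that the value is the PAN-OS threat direction and not an observer-relative one, would remove the ambiguity. The added `"client.nat.ip": "192.168.1.63"` / `"client.nat.port"` values look right for a source-NAT'd connection, and `server.nat.ip` equalling `server.ip` is consistent with no destination NAT.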
@@ -150,6 +166,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 63898, "client.port": 52986, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -184,7 +202,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -208,6 +230,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -224,6 +248,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 7515, "client.port": 52985, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -258,7 +284,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -282,6 +312,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -298,6 +330,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 3225, "client.port": 52987, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -332,7 +366,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -356,6 +394,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -372,6 +412,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 60449, "client.port": 52988, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -406,7 +448,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -430,6 +476,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -446,6 +494,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 60559, "client.port": 52990, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -480,7 +530,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -504,6 +558,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -520,6 +576,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 47414, "client.port": 52989, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -554,7 +612,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -578,6 +640,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -594,6 +658,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 37673, "client.port": 52992, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -628,7 +694,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -652,6 +722,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -668,6 +740,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 8232, "client.port": 52991, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -702,7 +776,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -726,6 +804,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -742,6 +822,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 32982, "client.port": 52994, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -776,7 +858,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -800,6 +886,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -816,6 +904,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 10473, "client.port": 52993, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -850,7 +940,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -874,6 +968,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -890,6 +986,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 20446, "client.port": 52995, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -924,7 +1022,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -948,6 +1050,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -964,6 +1068,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 34699, "client.port": 52996, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -998,7 +1104,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1022,6 +1132,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1038,6 +1150,8 @@ { "@timestamp": "2018-11-30T16:44:36.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 22820, "client.port": 52997, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1072,7 +1186,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1096,6 +1214,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1112,6 +1232,8 @@ { "@timestamp": "2018-11-30T16:44:37.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 41060, "client.port": 52998, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1146,7 +1268,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1170,6 +1296,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1186,6 +1314,8 @@ { "@timestamp": "2018-11-30T16:44:37.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 9058, "client.port": 52999, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1220,7 +1350,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1244,6 +1378,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1260,6 +1396,8 @@ { "@timestamp": "2018-11-30T16:44:37.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 54846, "client.port": 53001, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1294,7 +1432,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1318,6 +1460,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1334,6 +1478,8 @@ { "@timestamp": "2018-11-30T16:44:37.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 52731, "client.port": 53002, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1368,7 +1514,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1392,6 +1542,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1408,6 +1560,8 @@ { "@timestamp": "2018-11-30T16:44:38.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 15165, "client.port": 53003, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1442,7 +1596,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1466,6 +1624,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1482,6 +1642,8 @@ { "@timestamp": "2018-11-30T16:44:38.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 53918, "client.port": 53004, "destination.address": "23.72.137.131", "destination.as.number": 20940, @@ -1516,7 +1678,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.137.131", @@ -1540,6 +1706,8 @@ "23.72.137.131" ], "server.ip": "23.72.137.131", + "server.nat.ip": "23.72.137.131", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1556,6 +1724,8 @@ { "@timestamp": "2018-11-30T16:44:38.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 40792, "client.port": 53000, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1590,7 +1760,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1614,6 +1788,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1630,6 +1806,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 54044, "client.port": 53006, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1664,7 +1842,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1688,6 +1870,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1704,6 +1888,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 19544, "client.port": 53007, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1738,7 +1924,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1762,6 +1952,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1778,6 +1970,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 13462, "client.port": 53008, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1812,7 +2006,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1836,6 +2034,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -1852,6 +2052,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 44892, "client.port": 53010, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1886,7 +2088,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1910,6 +2116,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -1926,6 +2134,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 16487, "client.port": 53011, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -1960,7 +2170,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1984,6 +2198,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -2000,6 +2216,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 23952, "client.port": 53012, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2034,7 +2252,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2058,6 +2280,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -2074,6 +2298,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 2810, "client.port": 53013, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2108,7 +2334,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2132,6 +2362,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -2148,6 +2380,8 @@ { "@timestamp": "2018-11-30T16:44:46.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 13272, "client.port": 53014, "destination.address": "152.195.55.192", "destination.as.number": 15133, @@ -2182,7 +2416,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2206,6 +2444,8 @@ "152.195.55.192" ], "server.ip": "152.195.55.192", + "server.nat.ip": "152.195.55.192", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -2222,6 +2462,8 @@
 {
 "@timestamp": "2018-11-30T16:44:46.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 8663,
 "client.port": 53022,
 "destination.address": "152.195.55.192",
 "destination.as.number": 15133,
@@ -2256,7 +2498,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "152.195.55.192",
@@ -2280,6 +2526,8 @@
 "152.195.55.192"
 ],
 "server.ip": "152.195.55.192",
+"server.nat.ip": "152.195.55.192",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2296,6 +2544,8 @@
 {
 "@timestamp": "2018-11-30T16:44:46.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 55738,
 "client.port": 53023,
 "destination.address": "152.195.55.192",
 "destination.as.number": 15133,
@@ -2330,7 +2580,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "152.195.55.192",
@@ -2354,6 +2608,8 @@
 "152.195.55.192"
 ],
 "server.ip": "152.195.55.192",
+"server.nat.ip": "152.195.55.192",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2370,6 +2626,8 @@
 {
 "@timestamp": "2018-11-30T16:44:46.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 10650,
 "client.port": 53024,
 "destination.address": "152.195.55.192",
 "destination.as.number": 15133,
@@ -2404,7 +2662,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "152.195.55.192",
@@ -2428,6 +2690,8 @@
 "152.195.55.192"
 ],
 "server.ip": "152.195.55.192",
+"server.nat.ip": "152.195.55.192",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2444,6 +2708,8 @@
 {
 "@timestamp": "2018-11-30T16:44:46.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 44087,
 "client.port": 53025,
 "destination.address": "152.195.55.192",
 "destination.as.number": 15133,
@@ -2478,7 +2744,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "152.195.55.192",
@@ -2502,6 +2772,8 @@
 "152.195.55.192"
 ],
 "server.ip": "152.195.55.192",
+"server.nat.ip": "152.195.55.192",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2518,6 +2790,8 @@
 {
 "@timestamp": "2018-11-30T16:44:46.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 15915,
 "client.port": 53026,
 "destination.address": "152.195.55.192",
 "destination.as.number": 15133,
@@ -2552,7 +2826,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "152.195.55.192",
@@ -2576,6 +2854,8 @@
 "152.195.55.192"
 ],
 "server.ip": "152.195.55.192",
+"server.nat.ip": "152.195.55.192",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2592,6 +2872,8 @@
 {
 "@timestamp": "2018-11-30T16:44:53.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 41165,
 "client.port": 53041,
 "destination.address": "151.101.2.2",
 "destination.as.number": 54113,
@@ -2626,7 +2908,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "151.101.2.2",
@@ -2650,6 +2936,8 @@
 "151.101.2.2"
 ],
 "server.ip": "151.101.2.2",
+"server.nat.ip": "151.101.2.2",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2666,6 +2954,8 @@
 {
 "@timestamp": "2018-11-30T16:44:54.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 54133,
 "client.port": 53040,
 "destination.address": "54.192.7.152",
 "destination.as.number": 16509,
@@ -2703,7 +2993,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "54.192.7.152",
@@ -2727,6 +3021,8 @@
 "54.192.7.152"
 ],
 "server.ip": "54.192.7.152",
+"server.nat.ip": "54.192.7.152",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2743,6 +3039,8 @@
 {
 "@timestamp": "2018-11-30T16:44:58.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 8485,
 "client.port": 53093,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -2780,7 +3078,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -2804,6 +3106,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2820,6 +3124,8 @@
 {
 "@timestamp": "2018-11-30T16:44:58.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 12496,
 "client.port": 53094,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -2857,7 +3163,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -2881,6 +3191,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2897,6 +3209,8 @@
 {
 "@timestamp": "2018-11-30T16:44:58.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 17029,
 "client.port": 53095,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -2934,7 +3248,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -2958,6 +3276,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -2974,6 +3294,8 @@
 {
 "@timestamp": "2018-11-30T16:44:58.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 23696,
 "client.port": 53096,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -3011,7 +3333,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -3035,6 +3361,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3051,6 +3379,8 @@
 {
 "@timestamp": "2018-11-30T16:44:59.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 34769,
 "client.port": 53097,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -3088,7 +3418,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -3112,6 +3446,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3128,6 +3464,8 @@
 {
 "@timestamp": "2018-11-30T16:44:59.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 22486,
 "client.port": 53099,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -3165,7 +3503,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -3189,6 +3531,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3205,6 +3549,8 @@
 {
 "@timestamp": "2018-11-30T16:44:59.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 12894,
 "client.port": 53100,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -3242,7 +3588,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -3266,6 +3616,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3282,6 +3634,8 @@
 {
 "@timestamp": "2018-11-30T16:45:00.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 62348,
 "client.port": 53101,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -3319,7 +3673,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -3343,6 +3701,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3359,6 +3719,8 @@
 {
 "@timestamp": "2018-11-30T16:45:00.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 6224,
 "client.port": 53104,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -3396,7 +3758,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -3420,6 +3786,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3436,6 +3804,8 @@
 {
 "@timestamp": "2018-11-30T16:45:00.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 44120,
 "client.port": 53107,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -3473,7 +3843,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -3497,6 +3871,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3513,6 +3889,8 @@
 {
 "@timestamp": "2018-11-30T16:45:00.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 44228,
 "client.port": 53108,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -3550,7 +3928,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -3574,6 +3956,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3590,6 +3974,8 @@
 {
 "@timestamp": "2018-11-30T16:45:00.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 31322,
 "client.port": 53109,
 "destination.address": "52.4.120.175",
 "destination.as.number": 14618,
@@ -3627,7 +4013,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.4.120.175",
@@ -3651,6 +4041,8 @@
 "52.4.120.175"
 ],
 "server.ip": "52.4.120.175",
+"server.nat.ip": "52.4.120.175",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3667,6 +4059,8 @@
 {
 "@timestamp": "2018-11-30T16:45:13.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 1672,
 "client.port": 53118,
 "destination.address": "216.58.194.98",
 "destination.as.number": 15169,
@@ -3704,7 +4098,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "216.58.194.98",
@@ -3728,6 +4126,8 @@
 "216.58.194.98"
 ],
 "server.ip": "216.58.194.98",
+"server.nat.ip": "216.58.194.98",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3744,6 +4144,8 @@
 {
 "@timestamp": "2018-11-30T16:45:15.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 20801,
 "client.port": 53126,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -3778,7 +4180,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -3802,6 +4208,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3818,6 +4226,8 @@
 {
 "@timestamp": "2018-11-30T16:45:15.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 24533,
 "client.port": 53127,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -3852,7 +4262,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -3876,6 +4290,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3892,6 +4308,8 @@
 {
 "@timestamp": "2018-11-30T16:45:15.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 30150,
 "client.port": 53128,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -3926,7 +4344,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -3950,6 +4372,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -3966,6 +4390,8 @@
 {
 "@timestamp": "2018-11-30T16:45:15.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 36305,
 "client.port": 53129,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -4000,7 +4426,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -4024,6 +4454,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4040,6 +4472,8 @@
 {
 "@timestamp": "2018-11-30T16:45:16.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 42682,
 "client.port": 53130,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -4074,7 +4508,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -4098,6 +4536,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4114,6 +4554,8 @@
 {
 "@timestamp": "2018-11-30T16:45:16.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 22530,
 "client.port": 53131,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -4148,7 +4590,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -4172,6 +4618,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4188,6 +4636,8 @@
 {
 "@timestamp": "2018-11-30T16:45:16.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 43713,
 "client.port": 53132,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -4222,7 +4672,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -4246,6 +4700,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4262,6 +4718,8 @@
 {
 "@timestamp": "2018-11-30T16:45:16.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 60608,
 "client.port": 53133,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -4296,7 +4754,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -4320,6 +4782,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4336,6 +4800,8 @@
 {
 "@timestamp": "2018-11-30T16:45:16.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 9302,
 "client.port": 53134,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -4370,7 +4836,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -4394,6 +4864,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4410,6 +4882,8 @@
 {
 "@timestamp": "2018-11-30T16:45:16.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 11634,
 "client.port": 53135,
 "destination.address": "23.72.145.245",
 "destination.as.number": 16625,
@@ -4444,7 +4918,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.72.145.245",
@@ -4468,6 +4946,8 @@
 "23.72.145.245"
 ],
 "server.ip": "23.72.145.245",
+"server.nat.ip": "23.72.145.245",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4484,6 +4964,8 @@
 {
 "@timestamp": "2018-11-30T16:45:26.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 30818,
 "client.port": 53152,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -4521,7 +5003,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "54.209.101.70",
@@ -4545,6 +5031,8 @@
 "54.209.101.70"
 ],
 "server.ip": "54.209.101.70",
+"server.nat.ip": "54.209.101.70",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4561,6 +5049,8 @@
 {
 "@timestamp": "2018-11-30T16:45:26.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 64260,
 "client.port": 53155,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -4598,7 +5088,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "54.209.101.70",
@@ -4622,6 +5116,8 @@
 "54.209.101.70"
 ],
 "server.ip": "54.209.101.70",
+"server.nat.ip": "54.209.101.70",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4638,6 +5134,8 @@
 {
 "@timestamp": "2018-11-30T16:45:26.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 7071,
 "client.port": 53158,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -4675,7 +5173,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "54.209.101.70",
@@ -4699,6 +5201,8 @@
 "54.209.101.70"
 ],
 "server.ip": "54.209.101.70",
+"server.nat.ip": "54.209.101.70",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4715,6 +5219,8 @@
 {
 "@timestamp": "2018-11-30T16:45:26.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 4512,
 "client.port": 53160,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -4752,7 +5258,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "54.209.101.70",
@@ -4776,6 +5286,8 @@
 "54.209.101.70"
 ],
 "server.ip": "54.209.101.70",
+"server.nat.ip": "54.209.101.70",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4792,6 +5304,8 @@
 {
 "@timestamp": "2018-11-30T16:45:26.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 3422,
 "client.port": 53161,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -4829,7 +5343,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "54.209.101.70",
@@ -4853,6 +5371,8 @@
 "54.209.101.70"
 ],
 "server.ip": "54.209.101.70",
+"server.nat.ip": "54.209.101.70",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4869,6 +5389,8 @@
 {
 "@timestamp": "2018-11-30T16:45:27.000-02:00",
 "client.ip": "192.168.15.224",
+"client.nat.ip": "192.168.1.63",
+"client.nat.port": 4651,
 "client.port": 53162,
 "destination.address": "54.209.101.70",
 "destination.as.number": 14618,
@@ -4906,7 +5428,11 @@
 ],
 "network.direction": "inbound",
 "network.transport": "tcp",
+"observer.egress.interface.name": "ethernet1/1",
+"observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+"observer.ingress.interface.name": "ethernet1/2",
+"observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "54.209.101.70",
@@ -4930,6 +5456,8 @@
 "54.209.101.70"
 ],
 "server.ip": "54.209.101.70",
+"server.nat.ip": "54.209.101.70",
+"server.nat.port": 443,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
@@ -4946,6 +5474,8 @@ { "@timestamp": "2018-11-30T16:45:27.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 19068, "client.port": 53163, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -4983,7 +5513,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5007,6 +5541,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5023,6 +5559,8 @@ { "@timestamp": "2018-11-30T16:45:27.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 5831, "client.port": 53164, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5060,7 +5598,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5084,6 +5626,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -5100,6 +5644,8 @@ { "@timestamp": "2018-11-30T16:45:27.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 7084, "client.port": 53165, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5137,7 +5683,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5161,6 +5711,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5177,6 +5729,8 @@ { "@timestamp": "2018-11-30T16:45:27.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 18633, "client.port": 53166, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5214,7 +5768,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5238,6 +5796,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -5254,6 +5814,8 @@ { "@timestamp": "2018-11-30T16:45:27.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 25557, "client.port": 53167, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5291,7 +5853,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5315,6 +5881,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5331,6 +5899,8 @@ { "@timestamp": "2018-11-30T16:45:27.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 20661, "client.port": 53150, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5368,7 +5938,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5392,6 +5966,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -5408,6 +5984,8 @@ { "@timestamp": "2018-11-30T16:45:28.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 65438, "client.port": 53185, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5445,7 +6023,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5469,6 +6051,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5485,6 +6069,8 @@ { "@timestamp": "2018-11-30T16:45:28.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 53101, "client.port": 53187, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5522,7 +6108,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5546,6 +6136,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", 
@@ -5562,6 +6154,8 @@ { "@timestamp": "2018-11-30T16:45:28.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 35463, "client.port": 53188, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5599,7 +6193,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5623,6 +6221,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", @@ -5639,6 +6239,8 @@ { "@timestamp": "2018-11-30T16:45:29.000-02:00", "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 45769, "client.port": 53178, "destination.address": "54.209.101.70", "destination.as.number": 14618, @@ -5676,7 +6278,11 @@ ], "network.direction": "inbound", "network.transport": "tcp", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5700,6 +6306,8 @@ "54.209.101.70" ], "server.ip": "54.209.101.70", + "server.nat.ip": "54.209.101.70", + "server.nat.port": 443, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 563290f9dba..0ddc8f895ae 100644 
--- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -3,12 +3,14 @@ "@timestamp": "2018-11-30T16:09:07.000-02:00", "client.bytes": 1758, "client.ip": "192.168.15.207", - "client.packets": 20, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 16418, + "client.packets": 16, "client.port": 55113, "destination.address": "184.51.253.152", "destination.as.number": 16625, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.bytes": 1758, + "destination.bytes": 5976, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -16,7 +18,7 @@ "destination.ip": "184.51.253.152", "destination.nat.ip": "184.51.253.152", "destination.nat.port": 443, - "destination.packets": 16, + "destination.packets": 20, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -42,7 +44,11 @@ "network.packets": 36, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.253.152", @@ -65,15 +71,17 @@ ], "server.bytes": 5976, "server.ip": "184.51.253.152", - "server.packets": 16, + "server.nat.ip": "184.51.253.152", + "server.nat.port": 443, + "server.packets": 20, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 5976, + "source.bytes": 1758, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 16418, - "source.packets": 20, + "source.packets": 16, "source.port": 55113, "tags": [ "pan-os" 
@@ -83,6 +91,8 @@ "@timestamp": "2018-11-30T16:09:09.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -122,7 +132,11 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -145,6 +159,8 @@ ], "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", @@ -163,12 +179,14 @@ "@timestamp": "2018-11-30T16:09:09.000-02:00", "client.bytes": 539, "client.ip": "192.168.15.207", - "client.packets": 5, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 51990, + "client.packets": 6, "client.port": 55114, "destination.address": "17.253.3.202", "destination.as.number": 6185, "destination.as.organization.name": "Apple Inc.", - "destination.bytes": 539, + "destination.bytes": 1035, "destination.geo.city_name": "Dallas", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -179,7 +197,7 @@ "destination.ip": "17.253.3.202", "destination.nat.ip": "17.253.3.202", "destination.nat.port": 80, - "destination.packets": 6, + "destination.packets": 5, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", 
@@ -205,7 +223,11 @@ "network.packets": 11, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "17.253.3.202", @@ -228,15 +250,17 @@ ], "server.bytes": 1035, "server.ip": "17.253.3.202", - "server.packets": 6, + "server.nat.ip": "17.253.3.202", + "server.nat.port": 80, + "server.packets": 5, "server.port": 80, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 1035, + "source.bytes": 539, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 51990, - "source.packets": 5, + "source.packets": 6, "source.port": 55114, "tags": [ "pan-os" @@ -246,6 +270,8 @@ "@timestamp": "2018-11-30T16:09:15.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -285,7 +311,11 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -308,6 +338,8 @@ ], "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", 
@@ -326,12 +358,14 @@ "@timestamp": "2018-11-30T16:09:15.000-02:00", "client.bytes": 2014, "client.ip": "192.168.15.196", - "client.packets": 3, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 15252, + "client.packets": 5, "client.port": 46774, "destination.address": "216.58.194.99", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 2014, + "destination.bytes": 1613, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -342,7 +376,7 @@ "destination.ip": "216.58.194.99", "destination.nat.ip": "216.58.194.99", "destination.nat.port": 443, - "destination.packets": 5, + "destination.packets": 3, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -368,7 +402,11 @@ "network.packets": 8, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "216.58.194.99", @@ -391,15 +429,17 @@ ], "server.bytes": 1613, "server.ip": "216.58.194.99", - "server.packets": 5, + "server.nat.ip": "216.58.194.99", + "server.nat.port": 443, + "server.packets": 3, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.196", - "source.bytes": 1613, + "source.bytes": 2014, "source.ip": "192.168.15.196", "source.nat.ip": "192.168.1.63", "source.nat.port": 15252, - "source.packets": 3, + "source.packets": 5, "source.port": 46774, "tags": [ "pan-os" 
@@ -409,12 +449,14 @@ "@timestamp": "2018-11-30T16:09:15.000-02:00", "client.bytes": 20642, "client.ip": "192.168.15.224", - "client.packets": 51, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 40763, + "client.packets": 62, "client.port": 52408, "destination.address": "209.234.224.22", "destination.as.number": 395162, "destination.as.organization.name": "Markit On Demand, Inc.", - "destination.bytes": 20642, + "destination.bytes": 21111, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -422,7 +464,7 @@ "destination.ip": "209.234.224.22", "destination.nat.ip": "209.234.224.22", "destination.nat.port": 443, - "destination.packets": 62, + "destination.packets": 51, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -448,7 +490,11 @@ "network.packets": 113, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "209.234.224.22", @@ -471,15 +517,17 @@ ], "server.bytes": 21111, "server.ip": "209.234.224.22", - "server.packets": 62, + "server.nat.ip": "209.234.224.22", + "server.nat.port": 443, + "server.packets": 51, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 21111, + "source.bytes": 20642, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 40763, - "source.packets": 51, + "source.packets": 62, "source.port": 52408, "tags": [ "pan-os" 
@@ -489,6 +537,8 @@ "@timestamp": "2018-11-30T16:09:21.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -528,7 +578,11 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -551,6 +605,8 @@ ], "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", @@ -569,12 +625,14 @@ "@timestamp": "2018-11-30T16:09:21.000-02:00", "client.bytes": 3365, "client.ip": "192.168.15.224", - "client.packets": 9, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 52881, + "client.packets": 7, "client.port": 59190, "destination.address": "172.217.2.238", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 3365, + "destination.bytes": 3732, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -582,7 +640,7 @@ "destination.ip": "172.217.2.238", "destination.nat.ip": "172.217.2.238", "destination.nat.port": 443, - "destination.packets": 7, + "destination.packets": 9, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", 
@@ -608,7 +666,11 @@ "network.packets": 16, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "172.217.2.238", @@ -631,15 +693,17 @@ ], "server.bytes": 3732, "server.ip": "172.217.2.238", - "server.packets": 7, + "server.nat.ip": "172.217.2.238", + "server.nat.port": 443, + "server.packets": 9, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 3732, + "source.bytes": 3365, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 52881, - "source.packets": 9, + "source.packets": 7, "source.port": 59190, "tags": [ "pan-os" @@ -649,12 +713,14 @@ "@timestamp": "2018-11-30T16:09:22.000-02:00", "client.bytes": 80, "client.ip": "192.168.15.207", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 26654, "client.packets": 1, "client.port": 49728, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 80, + "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -688,7 +754,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -711,11 +781,13 @@ ], "server.bytes": 221, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 221, + "source.bytes": 80, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 26654, @@ -729,12 +801,14 @@ "@timestamp": "2018-11-30T16:09:23.000-02:00", "client.bytes": 77, "client.ip": "192.168.15.207", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 2486, "client.packets": 1, "client.port": 50500, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 77, + "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -768,7 +842,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -791,11 +869,13 @@ ], "server.bytes": 221, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 221, + "source.bytes": 77, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 2486, 
@@ -809,12 +889,14 @@ "@timestamp": "2018-11-30T16:09:24.000-02:00", "client.bytes": 4509, "client.ip": "192.168.15.207", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 42021, "client.packets": 16, "client.port": 55112, "destination.address": "17.249.60.78", "destination.as.number": 714, "destination.as.organization.name": "Apple Inc.", - "destination.bytes": 4509, + "destination.bytes": 5469, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -848,7 +930,11 @@ "network.packets": 32, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "17.249.60.78", @@ -871,11 +957,13 @@ ], "server.bytes": 5469, "server.ip": "17.249.60.78", + "server.nat.ip": "17.249.60.78", + "server.nat.port": 443, "server.packets": 16, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 5469, + "source.bytes": 4509, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 42021, @@ -889,12 +977,14 @@ "@timestamp": "2018-11-30T16:09:24.000-02:00", "client.bytes": 73, "client.ip": "192.168.15.207", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 24377, "client.packets": 1, "client.port": 57632, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 73, + "destination.bytes": 224, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -928,7 +1018,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -951,11 +1045,13 @@ ], "server.bytes": 224, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 224, + "source.bytes": 73, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 24377, @@ -969,12 +1065,14 @@ "@timestamp": "2018-11-30T16:09:24.000-02:00", "client.bytes": 69, "client.ip": "192.168.15.207", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 48792, "client.packets": 1, "client.port": 50271, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 69, + "destination.bytes": 117, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1008,7 +1106,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -1031,11 +1133,13 @@ ], "server.bytes": 117, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 117, + "source.bytes": 69, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 48792, @@ -1049,12 +1153,14 @@ "@timestamp": "2018-11-30T16:09:24.000-02:00", "client.bytes": 85, "client.ip": "192.168.15.207", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 2987, "client.packets": 1, "client.port": 54061, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 85, + "destination.bytes": 307, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1088,7 +1194,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1111,11 +1221,13 @@ ], "server.bytes": 307, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 307, + "source.bytes": 85, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 2987, 
@@ -1129,12 +1241,14 @@ "@timestamp": "2018-11-30T16:09:24.000-02:00", "client.bytes": 75, "client.ip": "192.168.15.207", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 6945, "client.packets": 1, "client.port": 52701, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 75, + "destination.bytes": 365, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1168,7 +1282,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1191,11 +1309,13 @@ ], "server.bytes": 365, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 365, + "source.bytes": 75, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 6945, @@ -1209,6 +1329,8 @@ "@timestamp": "2018-11-30T16:09:27.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", 
@@ -1248,7 +1370,11 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1271,6 +1397,8 @@ ], "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", @@ -1289,12 +1417,14 @@ "@timestamp": "2018-11-30T16:09:27.000-02:00", "client.bytes": 97, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 42208, "client.packets": 1, "client.port": 62503, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 97, + "destination.bytes": 161, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1328,7 +1458,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1351,11 +1485,13 @@ ], "server.bytes": 161, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 161, + "source.bytes": 97, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 42208, 
@@ -1369,12 +1505,14 @@ "@timestamp": "2018-11-30T16:09:28.000-02:00", "client.bytes": 2086, "client.ip": "192.168.15.224", - "client.packets": 13, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 14660, + "client.packets": 14, "client.port": 52442, "destination.address": "98.138.49.44", "destination.as.number": 36646, "destination.as.organization.name": "Oath Holdings Inc.", - "destination.bytes": 2086, + "destination.bytes": 7805, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1382,7 +1520,7 @@ "destination.ip": "98.138.49.44", "destination.nat.ip": "98.138.49.44", "destination.nat.port": 443, - "destination.packets": 14, + "destination.packets": 13, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -1408,7 +1546,11 @@ "network.packets": 27, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "98.138.49.44", @@ -1431,15 +1573,17 @@ ], "server.bytes": 7805, "server.ip": "98.138.49.44", - "server.packets": 14, + "server.nat.ip": "98.138.49.44", + "server.nat.port": 443, + "server.packets": 13, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 7805, + "source.bytes": 2086, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 14660, - "source.packets": 13, + "source.packets": 14, "source.port": 52442, "tags": [ "pan-os" 
@@ -1449,12 +1593,14 @@ "@timestamp": "2018-11-30T16:09:28.000-02:00", "client.bytes": 2354, "client.ip": "192.168.15.224", - "client.packets": 11, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 16483, + "client.packets": 13, "client.port": 52441, "destination.address": "72.30.3.43", "destination.as.number": 26101, "destination.as.organization.name": "Oath Holdings Inc.", - "destination.bytes": 2354, + "destination.bytes": 6106, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1462,7 +1608,7 @@ "destination.ip": "72.30.3.43", "destination.nat.ip": "72.30.3.43", "destination.nat.port": 443, - "destination.packets": 13, + "destination.packets": 11, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -1488,7 +1634,11 @@ "network.packets": 24, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "72.30.3.43", @@ -1511,15 +1661,17 @@ ], "server.bytes": 6106, "server.ip": "72.30.3.43", - "server.packets": 13, + "server.nat.ip": "72.30.3.43", + "server.nat.port": 443, + "server.packets": 11, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 6106, + "source.bytes": 2354, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 16483, - "source.packets": 11, + "source.packets": 13, "source.port": 52441, "tags": [ "pan-os" 
@@ -1529,6 +1681,8 @@ "@timestamp": "2018-11-30T16:09:29.000-02:00", "client.bytes": 196, "client.ip": "192.168.15.196", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 2, "client.port": 0, "destination.address": "8.8.8.8", @@ -1568,7 +1722,11 @@ "network.packets": 4, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1591,6 +1749,8 @@ ], "server.bytes": 196, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 2, "server.port": 0, "service.type": "panw", @@ -1609,12 +1769,14 @@ "@timestamp": "2018-11-30T16:09:29.000-02:00", "client.bytes": 2545, "client.ip": "192.168.15.224", - "client.packets": 17, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 5570, + "client.packets": 19, "client.port": 52355, "destination.address": "172.217.9.142", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 2545, + "destination.bytes": 3245, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1622,7 +1784,7 @@ "destination.ip": "172.217.9.142", "destination.nat.ip": "172.217.9.142", "destination.nat.port": 80, - "destination.packets": 19, + "destination.packets": 17, "destination.port": 80, "event.action": "flow_terminated", "event.category": "network_traffic", 
@@ -1648,7 +1810,11 @@ "network.packets": 36, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "172.217.9.142", @@ -1671,15 +1837,17 @@ ], "server.bytes": 3245, "server.ip": "172.217.9.142", - "server.packets": 19, + "server.nat.ip": "172.217.9.142", + "server.nat.port": 80, + "server.packets": 17, "server.port": 80, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 3245, + "source.bytes": 2545, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 5570, - "source.packets": 17, + "source.packets": 19, "source.port": 52355, "tags": [ "pan-os" @@ -1689,12 +1857,14 @@ "@timestamp": "2018-11-30T16:09:29.000-02:00", "client.bytes": 82, "client.ip": "192.168.15.207", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 24430, "client.packets": 1, "client.port": 50196, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 82, + "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -1728,7 +1898,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -1751,11 +1925,13 @@ ], "server.bytes": 179, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.207", - "source.bytes": 179, + "source.bytes": 82, "source.ip": "192.168.15.207", "source.nat.ip": "192.168.1.63", "source.nat.port": 24430, @@ -1769,12 +1945,14 @@ "@timestamp": "2018-11-30T16:09:30.000-02:00", "client.bytes": 1758, "client.ip": "192.168.15.224", - "client.packets": 12, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 12122, + "client.packets": 13, "client.port": 52454, "destination.address": "54.84.80.198", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 1758, + "destination.bytes": 4537, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1785,7 +1963,7 @@ "destination.ip": "54.84.80.198", "destination.nat.ip": "54.84.80.198", "destination.nat.port": 443, - "destination.packets": 13, + "destination.packets": 12, "destination.port": 443, "event.action": "flow_started", "event.category": "network_traffic", @@ -1811,7 +1989,11 @@ "network.packets": 25, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.84.80.198", 
@@ -1834,15 +2016,17 @@ ], "server.bytes": 4537, "server.ip": "54.84.80.198", - "server.packets": 13, + "server.nat.ip": "54.84.80.198", + "server.nat.port": 443, + "server.packets": 12, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 4537, + "source.bytes": 1758, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 12122, - "source.packets": 12, + "source.packets": 13, "source.port": 52454, "tags": [ "pan-os" @@ -1852,10 +2036,12 @@ "@timestamp": "2018-11-30T16:09:32.000-02:00", "client.bytes": 624, "client.ip": "192.168.15.224", - "client.packets": 0, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 49145, + "client.packets": 8, "client.port": 52445, "destination.address": "199.167.55.52", - "destination.bytes": 624, + "destination.bytes": 0, "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -1866,7 +2052,7 @@ "destination.ip": "199.167.55.52", "destination.nat.ip": "199.167.55.52", "destination.nat.port": 4282, - "destination.packets": 8, + "destination.packets": 0, "destination.port": 4282, "event.action": "flow_dropped", "event.category": "network_traffic", @@ -1892,7 +2078,11 @@ "network.packets": 8, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "199.167.55.52", 
@@ -1915,15 +2105,17 @@ ], "server.bytes": 0, "server.ip": "199.167.55.52", - "server.packets": 8, + "server.nat.ip": "199.167.55.52", + "server.nat.port": 4282, + "server.packets": 0, "server.port": 4282, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 0, + "source.bytes": 624, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 49145, - "source.packets": 0, + "source.packets": 8, "source.port": 52445, "tags": [ "pan-os" @@ -1933,6 +2125,8 @@ "@timestamp": "2018-11-30T16:09:33.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -1972,7 +2166,11 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1995,6 +2193,8 @@ ], "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", @@ -2013,12 +2213,14 @@ "@timestamp": "2018-11-30T16:09:34.000-02:00", "client.bytes": 85, "client.ip": "192.168.15.210", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 33110, "client.packets": 1, "client.port": 35485, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 85, + "destination.bytes": 130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -2051,7 +2253,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2074,11 +2280,13 @@ ], "server.bytes": 130, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.210", - "source.bytes": 130, + "source.bytes": 85, "source.ip": "192.168.15.210", "source.nat.ip": "192.168.1.63", "source.nat.port": 33110, @@ -2092,12 +2300,14 @@ "@timestamp": "2018-11-30T16:09:37.000-02:00", "client.bytes": 2876, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 9299, "client.packets": 6, "client.port": 62730, "destination.address": "172.217.9.142", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 2876, + "destination.bytes": 1991, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2130,7 +2340,11 @@ "network.packets": 12, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "172.217.9.142", 
@@ -2153,11 +2367,13 @@ ], "server.bytes": 1991, "server.ip": "172.217.9.142", + "server.nat.ip": "172.217.9.142", + "server.nat.port": 443, "server.packets": 6, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 1991, + "source.bytes": 2876, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 9299, @@ -2171,12 +2387,14 @@ "@timestamp": "2018-11-30T16:09:38.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 5, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 47194, + "client.packets": 8, "client.port": 52506, "destination.address": "151.101.2.2", "destination.as.number": 54113, "destination.as.organization.name": "Fastly", - "destination.bytes": 1100, + "destination.bytes": 523, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2184,7 +2402,7 @@ "destination.ip": "151.101.2.2", "destination.nat.ip": "151.101.2.2", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 5, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -2210,7 +2428,11 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "151.101.2.2", 
@@ -2233,15 +2455,17 @@ ], "server.bytes": 523, "server.ip": "151.101.2.2", - "server.packets": 8, + "server.nat.ip": "151.101.2.2", + "server.nat.port": 443, + "server.packets": 5, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 523, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 47194, - "source.packets": 5, + "source.packets": 8, "source.port": 52506, "tags": [ "pan-os" @@ -2251,12 +2475,14 @@ "@timestamp": "2018-11-30T16:09:38.000-02:00", "client.bytes": 1977, "client.ip": "192.168.15.224", - "client.packets": 4, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 62921, + "client.packets": 5, "client.port": 60596, "destination.address": "216.58.194.66", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 1977, + "destination.bytes": 2428, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2267,7 +2493,7 @@ "destination.ip": "216.58.194.66", "destination.nat.ip": "216.58.194.66", "destination.nat.port": 443, - "destination.packets": 5, + "destination.packets": 4, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -2293,7 +2519,11 @@ "network.packets": 9, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "216.58.194.66", 
@@ -2316,15 +2546,17 @@ ], "server.bytes": 2428, "server.ip": "216.58.194.66", - "server.packets": 5, + "server.nat.ip": "216.58.194.66", + "server.nat.port": 443, + "server.packets": 4, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 2428, + "source.bytes": 1977, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 62921, - "source.packets": 4, + "source.packets": 5, "source.port": 60596, "tags": [ "pan-os" @@ -2334,6 +2566,8 @@ "@timestamp": "2018-11-30T16:09:39.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -2373,7 +2607,11 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2396,6 +2634,8 @@ ], "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", @@ -2414,6 +2654,8 @@ "@timestamp": "2018-11-30T16:09:39.000-02:00", "client.bytes": 196, "client.ip": "192.168.15.210", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 2, "client.port": 0, "destination.address": "8.8.8.8", 
@@ -2453,7 +2695,11 @@ "network.packets": 4, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2476,6 +2722,8 @@ ], "server.bytes": 196, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 2, "server.port": 0, "service.type": "panw", @@ -2494,12 +2742,14 @@ "@timestamp": "2018-11-30T16:09:39.000-02:00", "client.bytes": 2228, "client.ip": "192.168.15.224", - "client.packets": 10, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 41958, + "client.packets": 12, "client.port": 52514, "destination.address": "184.51.253.193", "destination.as.number": 16625, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.bytes": 2228, + "destination.bytes": 5003, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2507,7 +2757,7 @@ "destination.ip": "184.51.253.193", "destination.nat.ip": "184.51.253.193", "destination.nat.port": 443, - "destination.packets": 12, + "destination.packets": 10, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -2533,7 +2783,11 @@ "network.packets": 22, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.253.193", 
@@ -2556,15 +2810,17 @@ ], "server.bytes": 5003, "server.ip": "184.51.253.193", - "server.packets": 12, + "server.nat.ip": "184.51.253.193", + "server.nat.port": 443, + "server.packets": 10, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 5003, + "source.bytes": 2228, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 41958, - "source.packets": 10, + "source.packets": 12, "source.port": 52514, "tags": [ "pan-os" @@ -2574,12 +2830,14 @@ "@timestamp": "2018-11-30T16:09:40.000-02:00", "client.bytes": 96, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 51374, "client.packets": 1, "client.port": 55155, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 96, + "destination.bytes": 171, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -2613,7 +2871,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2636,11 +2898,13 @@ ], "server.bytes": 171, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 171, + "source.bytes": 96, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 51374, 
@@ -2654,10 +2918,12 @@ "@timestamp": "2018-11-30T16:09:40.000-02:00", "client.bytes": 78, "client.ip": "192.168.15.224", - "client.packets": 0, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 25566, + "client.packets": 1, "client.port": 52445, "destination.address": "199.167.55.52", - "destination.bytes": 78, + "destination.bytes": 0, "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2668,7 +2934,7 @@ "destination.ip": "199.167.55.52", "destination.nat.ip": "199.167.55.52", "destination.nat.port": 4282, - "destination.packets": 1, + "destination.packets": 0, "destination.port": 4282, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -2694,7 +2960,11 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "199.167.55.52", @@ -2717,15 +2987,17 @@ ], "server.bytes": 0, "server.ip": "199.167.55.52", - "server.packets": 1, + "server.nat.ip": "199.167.55.52", + "server.nat.port": 4282, + "server.packets": 0, "server.port": 4282, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 0, + "source.bytes": 78, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 25566, - "source.packets": 0, + "source.packets": 1, "source.port": 52445, "tags": [ "pan-os" 
@@ -2735,12 +3007,14 @@ "@timestamp": "2018-11-30T16:09:42.000-02:00", "client.bytes": 1086, "client.ip": "192.168.15.224", - "client.packets": 9, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 63757, + "client.packets": 11, "client.port": 52516, "destination.address": "199.167.52.219", "destination.as.number": 54538, "destination.as.organization.name": "PALO ALTO NETWORKS", - "destination.bytes": 1086, + "destination.bytes": 2316, "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2751,7 +3025,7 @@ "destination.ip": "199.167.52.219", "destination.nat.ip": "199.167.52.219", "destination.nat.port": 17472, - "destination.packets": 11, + "destination.packets": 9, "destination.port": 17472, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -2777,7 +3051,11 @@ "network.packets": 20, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "199.167.52.219", @@ -2800,15 +3078,17 @@ ], "server.bytes": 2316, "server.ip": "199.167.52.219", - "server.packets": 11, + "server.nat.ip": "199.167.52.219", + "server.nat.port": 17472, + "server.packets": 9, "server.port": 17472, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 2316, + "source.bytes": 1086, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 63757, - "source.packets": 9, + "source.packets": 11, "source.port": 52516, "tags": [ "pan-os" 
@@ -2818,12 +3098,14 @@ "@timestamp": "2018-11-30T16:09:42.000-02:00", "client.bytes": 2628, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 3803, "client.packets": 19, "client.port": 52511, "destination.address": "52.71.117.196", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 2628, + "destination.bytes": 13966, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -2860,7 +3142,11 @@ "network.packets": 38, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.71.117.196", @@ -2883,11 +3169,13 @@ ], "server.bytes": 13966, "server.ip": "52.71.117.196", + "server.nat.ip": "52.71.117.196", + "server.nat.port": 443, "server.packets": 19, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 13966, + "source.bytes": 2628, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 3803, @@ -2901,12 +3189,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 79, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 34994, "client.packets": 1, "client.port": 3018, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 79, + "destination.bytes": 244, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -2940,7 +3230,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2963,11 +3257,13 @@ ], "server.bytes": 244, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 244, + "source.bytes": 79, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 34994, @@ -2981,12 +3277,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 95, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 38064, "client.packets": 1, "client.port": 16569, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 95, + "destination.bytes": 205, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3020,7 +3318,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -3043,11 +3345,13 @@ ], "server.bytes": 205, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 205, + "source.bytes": 95, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 38064, @@ -3061,12 +3365,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 4296, "client.ip": "192.168.15.224", - "client.packets": 20, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 42924, + "client.packets": 24, "client.port": 52479, "destination.address": "35.186.194.41", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 4296, + "destination.bytes": 2302, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3077,7 +3383,7 @@ "destination.ip": "35.186.194.41", "destination.nat.ip": "35.186.194.41", "destination.nat.port": 443, - "destination.packets": 24, + "destination.packets": 20, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3103,7 +3409,11 @@ "network.packets": 44, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.186.194.41", 
@@ -3126,15 +3436,17 @@ ], "server.bytes": 2302, "server.ip": "35.186.194.41", - "server.packets": 24, + "server.nat.ip": "35.186.194.41", + "server.nat.port": 443, + "server.packets": 20, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 2302, + "source.bytes": 4296, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 42924, - "source.packets": 20, + "source.packets": 24, "source.port": 52479, "tags": [ "pan-os" @@ -3144,19 +3456,21 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 58831, "client.ip": "192.168.15.224", - "client.packets": 41, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 58977, + "client.packets": 63, "client.port": 52478, "destination.address": "35.201.124.9", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 58831, + "destination.bytes": 6757, "destination.geo.continent_name": "Asia", "destination.geo.location.lat": 35.0, "destination.geo.location.lon": 105.0, "destination.ip": "35.201.124.9", "destination.nat.ip": "35.201.124.9", "destination.nat.port": 443, - "destination.packets": 63, + "destination.packets": 41, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3182,7 +3496,11 @@ "network.packets": 104, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.201.124.9", 
@@ -3205,15 +3523,17 @@ ], "server.bytes": 6757, "server.ip": "35.201.124.9", - "server.packets": 63, + "server.nat.ip": "35.201.124.9", + "server.nat.port": 443, + "server.packets": 41, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 6757, + "source.bytes": 58831, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 58977, - "source.packets": 41, + "source.packets": 63, "source.port": 52478, "tags": [ "pan-os" @@ -3223,12 +3543,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 4069, "client.ip": "192.168.15.224", - "client.packets": 15, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 64732, + "client.packets": 17, "client.port": 52502, "destination.address": "100.24.131.237", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 4069, + "destination.bytes": 9007, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3239,7 +3561,7 @@ "destination.ip": "100.24.131.237", "destination.nat.ip": "100.24.131.237", "destination.nat.port": 443, - "destination.packets": 17, + "destination.packets": 15, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3265,7 +3587,11 @@ "network.packets": 32, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "100.24.131.237", 
@@ -3288,15 +3614,17 @@ ], "server.bytes": 9007, "server.ip": "100.24.131.237", - "server.packets": 17, + "server.nat.ip": "100.24.131.237", + "server.nat.port": 443, + "server.packets": 15, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 9007, + "source.bytes": 4069, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 64732, - "source.packets": 15, + "source.packets": 17, "source.port": 52502, "tags": [ "pan-os" @@ -3306,12 +3634,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 7, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 58292, + "client.packets": 8, "client.port": 52458, "destination.address": "184.51.252.247", "destination.as.number": 16625, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.bytes": 1100, + "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3319,7 +3649,7 @@ "destination.ip": "184.51.252.247", "destination.nat.ip": "184.51.252.247", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3345,7 +3675,11 @@ "network.packets": 15, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.252.247", 
@@ -3368,15 +3702,17 @@ ], "server.bytes": 661, "server.ip": "184.51.252.247", - "server.packets": 8, + "server.nat.ip": "184.51.252.247", + "server.nat.port": 443, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 661, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 58292, - "source.packets": 7, + "source.packets": 8, "source.port": 52458, "tags": [ "pan-os" @@ -3386,12 +3722,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 3596, "client.ip": "192.168.15.224", - "client.packets": 16, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 32209, + "client.packets": 15, "client.port": 52484, "destination.address": "35.190.88.148", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 3596, + "destination.bytes": 11136, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3402,7 +3740,7 @@ "destination.ip": "35.190.88.148", "destination.nat.ip": "35.190.88.148", "destination.nat.port": 443, - "destination.packets": 15, + "destination.packets": 16, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3428,7 +3766,11 @@ "network.packets": 31, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.190.88.148", 
@@ -3451,15 +3793,17 @@ ], "server.bytes": 11136, "server.ip": "35.190.88.148", - "server.packets": 15, + "server.nat.ip": "35.190.88.148", + "server.nat.port": 443, + "server.packets": 16, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 11136, + "source.bytes": 3596, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 32209, - "source.packets": 16, + "source.packets": 15, "source.port": 52484, "tags": [ "pan-os" @@ -3469,12 +3813,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 3596, "client.ip": "192.168.15.224", - "client.packets": 16, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 38822, + "client.packets": 15, "client.port": 52482, "destination.address": "35.186.243.83", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 3596, + "destination.bytes": 11136, "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", @@ -3485,7 +3831,7 @@ "destination.ip": "35.186.243.83", "destination.nat.ip": "35.186.243.83", "destination.nat.port": 443, - "destination.packets": 15, + "destination.packets": 16, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3511,7 +3857,11 @@ "network.packets": 31, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.186.243.83", 
@@ -3534,15 +3884,17 @@ ], "server.bytes": 11136, "server.ip": "35.186.243.83", - "server.packets": 15, + "server.nat.ip": "35.186.243.83", + "server.nat.port": 443, + "server.packets": 16, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 11136, + "source.bytes": 3596, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 38822, - "source.packets": 16, + "source.packets": 15, "source.port": 52482, "tags": [ "pan-os" @@ -3552,12 +3904,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 84, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 16044, "client.packets": 1, "client.port": 33769, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 84, + "destination.bytes": 182, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3591,7 +3945,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -3614,11 +3972,13 @@ ], "server.bytes": 182, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 182, + "source.bytes": 84, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 16044, 
@@ -3632,12 +3992,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 74, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 56614, "client.packets": 1, "client.port": 14106, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 74, + "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -3671,7 +4033,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -3694,11 +4060,13 @@ ], "server.bytes": 90, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 90, + "source.bytes": 74, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 56614, @@ -3712,12 +4080,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 2731, "client.ip": "192.168.15.224", - "client.packets": 13, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 53168, + "client.packets": 17, "client.port": 52503, "destination.address": "100.24.165.74", "destination.as.number": 14618, "destination.as.organization.name": "Amazon.com, Inc.", - "destination.bytes": 2731, + "destination.bytes": 6669, "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", 
@@ -3728,7 +4098,7 @@ "destination.ip": "100.24.165.74", "destination.nat.ip": "100.24.165.74", "destination.nat.port": 443, - "destination.packets": 17, + "destination.packets": 13, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3754,7 +4124,11 @@ "network.packets": 30, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "trust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "untrust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "100.24.165.74", @@ -3777,15 +4151,17 @@ ], "server.bytes": 6669, "server.ip": "100.24.165.74", - "server.packets": 17, + "server.nat.ip": "100.24.165.74", + "server.nat.port": 443, + "server.packets": 13, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 6669, + "source.bytes": 2731, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 53168, - "source.packets": 13, + "source.packets": 17, "source.port": 52503, "tags": [ "pan-os" @@ -3795,12 +4171,14 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 1100, "client.ip": "192.168.15.224", - "client.packets": 7, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 28012, + "client.packets": 8, "client.port": 52459, "destination.address": "184.51.252.247", "destination.as.number": 16625, "destination.as.organization.name": "Akamai Technologies, Inc.", - "destination.bytes": 1100, + "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -3808,7 +4186,7 @@ "destination.ip": "184.51.252.247", "destination.nat.ip": "184.51.252.247", "destination.nat.port": 443, - "destination.packets": 8, + "destination.packets": 7, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3834,7 +4212,11 @@ "network.packets": 15, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "xtrust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.252.247", @@ -3857,15 +4239,17 @@ ], "server.bytes": 661, "server.ip": "184.51.252.247", - "server.packets": 8, + "server.nat.ip": "184.51.252.247", + "server.nat.port": 443, + "server.packets": 7, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 661, + "source.bytes": 1100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 28012, - "source.packets": 7, + "source.packets": 8, "source.port": 52459, "tags": [ "pan-os" 
@@ -3875,19 +4259,21 @@ "@timestamp": "2018-11-30T16:09:45.000-02:00", "client.bytes": 3596, "client.ip": "192.168.15.224", - "client.packets": 16, + "client.nat.ip": "192.168.1.63", + "client.nat.port": 16050, + "client.packets": 15, "client.port": 52483, "destination.address": "35.201.94.140", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 3596, + "destination.bytes": 11136, "destination.geo.continent_name": "Asia", "destination.geo.location.lat": 35.0, "destination.geo.location.lon": 105.0, "destination.ip": "35.201.94.140", "destination.nat.ip": "35.201.94.140", "destination.nat.port": 443, - "destination.packets": 15, + "destination.packets": 16, "destination.port": 443, "event.action": "flow_terminated", "event.category": "network_traffic", @@ -3913,7 +4299,11 @@ "network.packets": 31, "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "xuntrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.201.94.140", @@ -3936,15 +4326,17 @@ ], "server.bytes": 11136, "server.ip": "35.201.94.140", - "server.packets": 15, + "server.nat.ip": "35.201.94.140", + "server.nat.port": 443, + "server.packets": 16, "server.port": 443, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 11136, + "source.bytes": 3596, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 16050, - "source.packets": 16, + "source.packets": 15, "source.port": 52483, "tags": [ "pan-os" 
@@ -3954,6 +4346,8 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 588, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 0, "client.packets": 6, "client.port": 0, "destination.address": "8.8.8.8", @@ -3993,7 +4387,9 @@ "network.packets": 12, "network.transport": "icmp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4014,6 +4410,8 @@ ], "server.bytes": 588, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 0, "server.packets": 6, "server.port": 0, "service.type": "panw", @@ -4032,12 +4430,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 84, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 61722, "client.packets": 1, "client.port": 38663, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 84, + "destination.bytes": 144, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4071,7 +4471,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -4094,11 +4498,13 @@ ], "server.bytes": 144, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 144, + "source.bytes": 84, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 61722, @@ -4112,12 +4518,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 131, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 14247, "client.packets": 1, "client.port": 50443, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 131, + "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4151,7 +4559,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4174,11 +4586,13 @@ ], "server.bytes": 206, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 206, + "source.bytes": 131, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 14247, 
@@ -4192,12 +4606,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 131, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 33580, "client.packets": 1, "client.port": 54215, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 131, + "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4231,7 +4647,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4254,11 +4674,13 @@ ], "server.bytes": 206, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 206, + "source.bytes": 131, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 33580, @@ -4272,12 +4694,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 83, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 13498, "client.packets": 1, "client.port": 35827, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 83, + "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -4311,7 +4735,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4334,11 +4762,13 @@ ], "server.bytes": 169, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 169, + "source.bytes": 83, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 13498, @@ -4352,12 +4782,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 100, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 20365, "client.packets": 1, "client.port": 60609, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 100, + "destination.bytes": 132, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4391,7 +4823,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -4414,11 +4850,13 @@ ], "server.bytes": 132, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 132, + "source.bytes": 100, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 20365, @@ -4432,12 +4870,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 79, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 61464, "client.packets": 1, "client.port": 3248, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 79, + "destination.bytes": 127, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4471,7 +4911,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4494,11 +4938,13 @@ ], "server.bytes": 127, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 127, + "source.bytes": 79, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 61464, 
@@ -4512,12 +4958,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 89, "client.ip": "192.168.15.196", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 42877, "client.packets": 1, "client.port": 49284, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 89, + "destination.bytes": 105, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4551,7 +4999,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4574,11 +5026,13 @@ ], "server.bytes": 105, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.196", - "source.bytes": 105, + "source.bytes": 89, "source.ip": "192.168.15.196", "source.nat.ip": "192.168.1.63", "source.nat.port": 42877, @@ -4592,12 +5046,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 97, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 5918, "client.packets": 1, "client.port": 57732, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 97, + "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -4631,7 +5087,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4654,11 +5114,13 @@ ], "server.bytes": 172, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 172, + "source.bytes": 97, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 5918, @@ -4672,12 +5134,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 78, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 28944, "client.packets": 1, "client.port": 49195, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 78, + "destination.bytes": 134, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4711,7 +5175,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -4734,11 +5202,13 @@ ], "server.bytes": 134, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 134, + "source.bytes": 78, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 28944, @@ -4752,12 +5222,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 73, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 13415, "client.packets": 1, "client.port": 17266, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 73, + "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4791,7 +5263,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4814,11 +5290,13 @@ ], "server.bytes": 179, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 179, + "source.bytes": 73, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 13415, 
@@ -4832,12 +5310,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 90, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 2489, "client.packets": 1, "client.port": 48631, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 90, + "destination.bytes": 218, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, @@ -4871,7 +5351,11 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.egress.interface.name": "ethernet1/1", + "observer.egress.zone": "untrust", "observer.hostname": "PA-220", + "observer.ingress.interface.name": "ethernet1/2", + "observer.ingress.zone": "trust", "observer.serial_number": "012801096514", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4894,11 +5378,13 @@ ], "server.bytes": 218, "server.ip": "8.8.8.8", + "server.nat.ip": "8.8.8.8", + "server.nat.port": 53, "server.packets": 1, "server.port": 53, "service.type": "panw", "source.address": "192.168.15.224", - "source.bytes": 218, + "source.bytes": 90, "source.ip": "192.168.15.224", "source.nat.ip": "192.168.1.63", "source.nat.port": 2489, @@ -4912,12 +5398,14 @@ "@timestamp": "2018-11-30T16:09:46.000-02:00", "client.bytes": 77, "client.ip": "192.168.15.224", + "client.nat.ip": "192.168.1.63", + "client.nat.port": 49328, "client.packets": 1, "client.port": 58540, "destination.address": "8.8.8.8", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", - "destination.bytes": 77, + "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", "destination.geo.location.lat": 37.751, 
@@ -4951,7 +5439,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -4974,11 +5466,13 @@
 ],
 "server.bytes": 172,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 172,
+ "source.bytes": 77,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 49328,
@@ -4992,12 +5486,14 @@
 "@timestamp": "2018-11-30T16:09:46.000-02:00",
 "client.bytes": 74,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 36036,
 "client.packets": 1,
 "client.port": 42678,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 74,
+ "destination.bytes": 305,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -5031,7 +5527,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -5054,11 +5554,13 @@
 ],
 "server.bytes": 305,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 305,
+ "source.bytes": 74,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 36036,
@@ -5072,12 +5574,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 76,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 33744,
 "client.packets": 1,
 "client.port": 16576,
 "destination.address": "66.28.0.45",
 "destination.as.number": 174,
 "destination.as.organization.name": "Cogent Communications",
- "destination.bytes": 76,
+ "destination.bytes": 527,
 "destination.geo.city_name": "Lanham",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -5114,7 +5618,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "66.28.0.45",
@@ -5137,11 +5645,13 @@
 ],
 "server.bytes": 527,
 "server.ip": "66.28.0.45",
+ "server.nat.ip": "66.28.0.45",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 527,
+ "source.bytes": 76,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 33744,
@@ -5155,12 +5665,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 89,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 45809,
 "client.packets": 1,
 "client.port": 39830,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 89,
+ "destination.bytes": 153,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -5194,7 +5706,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -5217,11 +5733,13 @@
 ],
 "server.bytes": 153,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 153,
+ "source.bytes": 89,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 45809,
@@ -5235,12 +5753,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 71,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 3675,
 "client.packets": 1,
 "client.port": 6185,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 71,
+ "destination.bytes": 169,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -5274,7 +5794,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -5297,11 +5821,13 @@
 ],
 "server.bytes": 169,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 169,
+ "source.bytes": 71,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 3675,
@@ -5315,12 +5841,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 80,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 5787,
 "client.packets": 1,
 "client.port": 8781,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 80,
+ "destination.bytes": 128,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -5354,7 +5882,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -5377,11 +5909,13 @@
 ],
 "server.bytes": 128,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 128,
+ "source.bytes": 80,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 5787,
@@ -5395,12 +5929,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 72,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 12342,
 "client.packets": 1,
 "client.port": 16788,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 72,
+ "destination.bytes": 181,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -5434,7 +5970,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -5457,11 +5997,13 @@
 ],
 "server.bytes": 181,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 181,
+ "source.bytes": 72,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 12342,
@@ -5475,12 +6017,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 76,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 18729,
 "client.packets": 1,
 "client.port": 45307,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 76,
+ "destination.bytes": 121,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -5514,7 +6058,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -5537,11 +6085,13 @@
 ],
 "server.bytes": 121,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 121,
+ "source.bytes": 76,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 18729,
@@ -5555,12 +6105,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 681,
 "client.ip": "192.168.15.224",
- "client.packets": 5,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 57858,
+ "client.packets": 6,
 "client.port": 52520,
 "destination.address": "23.52.174.25",
 "destination.as.number": 20940,
 "destination.as.organization.name": "Akamai International B.V.",
- "destination.bytes": 681,
+ "destination.bytes": 1246,
 "destination.geo.city_name": "San Antonio",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -5571,7 +6123,7 @@
 "destination.ip": "23.52.174.25",
 "destination.nat.ip": "23.52.174.25",
 "destination.nat.port": 80,
- "destination.packets": 6,
+ "destination.packets": 5,
 "destination.port": 80,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -5597,7 +6149,11 @@
 "network.packets": 11,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "23.52.174.25",
@@ -5620,15 +6176,17 @@
 ],
 "server.bytes": 1246,
 "server.ip": "23.52.174.25",
- "server.packets": 6,
+ "server.nat.ip": "23.52.174.25",
+ "server.nat.port": 80,
+ "server.packets": 5,
 "server.port": 80,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 1246,
+ "source.bytes": 681,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 57858,
- "source.packets": 5,
+ "source.packets": 6,
 "source.port": 52520,
 "tags": [
 "pan-os"
@@ -5638,12 +6196,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 79,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 2722,
 "client.packets": 1,
 "client.port": 8503,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 79,
+ "destination.bytes": 315,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -5677,7 +6237,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -5700,11 +6264,13 @@
 ],
 "server.bytes": 315,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 315,
+ "source.bytes": 79,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 2722,
@@ -5718,12 +6284,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 82,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 6674,
 "client.packets": 1,
 "client.port": 6910,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 82,
+ "destination.bytes": 130,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -5757,7 +6325,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -5780,11 +6352,13 @@
 ],
 "server.bytes": 130,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 130,
+ "source.bytes": 82,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 6674,
@@ -5798,12 +6372,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 354,
 "client.ip": "192.168.15.224",
- "client.packets": 4,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 37427,
+ "client.packets": 5,
 "client.port": 52475,
 "destination.address": "54.230.5.228",
 "destination.as.number": 16509,
 "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.bytes": 354,
+ "destination.bytes": 288,
 "destination.geo.city_name": "Seattle",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -5814,7 +6390,7 @@
 "destination.ip": "54.230.5.228",
 "destination.nat.ip": "54.230.5.228",
 "destination.nat.port": 443,
- "destination.packets": 5,
+ "destination.packets": 4,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -5840,7 +6416,11 @@
 "network.packets": 9,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "54.230.5.228",
@@ -5863,15 +6443,17 @@
 ],
 "server.bytes": 288,
 "server.ip": "54.230.5.228",
- "server.packets": 5,
+ "server.nat.ip": "54.230.5.228",
+ "server.nat.port": 443,
+ "server.packets": 4,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 288,
+ "source.bytes": 354,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 37427,
- "source.packets": 4,
+ "source.packets": 5,
 "source.port": 52475,
 "tags": [
 "pan-os"
@@ -5881,12 +6463,14 @@
 "@timestamp": "2018-11-30T16:09:47.000-02:00",
 "client.bytes": 76,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 22408,
 "client.packets": 1,
 "client.port": 14342,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 76,
+ "destination.bytes": 149,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -5920,7 +6504,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -5943,11 +6531,13 @@
 ],
 "server.bytes": 149,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 149,
+ "source.bytes": 76,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 22408,
@@ -5961,12 +6551,14 @@
 "@timestamp": "2018-11-30T16:09:48.000-02:00",
 "client.bytes": 71,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 27899,
 "client.packets": 1,
 "client.port": 48197,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 71,
+ "destination.bytes": 202,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -6000,7 +6592,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -6023,11 +6619,13 @@
 ],
 "server.bytes": 202,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 202,
+ "source.bytes": 71,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 27899,
@@ -6041,12 +6639,14 @@
 "@timestamp": "2018-11-30T16:09:48.000-02:00",
 "client.bytes": 75,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 52939,
 "client.packets": 1,
 "client.port": 32296,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 75,
+ "destination.bytes": 195,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -6080,7 +6680,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -6103,11 +6707,13 @@
 ],
 "server.bytes": 195,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 195,
+ "source.bytes": 75,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 52939,
@@ -6121,6 +6727,8 @@
 "@timestamp": "2018-11-30T16:09:48.000-02:00",
 "client.bytes": 90,
 "client.ip": "192.168.15.195",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 42907,
 "client.packets": 1,
 "client.port": 33870,
 "destination.address": "208.83.246.20",
@@ -6160,7 +6768,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "208.83.246.20",
@@ -6183,6 +6795,8 @@
 ],
 "server.bytes": 90,
 "server.ip": "208.83.246.20",
+ "server.nat.ip": "208.83.246.20",
+ "server.nat.port": 123,
 "server.packets": 1,
 "server.port": 123,
 "service.type": "panw",
@@ -6201,12 +6815,14 @@
 "@timestamp": "2018-11-30T16:09:49.000-02:00",
 "client.bytes": 148,
 "client.ip": "192.168.15.196",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 19658,
 "client.packets": 2,
 "client.port": 54659,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 148,
+ "destination.bytes": 192,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -6240,7 +6856,11 @@
 "network.packets": 4,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -6263,11 +6883,13 @@
 ],
 "server.bytes": 192,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 2,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.196",
- "source.bytes": 192,
+ "source.bytes": 148,
 "source.ip": "192.168.15.196",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 19658,
@@ -6281,12 +6903,14 @@
 "@timestamp": "2018-11-30T16:09:49.000-02:00",
 "client.bytes": 83,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 64352,
 "client.packets": 1,
 "client.port": 57446,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 83,
+ "destination.bytes": 208,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -6320,7 +6944,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -6343,11 +6971,13 @@
 ],
 "server.bytes": 208,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 208,
+ "source.bytes": 83,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 64352,
@@ -6361,12 +6991,14 @@
 "@timestamp": "2018-11-30T16:09:49.000-02:00",
 "client.bytes": 84,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 60126,
 "client.packets": 1,
 "client.port": 22655,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 84,
+ "destination.bytes": 100,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -6400,7 +7032,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -6423,11 +7059,13 @@
 ],
 "server.bytes": 100,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 100,
+ "source.bytes": 84,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 60126,
@@ -6441,12 +7079,14 @@
 "@timestamp": "2018-11-30T16:09:49.000-02:00",
 "client.bytes": 2053,
 "client.ip": "192.168.15.224",
- "client.packets": 11,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 59771,
+ "client.packets": 13,
 "client.port": 52509,
 "destination.address": "35.185.88.112",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 2053,
+ "destination.bytes": 7237,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 38.6583,
@@ -6456,7 +7096,7 @@
 "destination.ip": "35.185.88.112",
 "destination.nat.ip": "35.185.88.112",
 "destination.nat.port": 443,
- "destination.packets": 13,
+ "destination.packets": 11,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -6482,7 +7122,11 @@
 "network.packets": 24,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "35.185.88.112",
@@ -6505,15 +7149,17 @@
 ],
 "server.bytes": 7237,
 "server.ip": "35.185.88.112",
- "server.packets": 13,
+ "server.nat.ip": "35.185.88.112",
+ "server.nat.port": 443,
+ "server.packets": 11,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 7237,
+ "source.bytes": 2053,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 59771,
- "source.packets": 11,
+ "source.packets": 13,
 "source.port": 52509,
 "tags": [
 "pan-os"
@@ -6523,12 +7169,14 @@
 "@timestamp": "2018-11-30T16:09:49.000-02:00",
 "client.bytes": 93,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 35748,
 "client.packets": 1,
 "client.port": 27192,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 93,
+ "destination.bytes": 109,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -6562,7 +7210,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -6585,11 +7237,13 @@
 ],
 "server.bytes": 109,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 109,
+ "source.bytes": 93,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 35748,
@@ -6603,12 +7257,14 @@
 "@timestamp": "2018-11-30T16:09:49.000-02:00",
 "client.bytes": 84,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 63701,
 "client.packets": 1,
 "client.port": 30221,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 84,
+ "destination.bytes": 116,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -6642,7 +7298,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -6665,11 +7325,13 @@
 ],
 "server.bytes": 116,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 116,
+ "source.bytes": 84,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 63701,
@@ -6683,12 +7345,14 @@
 "@timestamp": "2018-11-30T16:09:49.000-02:00",
 "client.bytes": 64,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 57872,
 "client.packets": 1,
 "client.port": 30570,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 64,
+ "destination.bytes": 96,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -6722,7 +7386,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -6745,11 +7413,13 @@
 ],
 "server.bytes": 96,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 96,
+ "source.bytes": 64,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 57872,
@@ -6763,12 +7433,14 @@
 "@timestamp": "2018-11-30T16:09:50.000-02:00",
 "client.bytes": 1100,
 "client.ip": "192.168.15.224",
- "client.packets": 7,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 37581,
+ "client.packets": 8,
 "client.port": 52497,
 "destination.address": "50.19.85.24",
 "destination.as.number": 14618,
 "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.bytes": 1100,
+ "destination.bytes": 654,
 "destination.geo.city_name": "Ashburn",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -6779,7 +7451,7 @@
 "destination.ip": "50.19.85.24",
 "destination.nat.ip": "50.19.85.24",
 "destination.nat.port": 443,
- "destination.packets": 8,
+ "destination.packets": 7,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -6805,7 +7477,11 @@
 "network.packets": 15,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "50.19.85.24",
@@ -6828,15 +7504,17 @@
 ],
 "server.bytes": 654,
 "server.ip": "50.19.85.24",
- "server.packets": 8,
+ "server.nat.ip": "50.19.85.24",
+ "server.nat.port": 443,
+ "server.packets": 7,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 654,
+ "source.bytes": 1100,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 37581,
- "source.packets": 7,
+ "source.packets": 8,
 "source.port": 52497,
 "tags": [
 "pan-os"
@@ -6846,12 +7524,14 @@
 "@timestamp": "2018-11-30T16:09:50.000-02:00",
 "client.bytes": 1100,
 "client.ip": "192.168.15.224",
- "client.packets": 7,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 19226,
+ "client.packets": 8,
 "client.port": 52498,
 "destination.address": "50.19.85.24",
 "destination.as.number": 14618,
 "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.bytes": 1100,
+ "destination.bytes": 654,
 "destination.geo.city_name": "Ashburn",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -6862,7 +7542,7 @@
 "destination.ip": "50.19.85.24",
 "destination.nat.ip": "50.19.85.24",
 "destination.nat.port": 443,
- "destination.packets": 8,
+ "destination.packets": 7,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -6888,7 +7568,11 @@
 "network.packets": 15,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "50.19.85.24",
@@ -6911,15 +7595,17 @@
 ],
 "server.bytes": 654,
 "server.ip": "50.19.85.24",
- "server.packets": 8,
+ "server.nat.ip": "50.19.85.24",
+ "server.nat.port": 443,
+ "server.packets": 7,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 654,
+ "source.bytes": 1100,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 19226,
- "source.packets": 7,
+ "source.packets": 8,
 "source.port": 52498,
 "tags": [
 "pan-os"
@@ -6929,12 +7615,14 @@
 "@timestamp": "2018-11-30T16:09:50.000-02:00",
 "client.bytes": 1100,
 "client.ip": "192.168.15.224",
- "client.packets": 7,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 61721,
+ "client.packets": 8,
 "client.port": 52496,
 "destination.address": "50.19.85.24",
 "destination.as.number": 14618,
 "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.bytes": 1100,
+ "destination.bytes": 654,
 "destination.geo.city_name": "Ashburn",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -6945,7 +7633,7 @@
 "destination.ip": "50.19.85.24",
 "destination.nat.ip": "50.19.85.24",
 "destination.nat.port": 443,
- "destination.packets": 8,
+ "destination.packets": 7,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -6971,7 +7659,11 @@
 "network.packets": 15,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "50.19.85.24",
@@ -6994,15 +7686,17 @@
 ],
 "server.bytes": 654,
 "server.ip": "50.19.85.24",
- "server.packets": 8,
+ "server.nat.ip": "50.19.85.24",
+ "server.nat.port": 443,
+ "server.packets": 7,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 654,
+ "source.bytes": 1100,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 61721,
- "source.packets": 7,
+ "source.packets": 8,
 "source.port": 52496,
 "tags": [
 "pan-os"
@@ -7012,12 +7706,14 @@
 "@timestamp": "2018-11-30T16:09:50.000-02:00",
 "client.bytes": 2691,
 "client.ip": "192.168.15.224",
- "client.packets": 10,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 10098,
+ "client.packets": 12,
 "client.port": 52510,
 "destination.address": "104.254.150.9",
 "destination.as.number": 29990,
 "destination.as.organization.name": "AppNexus, Inc",
- "destination.bytes": 2691,
+ "destination.bytes": 7820,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -7025,7 +7721,7 @@
 "destination.ip": "104.254.150.9",
 "destination.nat.ip": "104.254.150.9",
 "destination.nat.port": 443,
- "destination.packets": 12,
+ "destination.packets": 10,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -7051,7 +7747,11 @@
 "network.packets": 22,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "104.254.150.9",
@@ -7074,15 +7774,17 @@
 ],
 "server.bytes": 7820,
 "server.ip": "104.254.150.9",
- "server.packets": 12,
+ "server.nat.ip": "104.254.150.9",
+ "server.nat.port": 443,
+ "server.packets": 10,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 7820,
+ "source.bytes": 2691,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 10098,
- "source.packets": 10,
+ "source.packets": 12,
 "source.port": 52510,
 "tags": [
 "pan-os"
@@ -7092,12 +7794,14 @@
 "@timestamp": "2018-11-30T16:09:50.000-02:00",
 "client.bytes": 1100,
 "client.ip": "192.168.15.224",
- "client.packets": 7,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 4564,
+ "client.packets": 8,
 "client.port": 52495,
 "destination.address": "50.19.85.24",
 "destination.as.number": 14618,
 "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.bytes": 1100,
+ "destination.bytes": 654,
 "destination.geo.city_name": "Ashburn",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -7108,7 +7812,7 @@
 "destination.ip": "50.19.85.24",
 "destination.nat.ip": "50.19.85.24",
 "destination.nat.port": 443,
- "destination.packets": 8,
+ "destination.packets": 7,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -7134,7 +7838,11 @@
 "network.packets": 15,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "50.19.85.24",
@@ -7157,15 +7865,17 @@
 ],
 "server.bytes": 654,
 "server.ip": "50.19.85.24",
- "server.packets": 8,
+ "server.nat.ip": "50.19.85.24",
+ "server.nat.port": 443,
+ "server.packets": 7,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 654,
+ "source.bytes": 1100,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 4564,
- "source.packets": 7,
+ "source.packets": 8,
 "source.port": 52495,
 "tags": [
 "pan-os"
@@ -7175,12 +7885,14 @@
 "@timestamp": "2018-11-30T16:09:50.000-02:00",
 "client.bytes": 276,
 "client.ip": "192.168.15.224",
- "client.packets": 3,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 32104,
+ "client.packets": 4,
 "client.port": 52486,
 "destination.address": "52.0.218.108",
 "destination.as.number": 14618,
 "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.bytes": 276,
+ "destination.bytes": 214,
 "destination.geo.city_name": "Ashburn",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -7191,7 +7903,7 @@
 "destination.ip": "52.0.218.108",
 "destination.nat.ip": "52.0.218.108",
 "destination.nat.port": 443,
- "destination.packets": 4,
+ "destination.packets": 3,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -7217,7 +7929,11 @@
 "network.packets": 7,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.0.218.108",
@@ -7240,15 +7956,17 @@
 ],
 "server.bytes": 214,
 "server.ip": "52.0.218.108",
- "server.packets": 4,
+ "server.nat.ip": "52.0.218.108",
+ "server.nat.port": 443,
+ "server.packets": 3,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 214,
+ "source.bytes": 276,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 32104,
- "source.packets": 3,
+ "source.packets": 4,
 "source.port": 52486,
 "tags": [
 "pan-os"
@@ -7258,12 +7976,14 @@
 "@timestamp": "2018-11-30T16:09:50.000-02:00",
 "client.bytes": 276,
 "client.ip": "192.168.15.224",
- "client.packets": 3,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 14172,
+ "client.packets": 4,
 "client.port": 52489,
 "destination.address": "52.6.117.19",
 "destination.as.number": 14618,
 "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.bytes": 276,
+ "destination.bytes": 214,
 "destination.geo.city_name": "Ashburn",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -7274,7 +7994,7 @@
 "destination.ip": "52.6.117.19",
 "destination.nat.ip": "52.6.117.19",
 "destination.nat.port": 443,
- "destination.packets": 4,
+ "destination.packets": 3,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -7300,7 +8020,11 @@
 "network.packets": 7,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "52.6.117.19",
@@ -7323,15 +8047,17 @@
 ],
 "server.bytes": 214,
 "server.ip": "52.6.117.19",
- "server.packets": 4,
+ "server.nat.ip": "52.6.117.19",
+ "server.nat.port": 443,
+ "server.packets": 3,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 214,
+ "source.bytes": 276,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 14172,
- "source.packets": 3,
+ "source.packets": 4,
 "source.port": 52489,
 "tags": [
 "pan-os"
@@ -7341,12 +8067,14 @@
 "@timestamp": "2018-11-30T16:09:50.000-02:00",
 "client.bytes": 276,
 "client.ip": "192.168.15.224",
- "client.packets": 3,
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 10286,
+ "client.packets": 4,
 "client.port": 52490,
 "destination.address": "34.238.96.22",
 "destination.as.number": 14618,
 "destination.as.organization.name": "Amazon.com, Inc.",
- "destination.bytes": 276,
+ "destination.bytes": 214,
 "destination.geo.city_name": "Ashburn",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -7357,7 +8085,7 @@
 "destination.ip": "34.238.96.22",
 "destination.nat.ip": "34.238.96.22",
 "destination.nat.port": 443,
- "destination.packets": 4,
+ "destination.packets": 3,
 "destination.port": 443,
 "event.action": "flow_terminated",
 "event.category": "network_traffic",
@@ -7383,7 +8111,11 @@
 "network.packets": 7,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "34.238.96.22",
@@ -7406,15 +8138,17 @@
 ],
 "server.bytes": 214,
 "server.ip": "34.238.96.22",
- "server.packets": 4,
+ "server.nat.ip": "34.238.96.22",
+ "server.nat.port": 443,
+ "server.packets": 3,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 214,
+ "source.bytes": 276,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 10286,
- "source.packets": 3,
+ "source.packets": 4,
 "source.port": 52490,
 "tags": [
 "pan-os"
@@ -7424,12 +8158,14 @@
 "@timestamp": "2018-11-30T16:09:50.000-02:00",
 "client.bytes": 276,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 30799,
 "client.packets": 4,
 "client.port": 52493,
 "destination.address": "130.211.47.17",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 276,
+ "destination.bytes": 280,
 "destination.geo.city_name": "Mountain View",
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
@@ -7466,7 +8202,11 @@
 "network.packets": 8,
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "130.211.47.17",
@@ -7489,11 +8229,13 @@
 ],
 "server.bytes": 280,
 "server.ip": "130.211.47.17",
+ "server.nat.ip": "130.211.47.17",
+ "server.nat.port": 443,
 "server.packets": 4,
 "server.port": 443,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 280,
+ "source.bytes": 276,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 30799,
@@ -7507,12 +8249,14 @@
 "@timestamp": "2018-11-30T16:09:51.000-02:00",
 "client.bytes": 97,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 13490,
 "client.packets": 1,
 "client.port": 59320,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 97,
+ "destination.bytes": 172,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -7546,7 +8290,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -7569,11 +8317,13 @@
 ],
 "server.bytes": 172,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 172,
+ "source.bytes": 97,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 13490,
@@ -7587,6 +8337,8 @@
 "@timestamp": "2018-11-30T16:09:52.000-02:00",
 "client.bytes": 588,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 0,
 "client.packets": 6,
 "client.port": 0,
 "destination.address": "8.8.8.8",
@@ -7626,7 +8378,11 @@
 "network.packets": 12,
 "network.transport": "icmp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -7649,6 +8405,8 @@
 ],
 "server.bytes": 588,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 0,
 "server.packets": 6,
 "server.port": 0,
 "service.type": "panw",
@@ -7667,12 +8425,14 @@
 "@timestamp": "2018-11-30T16:09:52.000-02:00",
 "client.bytes": 78,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 53751,
 "client.packets": 1,
 "client.port": 13076,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 78,
+ "destination.bytes": 94,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -7706,7 +8466,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -7729,11 +8493,13 @@
 ],
 "server.bytes": 94,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 94,
+ "source.bytes": 78,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 53751,
@@ -7747,12 +8513,14 @@
 "@timestamp": "2018-11-30T16:09:52.000-02:00",
 "client.bytes": 72,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 21643,
 "client.packets": 1,
 "client.port": 5511,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 72,
+ "destination.bytes": 170,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -7786,7 +8554,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -7809,11 +8581,13 @@
 ],
 "server.bytes": 170,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 170,
+ "source.bytes": 72,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 21643,
@@ -7827,12 +8601,14 @@
 "@timestamp": "2018-11-30T16:09:52.000-02:00",
 "client.bytes": 78,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 22446,
 "client.packets": 1,
 "client.port": 9799,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 78,
+ "destination.bytes": 94,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -7866,7 +8642,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -7889,11 +8669,13 @@
 ],
 "server.bytes": 94,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 94,
+ "source.bytes": 78,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 22446,
@@ -7907,12 +8689,14 @@
 "@timestamp": "2018-11-30T16:09:52.000-02:00",
 "client.bytes": 78,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 22301,
 "client.packets": 1,
 "client.port": 39169,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 78,
+ "destination.bytes": 94,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -7946,7 +8730,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -7969,11 +8757,13 @@
 ],
 "server.bytes": 94,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 94,
+ "source.bytes": 78,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 22301,
@@ -7987,12 +8777,14 @@
 "@timestamp": "2018-11-30T16:09:52.000-02:00",
 "client.bytes": 72,
 "client.ip": "192.168.15.224",
+ "client.nat.ip": "192.168.1.63",
+ "client.nat.port": 58124,
 "client.packets": 1,
 "client.port": 42476,
 "destination.address": "8.8.8.8",
 "destination.as.number": 15169,
 "destination.as.organization.name": "Google LLC",
- "destination.bytes": 72,
+ "destination.bytes": 166,
 "destination.geo.continent_name": "North America",
 "destination.geo.country_iso_code": "US",
 "destination.geo.location.lat": 37.751,
@@ -8026,7 +8818,11 @@
 "network.packets": 2,
 "network.transport": "udp",
 "network.type": "ipv4",
+ "observer.egress.interface.name": "ethernet1/1",
+ "observer.egress.zone": "untrust",
 "observer.hostname": "PA-220",
+ "observer.ingress.interface.name": "ethernet1/2",
+ "observer.ingress.zone": "trust",
 "observer.serial_number": "012801096514",
 "panw.panos.destination.interface": "ethernet1/1",
 "panw.panos.destination.nat.ip": "8.8.8.8",
@@ -8049,11 +8845,13 @@
 ],
 "server.bytes": 166,
 "server.ip": "8.8.8.8",
+ "server.nat.ip": "8.8.8.8",
+ "server.nat.port": 53,
 "server.packets": 1,
 "server.port": 53,
 "service.type": "panw",
 "source.address": "192.168.15.224",
- "source.bytes": 166,
+ "source.bytes": 72,
 "source.ip": "192.168.15.224",
 "source.nat.ip": "192.168.1.63",
 "source.nat.port": 58124,