├── .gitignore
├── README.md
├── bin
│   ├── data
│   │   ├── pan_endpoint.txt
│   │   ├── pan_globalprotect.txt
│   │   ├── pan_incident.txt
│   │   ├── pan_incident_data_config.txt
│   │   ├── pan_netflow.txt
│   │   └── reports
│   │       ├── report000.evt
│   │       ├── report001.evt
│   │       ├── report002.evt
│   │       ├── report003.evt
│   │       ├── report004.evt
│   │       ├── report005.evt
│   │       ├── report006.evt
│   │       ├── report007.evt
│   │       ├── report008.evt
│   │       ├── report009.evt
│   │       ├── report010.evt
│   │       ├── report011.evt
│   │       ├── report012.evt
│   │       ├── report013.evt
│   │       └── report014.evt
│   └── scripts
│       ├── pan_endpoint.py
│       ├── pan_globalprotect.py
│       ├── pan_inc_data_config.py
│       ├── pan_inc_wildfire_report.py
│       └── pan_incident.py
├── default
│   ├── app.conf
│   ├── authorize.conf
│   ├── indexes.conf
│   └── inputs.conf
├── logs
│   ├── pan_inc.log
│   └── pan_inc_data_config.log
└── metadata
    └── default.meta
/.gitignore:
--------------------------------------------------------------------------------
1 | # Borrowed from https://github.com/splunk/splunk-app-splunkgit
2 |
3 | # OSX noise
4 | .DS_Store
5 |
6 | # Compiled python files
7 | *.pyc
8 |
9 | # Eclipse project files
10 | .project
11 | .pydevproject
12 |
13 | # Local stuff
14 | local.meta
15 | local/*
16 | !local/inputs.conf.sample
17 |
18 | # Git repositories folder
19 | git-repositories/
20 |
21 | # PyCharm/IntelliJ meta-directory
22 | .idea
23 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | Sample Data Generator for Palo Alto Networks Splunk App
 3 | =======================================================
 4 | 
 5 | ## Description ##
 6 | 
 7 | This app installs on Splunk side-by-side with the SplunkforPaloAltoNetworks
 8 | app. When this app is enabled, it generates events from the sample data under
 9 | bin/data (endpoint, GlobalProtect, incident, NetFlow and WildFire report
10 | samples) for the SplunkforPaloAltoNetworks app to parse and display.
11 | 
12 | ## Requirements ##
13 | 
14 | - Splunk 5.x or 6.x
15 | - SplunkforPaloAltoNetworks app (http://apps.splunk.com/app/491)
16 | 
17 | ## Installation ##
18 | 
19 | All steps must be performed in order. The examples assume Splunk is
20 | installed in /opt/splunk; adjust the paths if yours is installed elsewhere.
21 | 
22 | - Install this pan_datagen app on Splunk from the .zip file or with git.
23 | - Restart Splunk.
24 | - Create a new user called 'pan' with password 'pan' and role 'pan'.
25 |   The data generator expects exactly this user name, password and role
26 |   (the role comes from the app's default/authorize.conf).
27 | 
28 | For example, on the command line
29 | (replace `changeme` with your Splunk admin password):
30 | 
31 |     /opt/splunk/bin/splunk add user pan -password pan -role pan -auth admin:changeme
32 | 
33 | - Restart Splunk again.
34 | - Verify that events are arriving by opening the Overview dashboard of the
35 |   Palo Alto Networks app.
36 | 
37 | ## Known issues ##
38 | 
39 | - This app can consume a lot of resources, so do not run it on a production
40 |   Splunk environment. It is meant only for testing or demonstration.
41 | - The generator depends on a fixed, well-known credential (user 'pan',
42 |   password 'pan'). Keep a Splunk instance running this app off networks
43 |   where that account could be reached by others, and delete the account
44 |   when you remove the app.
45 | - The sample data is not always in the format of the latest PAN-OS syslog
46 |   release. It may use older PAN-OS syslog formats, or a mix of old and new,
47 |   so field extractions written against current PAN-OS output may not match
48 |   every sample event.
49 | 
--------------------------------------------------------------------------------
/bin/data/pan_endpoint.txt:
--------------------------------------------------------------------------------
1 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Access Violation|Threat|9|rt=Mar 09 2016 16:45:17 shost=SERVER2008R2QA duser=Administrator cs2Label=Module cs2= msg=Access Violation- child process: notepad.exe
2 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Agent Policy Changed|Agent|3|rt=Mar 09 2016 15:50:04 shost=SERVER2008R2QA suser=Administrator msg=Policy changed
3 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Heartbeat|Agent|3|rt=Mar 09 2016 15:54:27 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Service is alive
4 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Heartbeat|Agent|3|rt=Mar 09 2016 16:03:10 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Service is alive
5 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Heartbeat|Agent|3|rt=Mar 09 2016 16:09:25 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Service is alive
6 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Process Crashed|Agent|6|rt=Mar 09 2016 16:02:26 dhost=WIN7-DOMAIN-64 duser=Administrator deviceProcessName= msg= Process had crashed
7 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Process Injection Time Out|Agent|6|rt=Mar 09 2016 17:17:19 dhost=WIN7-DOMAIN-64 duser=Administrator deviceProcessName=notepad msg=Injection Timeout
8 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Reporting Service Start Failed|Agent|9|rt=Mar 10 2016 13:40:39 dhost=WIN7-DOMAIN-64 duser=Administrator msg=ReportingService start failed.
9 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Reporting Service Start Failed|Agent|9|rt=Mar 10 2016 13:42:56 dhost=WIN7-DOMAIN-64 duser=Administrator msg=ReportingService start failed.
10 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Service Alive|Agent|3|rt=Mar 09 2016 15:50:04 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Service start
11 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Service Stopped|Agent|3|rt=Mar 09 2016 15:53:59 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Service stopped
12 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|System Shutdown|Agent|3|rt=Mar 09 2016 16:06:13 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Service shutdown
13 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps ESM|3.3.2.9456|Agent Install|Agent|6|rt=Mar 09 2016 16:16:52 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Agent installed
14 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps ESM|3.3.2.9456|Agent Uninstall|Agent|6|rt=Mar 09 2016 16:14:14 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Agent uninstalled
15 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps ESM|3.3.2.9456|Agent Upgrade|Agent|6|rt=Mar 10 2016 10:12:49 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Agent upgraded
16 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps ESM|3.3.2.9456|File Upload Failure|System|3|rt=Mar 09 2016 16:42:42 shost=SERVER2008R2QA duser=Traps management core fname=Logs_WIN7-DOMAIN-64_09_03_2016-06_42_31_534_d5af177e-2c1b-45d7-b8c9-6ac04a3c9fe7.zip msg=File failed to upload.
17 | Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps ESM|3.3.2.9456|Traps Service Status Change|Agent|6|rt=Mar 09 2016 15:50:05 dhost=win7-domain-64 duser=Administrator msg=Agent Service Status Changed: Stopped-> Running
18 | Mar 30 2016 06:42:21 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9847|Prevention Event|Threat|9|rt=Mar 30 2016 06:42:21 shost=TLVESMVW01P duser=Administrator cs2Label=Module cs2=Library Preallocation deviceProcessName=firefox.exe fileHash=0A124E92BFADBD8E77878D6F69CCF6ABEB88F4C3AC34B9293B24203AA56EB330 msg=New prevention event. Prevention Key: d768fdc0-2f0e-4fdc-aab7-22f7256d6aa7
19 | Mar 29 2016 11:23:23 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9847|Notification Event|Threat|6|rt=Mar 29 2016 11:23:23 shost=TLVESMVW01P duser=Administrator cs2Label=Module cs2=WildFire Unknown deviceProcessName=rasutility.exe fileHash=a23cb8f179518f4f261a93bc9ba7d1ee330c8ad1b7f30c25f9bf5fc991b0ef50 msg=New Notification event. Prevention Key: 4dd8719d-86d6-4e29-9fd8-df24637809e8
--------------------------------------------------------------------------------
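The CEF records above are what the endpoint generator feeds to Splunk. As an added example, not code from this repository or its scripts, the following Python parses a Traps CEF line into its seven header slots and its extension key/value pairs (values may contain spaces, so keys are located by position rather than by splitting on whitespace), resolves `csNLabel`/`csN` pairs into named fields, and triages the result: Threat-category events at or above a severity threshold become alerts, and agent lifecycle events that also appear when someone is disabling the endpoint agent (Service Stopped, Agent Uninstall, Reporting Service Start Failed) are listed separately. The slot names `event_type` and `category` are read off the sample lines (Traps puts the event name in the CEF Signature ID slot and Threat/Agent/System in the Name slot); the sample lines are copied from pan_endpoint.txt, and the severity threshold of 7 and the tamper-event list are assumptions.

```python
import re
from dataclasses import dataclass, field

# Six lines copied verbatim from bin/data/pan_endpoint.txt above (not constructed).
SAMPLE_LINES = [
    "Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Access Violation|Threat|9|rt=Mar 09 2016 16:45:17 shost=SERVER2008R2QA duser=Administrator cs2Label=Module cs2= msg=Access Violation- child process: notepad.exe",
    "Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Process Crashed|Agent|6|rt=Mar 09 2016 16:02:26 dhost=WIN7-DOMAIN-64 duser=Administrator deviceProcessName= msg= Process had crashed",
    "Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9456|Service Stopped|Agent|3|rt=Mar 09 2016 15:53:59 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Service stopped",
    "Oct 06 2015 12:55:02 Host CEF:0|Palo Alto Networks|Traps ESM|3.3.2.9456|Agent Uninstall|Agent|6|rt=Mar 09 2016 16:14:14 dhost=WIN7-DOMAIN-64 duser=Administrator msg=Agent uninstalled",
    "Mar 30 2016 06:42:21 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9847|Prevention Event|Threat|9|rt=Mar 30 2016 06:42:21 shost=TLVESMVW01P duser=Administrator cs2Label=Module cs2=Library Preallocation deviceProcessName=firefox.exe fileHash=0A124E92BFADBD8E77878D6F69CCF6ABEB88F4C3AC34B9293B24203AA56EB330 msg=New prevention event. Prevention Key: d768fdc0-2f0e-4fdc-aab7-22f7256d6aa7",
    "Mar 29 2016 11:23:23 Host CEF:0|Palo Alto Networks|Traps Agent|3.3.2.9847|Notification Event|Threat|6|rt=Mar 29 2016 11:23:23 shost=TLVESMVW01P duser=Administrator cs2Label=Module cs2=WildFire Unknown deviceProcessName=rasutility.exe fileHash=a23cb8f179518f4f261a93bc9ba7d1ee330c8ad1b7f30c25f9bf5fc991b0ef50 msg=New Notification event. Prevention Key: 4dd8719d-86d6-4e29-9fd8-df24637809e8",
]

# Agent lifecycle events that also show up when someone disables the agent (assumed list).
TAMPER_EVENTS = {"Service Stopped", "Agent Uninstall", "Reporting Service Start Failed"}


@dataclass
class CefEvent:
    vendor: str
    product: str
    version: str
    event_type: str   # CEF "Signature ID" slot; Traps puts the event name here
    category: str     # CEF "Name" slot; Traps puts Threat / Agent / System here
    severity: int
    ext: dict = field(default_factory=dict)


# A key is a run of [A-Za-z0-9_.] directly followed by "=" at the start of the
# extension or after whitespace, so an "=" inside a value cannot start a new key.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_ESC = re.compile(r"\\([\\|=])")   # CEF escapes: \\ and \| in the header, \\ and \= in extensions


def _unescape(s):
    return _ESC.sub(r"\1", s)


def parse_cef(line):
    """Parse a syslog-prefixed CEF line; raises ValueError on malformed input."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)   # split on unescaped pipes only
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    hdr = [_unescape(p) for p in parts[:7]]
    ext_str = parts[7]
    ext = {}
    keys = list(_KEY.finditer(ext_str))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_str)
        ext[m.group(1)] = _unescape(ext_str[m.end():end]).strip()
    # Resolve custom-string labels: cs2Label=Module cs2=X  ->  ext["Module"] = X
    for k in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        if ext[k]:
            ext[ext[k]] = ext[k[:-5]]
    return CefEvent(hdr[1], hdr[2], hdr[3], hdr[4], hdr[5], int(hdr[6]), ext)


def triage(lines, min_severity=7):
    """Split events into Threat alerts (severity >= min_severity) and agent-tamper signals."""
    threats, tamper = [], []
    for ev in map(parse_cef, lines):
        host = ev.ext.get("shost") or ev.ext.get("dhost")   # Traps uses either slot for the endpoint
        if ev.category == "Threat" and ev.severity >= min_severity:
            threats.append({"host": host, "event": ev.event_type, "severity": ev.severity,
                            "module": ev.ext.get("Module"),
                            "process": ev.ext.get("deviceProcessName"),
                            "sha256": ev.ext.get("fileHash"), "msg": ev.ext.get("msg")})
        elif ev.event_type in TAMPER_EVENTS:
            tamper.append({"host": host, "event": ev.event_type,
                           "user": ev.ext.get("duser"), "source": ev.product})
    return {"threats": threats, "agent_tamper": tamper}


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LINES))
```

With the default threshold the two severity-9 events (the Access Violation and the Prevention Event, the latter carrying the process name and SHA-256 for pivoting) are reported, the severity-6 WildFire Unknown notification is not, and the Service Stopped and Agent Uninstall records land in the tamper list regardless of their low severity.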
/bin/data/pan_globalprotect.txt:
--------------------------------------------------------------------------------
1 | Feb 24 22:09:26 10.5.172.40 Feb 24 22:06:07 BD-Panorama 1,2016/02/24 22:06:06,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:01:41,,globalprotectgateway-logout-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user logout succeeded. User name: user3, Client OS version: Microsoft Windows Server 2008 R2 Enterprise Edition Service Pac, Reason: client logout.",641977,0x8000000000000000,0,0,0,0,,PA-VM
2 | Feb 24 22:09:26 10.5.172.40 Feb 24 22:06:07 BD-Panorama 1,2016/02/24 22:06:06,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:01:41,,globalprotectgateway-config-release,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway client configuration released. User name: user3, Private IP: 192.168.55.101, Client version: 2.3.4-4, Device name: BD-CLIENT, Client OS version: Microsoft Wi",641976,0x8000000000000000,0,0,0,0,,PA-VM
3 | Feb 24 21:50:30 10.5.172.40 Feb 24 21:47:11 BD-Panorama 1,2016/02/24 21:47:11,007200001165,TRAFFIC,end,1,2016/02/24 21:42:31,192.168.55.101,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user3,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:42:31,235961,1,53909,53,0,0,0x64,udp,allow,74,74,0,1,2016/02/24 21:42:01,0,any,0,13457861041,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
4 | Feb 24 21:50:30 10.5.172.40 Feb 24 21:47:11 BD-Panorama 1,2016/02/24 21:47:11,007200001165,TRAFFIC,end,1,2016/02/24 21:42:30,192.168.55.101,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user3,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:42:30,57753,1,53909,53,0,0,0x64,udp,allow,74,74,0,1,2016/02/24 21:42:00,0,any,0,13457860836,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
5 | Feb 24 21:49:59 10.5.172.40 Feb 24 21:46:40 BD-Panorama 1,2016/02/24 21:46:40,007200001165,TRAFFIC,start,1,2016/02/24 21:42:01,192.168.55.101,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user3,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:42:01,235961,1,53909,53,0,0,0x0,udp,allow,74,74,0,1,2016/02/24 21:42:01,0,any,0,13457854447,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
6 | Feb 24 21:49:59 10.5.172.40 Feb 24 21:46:40 BD-Panorama 1,2016/02/24 21:46:40,007200001165,TRAFFIC,start,1,2016/02/24 21:42:00,192.168.55.101,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user3,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:42:00,57753,1,53909,53,0,0,0x0,udp,allow,74,74,0,1,2016/02/24 21:42:00,0,any,0,13457854225,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
7 | Feb 24 21:49:28 10.5.172.40 Feb 24 21:46:09 BD-Panorama 1,2016/02/24 21:46:09,007200001165,TRAFFIC,end,1,2016/02/24 21:41:41,192.168.55.101,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user3,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:41:41,134486,1,56815,53,0,0,0x64,udp,allow,74,74,0,1,2016/02/24 21:41:11,0,any,0,13457849797,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
8 | Feb 24 21:49:28 10.5.172.40 Feb 24 21:46:09 BD-Panorama 1,2016/02/24 21:46:09,007200001165,TRAFFIC,end,1,2016/02/24 21:41:40,192.168.55.101,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user3,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:41:40,226780,1,56815,53,0,0,0x64,udp,allow,74,74,0,1,2016/02/24 21:41:10,0,any,0,13457849502,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
9 | Feb 24 21:48:57 10.5.172.40 Feb 24 21:45:38 BD-Panorama 1,2016/02/24 21:45:37,007200001165,TRAFFIC,start,1,2016/02/24 21:41:10,192.168.55.101,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user3,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:41:10,134486,1,56815,53,0,0,0x0,udp,allow,74,74,0,1,2016/02/24 21:41:11,0,any,0,13457840291,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
10 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:54,,globalprotectgateway-config-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway client configuration generated. User name: user3, Private IP: 192.168.55.101, Client version: 2.3.4-4, Device name: BD-CLIENT, Client OS version: Microsoft W",641955,0x8000000000000000,0,0,0,0,,PA-VM
11 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:52,,globalprotectgateway-regist-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user login succeeded. Login from: 216.113.183.230, User name: user3, Client OS version: Microsoft Windows Server 2008 R2 Enterprise Edition Service Pack 1, 64-b",641954,0x8000000000000000,0,0,0,0,,PA-VM
12 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:52,,globalprotectgateway-auth-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user authentication succeeded. Login from: 216.113.183.230, User name: user3, Auth type: profile, Client OS version: Microsoft Windows Server 2008 R2 Enterprise",641953,0x8000000000000000,0,0,0,0,,PA-VM
13 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:28,,globalprotectportal-config-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: 216.113.183.230, User name: user3, Config name: VPN-GW-1.",641950,0x8000000000000000,0,0,0,0,,PA-VM
14 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:28,,globalprotectportal-auth-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 216.113.183.230, User name: user3, Auth type: profile.",641949,0x8000000000000000,0,0,0,0,,PA-VM
15 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:25,,globalprotectportal-auth-fail,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication failed. Login from: 60.28.233.48, User name: Administrator, Reason: Authentication failed: Invalid username or password , Auth type: profi",641947,0x8000000000000000,0,0,0,0,,PA-VM
16 | Feb 24 22:49:52 10.5.172.40 Feb 24 22:46:33 BD-Panorama 1,2016/02/24 22:46:32,007200001165,TRAFFIC,end,1,2016/02/24 22:42:17,192.168.55.103,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user1,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:42:17,31842,1,56862,53,0,0,0x64,udp,allow,84,84,0,1,2016/02/24 22:41:46,0,any,0,13458897271,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
17 | Feb 24 22:49:52 10.5.172.40 Feb 24 22:46:33 BD-Panorama 1,2016/02/24 22:46:32,007200001165,TRAFFIC,end,1,2016/02/24 22:42:16,192.168.55.103,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user1,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:42:16,178405,1,56862,53,0,0,0x64,udp,allow,84,84,0,1,2016/02/24 22:41:46,0,any,0,13458896907,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
18 | Feb 24 22:49:52 10.5.172.40 Feb 24 22:46:32 BD-Panorama 1,2016/02/24 22:46:32,007200001165,TRAFFIC,end,1,2016/02/24 22:42:10,192.168.55.103,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user1,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:42:10,55192,1,49285,53,0,0,0x64,udp,allow,89,89,0,1,2016/02/24 22:41:40,0,any,0,13458894961,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
19 | Feb 24 22:49:51 10.5.172.40 Feb 24 22:46:32 BD-Panorama 1,2016/02/24 22:46:32,007200001165,TRAFFIC,end,1,2016/02/24 22:42:08,192.168.55.103,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user1,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:42:08,54446,1,49285,53,0,0,0x64,udp,allow,89,89,0,1,2016/02/24 22:41:39,0,any,0,13458894428,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
20 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:26,,globalprotectgateway-config-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway client configuration generated. User name: user1, Private IP: 192.168.55.103, Client version: 2.3.4-4, Device name: BD-CLIENT, Client OS version: Microsoft W",642018,0x8000000000000000,0,0,0,0,,PA-VM
21 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:24,,globalprotectgateway-regist-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user login succeeded. Login from: 64.147.162.160, User name: user1, Client OS version: Microsoft Windows Server 2008 R2 Enterprise Edition Service Pack 1, 64-b",642017,0x8000000000000000,0,0,0,0,,PA-VM
22 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:24,,globalprotectgateway-auth-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user authentication succeeded. Login from: 64.147.162.160, User name: user1, Auth type: profile, Client OS version: Microsoft Windows Server 2008 R2 Enterprise",642016,0x8000000000000000,0,0,0,0,,PA-VM
23 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:24,,globalprotectportal-config-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: 64.147.162.160, User name: user1, Config name: VPN-GW-1.",642014,0x8000000000000000,0,0,0,0,,PA-VM
24 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:24,,globalprotectportal-auth-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 64.147.162.160, User name: user1, Auth type: profile.",642013,0x8000000000000000,0,0,0,0,,PA-VM
25 | Feb 24 22:49:21 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,TRAFFIC,start,1,2016/02/24 22:41:46,192.168.55.103,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user1,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:41:46,31842,1,56862,53,0,0,0x0,udp,allow,84,84,0,1,2016/02/24 22:41:47,0,any,0,13458887722,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
26 | Feb 24 22:49:21 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,TRAFFIC,start,1,2016/02/24 22:41:45,192.168.55.103,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user1,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:41:45,178405,1,56862,53,0,0,0x0,udp,allow,84,84,0,1,2016/02/24 22:41:46,0,any,0,13458887420,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
27 | Feb 24 22:49:21 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,TRAFFIC,start,1,2016/02/24 22:41:39,192.168.55.103,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user1,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:41:39,55192,1,49285,53,0,0,0x0,udp,allow,89,89,0,1,2016/02/24 22:41:40,0,any,0,13458885400,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
28 | Feb 24 22:49:21 10.5.172.40 Feb 24 22:46:01 BD-Panorama 1,2016/02/24 22:46:01,007200001165,TRAFFIC,start,1,2016/02/24 22:41:38,192.168.55.103,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user1,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:41:38,54446,1,49285,53,0,0,0x0,udp,allow,89,89,0,1,2016/02/24 22:41:39,0,any,0,13458885036,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
29 | Feb 24 22:48:51 10.5.172.40 Feb 24 22:45:32 BD-Panorama 1,2016/02/24 22:45:30,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:12,,globalprotectportal-auth-fail,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication failed. Login from: 64.135.77.120, User name: Admin, Reason: Authentication failed: Invalid username or password , Auth type: profi",642008,0x8000000000000000,0,0,0,0,,PA-VM
30 | Feb 24 19:48:48 10.5.172.40 Feb 24 19:45:29 BD-Panorama 1,2016/02/24 19:45:28,007200001165,TRAFFIC,end,1,2016/02/24 19:41:07,192.168.55.100,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user2,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 19:41:07,98982,1,59479,53,0,0,0x64,udp,allow,89,89,0,1,2016/02/24 19:40:37,0,any,0,13455761995,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
31 | Feb 24 19:48:17 10.5.172.40 Feb 24 19:44:58 BD-Panorama 1,2016/02/24 19:44:57,007200001165,SYSTEM,globalprotect,0,2016/02/24 19:40:39,,globalprotectgateway-logout-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user logout succeeded. User name: user2, Client OS version: Microsoft Windows Server 2008 R2 Enterprise Edition Service Pac, Reason: client logout.",641827,0x8000000000000000,0,0,0,0,,PA-VM
32 | Feb 24 19:48:17 10.5.172.40 Feb 24 19:44:58 BD-Panorama 1,2016/02/24 19:44:57,007200001165,SYSTEM,globalprotect,0,2016/02/24 19:40:39,,globalprotectgateway-config-release,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway client configuration released. User name: user2, Private IP: 192.168.55.100, Client version: 2.3.4-4, Device name: BD-CLIENT, Client OS version: Microsoft Wi",641826,0x8000000000000000,0,0,0,0,,PA-VM
33 | Feb 24 19:48:17 10.5.172.40 Feb 24 19:44:58 BD-Panorama 1,2016/02/24 19:44:57,007200001165,SYSTEM,globalprotect,0,2016/02/24 19:40:39,,globalprotectgateway-agent-msg,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway agent message. Login from: 192.168.55.100, User name: user2, Time: Wed Feb 24 11:48:04 2016., Message: Agent Disable, Comment: none. Override(s)=1.",641825,0x8000000000000000,0,0,0,0,,PA-VM
34 | Feb 24 19:48:16 10.5.172.40 Feb 24 19:44:57 BD-Panorama 1,2016/02/24 19:44:56,007200001165,TRAFFIC,start,1,2016/02/24 19:40:37,192.168.55.100,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user2,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 19:40:37,98982,1,59479,53,0,0,0x0,udp,allow,89,89,0,1,2016/02/24 19:40:38,0,any,0,13455753639,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
35 | Feb 24 19:36:15 10.5.172.40 Feb 24 19:32:56 BD-Panorama 1,2016/02/24 19:32:56,007200001165,TRAFFIC,end,1,2016/02/24 19:28:37,192.168.55.100,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user2,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 19:28:37,83047,1,64027,53,0,0,0x64,udp,allow,84,84,0,1,2016/02/24 19:28:08,0,any,0,13455546698,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
36 | Feb 24 19:36:15 10.5.172.40 Feb 24 19:32:56 BD-Panorama 1,2016/02/24 19:32:56,007200001165,TRAFFIC,end,1,2016/02/24 19:28:36,192.168.55.100,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user2,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 19:28:36,145234,1,64027,53,0,0,0x64,udp,allow,84,84,0,1,2016/02/24 19:28:07,0,any,0,13455546411,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
37 | Feb 24 19:36:13 10.5.172.40 Feb 24 19:32:54 BD-Panorama 1,2016/02/24 19:32:53,007200001165,TRAFFIC,end,1,2016/02/24 19:28:28,192.168.55.100,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user2,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 19:28:28,124303,1,60134,53,0,0,0x64,udp,allow,89,89,0,1,2016/02/24 19:27:58,0,any,0,13455543701,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
38 | Feb 24 19:36:13 10.5.172.40 Feb 24 19:32:54 BD-Panorama 1,2016/02/24 19:32:53,007200001165,TRAFFIC,end,1,2016/02/24 19:28:26,192.168.55.100,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user2,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 19:28:26,90092,1,60134,53,0,0,0x64,udp,allow,89,89,0,1,2016/02/24 19:27:56,0,any,0,13455543324,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
39 | Feb 24 19:35:42 10.5.172.40 Feb 24 19:32:23 BD-Panorama 1,2016/02/24 19:32:22,007200001165,SYSTEM,globalprotect,0,2016/02/24 19:27:44,,globalprotectgateway-config-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway client configuration generated. User name: user2, Private IP: 192.168.55.100, Client version: 2.3.4-4, Device name: BD-CLIENT, Client OS version: Microsoft W",641813,0x8000000000000000,0,0,0,0,,PA-VM
40 | Feb 24 19:35:42 10.5.172.40 Feb 24 19:32:23 BD-Panorama 1,2016/02/24 19:32:22,007200001165,SYSTEM,globalprotect,0,2016/02/24 19:27:42,,globalprotectgateway-regist-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user login succeeded. Login from: 205.178.144.19, User name: user2, Client OS version: Microsoft Windows Server 2008 R2 Enterprise Edition Service Pack 1, 64-b",641812,0x8000000000000000,0,0,0,0,,PA-VM
41 | Feb 24 19:35:42 10.5.172.40 Feb 24 19:32:23 BD-Panorama 1,2016/02/24 19:32:22,007200001165,SYSTEM,globalprotect,0,2016/02/24 19:27:42,,globalprotectgateway-auth-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user authentication succeeded. Login from: 205.178.144.19, User name: user2, Auth type: profile, Client OS version: Microsoft Windows Server 2008 R2 Enterprise",641811,0x8000000000000000,0,0,0,0,,PA-VM
42 | Feb 24 19:35:42 10.5.172.40 Feb 24 19:32:23 BD-Panorama 1,2016/02/24 19:32:22,007200001165,SYSTEM,globalprotect,0,2016/02/24 19:27:41,,globalprotectportal-config-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: 205.178.144.19, User name: user2, Config name: VPN-GW-1.",641809,0x8000000000000000,0,0,0,0,,PA-VM
43 | Feb 24 19:35:42 10.5.172.40 Feb 24 19:32:23 BD-Panorama 1,2016/02/24 19:32:22,007200001165,SYSTEM,globalprotect,0,2016/02/24 19:27:41,,globalprotectportal-auth-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 205.178.144.19, User name: user2, Auth type: profile.",641808,0x8000000000000000,0,0,0,0,,PA-VM
44 | Feb 24 19:35:42 10.5.172.40 Feb 24 19:32:23 BD-Panorama 1,2016/02/24 19:32:22,007200001165,TRAFFIC,start,1,2016/02/24 19:28:07,192.168.55.100,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user2,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 19:28:07,83047,1,64027,53,0,0,0x0,udp,allow,84,84,0,1,2016/02/24 19:28:08,0,any,0,13455537714,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
45 | Feb 24 19:35:41 10.5.172.40 Feb 24 19:32:22 BD-Panorama 1,2016/02/24 19:32:22,007200001165,TRAFFIC,start,1,2016/02/24 19:27:58,192.168.55.100,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user2,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 19:27:58,124303,1,60134,53,0,0,0x0,udp,allow,89,89,0,1,2016/02/24 19:27:58,0,any,0,13455534930,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
46 | Feb 24 19:35:41 10.5.172.40 Feb 24 19:32:22 BD-Panorama 1,2016/02/24 19:32:22,007200001165,TRAFFIC,start,1,2016/02/24 19:27:57,192.168.55.100,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user2,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 19:27:57,90092,1,60134,53,0,0,0x0,udp,allow,89,89,0,1,2016/02/24 19:27:57,0,any,0,13455534583,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
47 | Feb 24 22:09:26 10.5.172.40 Feb 24 22:06:07 BD-Panorama 1,2016/02/24 22:06:06,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:01:41,,globalprotectgateway-logout-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user logout succeeded. User name: user4, Client OS version: Microsoft Windows Server 2008 R2 Enterprise Edition Service Pac, Reason: client logout.",641977,0x8000000000000000,0,0,0,0,,PA-VM
48 | Feb 24 22:09:26 10.5.172.40 Feb 24 22:06:07 BD-Panorama 1,2016/02/24 22:06:06,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:01:41,,globalprotectgateway-config-release,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway client configuration released. User name: user4, Private IP: 192.168.55.104, Client version: 2.3.4-4, Device name: BD-CLIENT, Client OS version: Microsoft Wi",641976,0x8000000000000000,0,0,0,0,,PA-VM
49 | Feb 24 21:50:30 10.5.172.40 Feb 24 21:47:11 BD-Panorama 1,2016/02/24 21:47:11,007200001165,TRAFFIC,end,1,2016/02/24 21:42:31,192.168.55.104,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user4,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:42:31,235961,1,53909,53,0,0,0x64,udp,allow,74,74,0,1,2016/02/24 21:42:01,0,any,0,13457861041,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
50 | Feb 24 21:50:30 10.5.172.40 Feb 24 21:47:11 BD-Panorama 1,2016/02/24 21:47:11,007200001165,TRAFFIC,end,1,2016/02/24 21:42:30,192.168.55.104,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user4,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:42:30,57753,1,53909,53,0,0,0x64,udp,allow,74,74,0,1,2016/02/24 21:42:00,0,any,0,13457860836,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
51 | Feb 24 21:49:59 10.5.172.40 Feb 24 21:46:40 BD-Panorama 1,2016/02/24 21:46:40,007200001165,TRAFFIC,start,1,2016/02/24 21:42:01,192.168.55.104,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user4,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:42:01,235961,1,53909,53,0,0,0x0,udp,allow,74,74,0,1,2016/02/24 21:42:01,0,any,0,13457854447,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
52 | Feb 24 21:49:59 10.5.172.40 Feb 24 21:46:40 BD-Panorama 1,2016/02/24 21:46:40,007200001165,TRAFFIC,start,1,2016/02/24 21:42:00,192.168.55.104,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user4,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:42:00,57753,1,53909,53,0,0,0x0,udp,allow,74,74,0,1,2016/02/24 21:42:00,0,any,0,13457854225,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
53 | Feb 24 21:49:28 10.5.172.40 Feb 24 21:46:09 BD-Panorama 1,2016/02/24 21:46:09,007200001165,TRAFFIC,end,1,2016/02/24 21:41:41,192.168.55.104,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user4,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:41:41,134486,1,56815,53,0,0,0x64,udp,allow,74,74,0,1,2016/02/24 21:41:11,0,any,0,13457849797,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
54 | Feb 24 21:49:28 10.5.172.40 Feb 24 21:46:09 BD-Panorama 1,2016/02/24 21:46:09,007200001165,TRAFFIC,end,1,2016/02/24 21:41:40,192.168.55.104,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user4,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:41:40,226780,1,56815,53,0,0,0x64,udp,allow,74,74,0,1,2016/02/24 21:41:10,0,any,0,13457849502,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
55 | Feb 24 21:48:57 10.5.172.40 Feb 24 21:45:38 BD-Panorama 1,2016/02/24 21:45:37,007200001165,TRAFFIC,start,1,2016/02/24 21:41:10,192.168.55.104,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user4,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:41:10,134486,1,56815,53,0,0,0x0,udp,allow,74,74,0,1,2016/02/24 21:41:11,0,any,0,13457840291,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
56 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:54,,globalprotectgateway-config-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway client configuration generated. User name: user4, Private IP: 192.168.55.104, Client version: 2.3.4-4, Device name: BD-CLIENT, Client OS version: Microsoft W",641955,0x8000000000000000,0,0,0,0,,PA-VM
57 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:52,,globalprotectgateway-regist-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user login succeeded. Login from: 216.129.122.242, User name: user4, Client OS version: Microsoft Windows Server 2008 R2 Enterprise Edition Service Pack 1, 64-b",641954,0x8000000000000000,0,0,0,0,,PA-VM
58 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:52,,globalprotectgateway-auth-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user authentication succeeded. Login from: 216.129.122.242, User name: user4, Auth type: profile, Client OS version: Microsoft Windows Server 2008 R2 Enterprise",641953,0x8000000000000000,0,0,0,0,,PA-VM
59 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:28,,globalprotectportal-config-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: 216.129.122.242, User name: user4, Config name: VPN-GW-1.",641950,0x8000000000000000,0,0,0,0,,PA-VM
60 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:28,,globalprotectportal-auth-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 216.129.122.242, User name: user4, Auth type: profile.",641949,0x8000000000000000,0,0,0,0,,PA-VM
61 | Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:25,,globalprotectportal-auth-fail,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication failed. Login from: 60.28.233.48, User name: Admin, Reason: Authentication failed: Invalid username or password , Auth type: profi",641947,0x8000000000000000,0,0,0,0,,PA-VM
62 | Feb 24 19:48:17 10.5.172.40 Feb 24 19:44:58 BD-Panorama 1,2016/02/24 19:44:57,007200001165,SYSTEM,globalprotect,0,2016/02/24 19:40:39,,globalprotectgateway-agent-msg,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway agent message. Login from: 192.168.55.104, User name: user4, Time: Wed Feb 24 11:48:04 2016., Message: Agent Disable, Comment: none. Override(s)=1.",641825,0x8000000000000000,0,0,0,0,,PA-VM
63 | Feb 24 22:49:52 10.5.172.40 Feb 24 22:46:33 BD-Panorama 1,2016/02/24 22:46:32,007200001165,TRAFFIC,end,1,2016/02/24 22:42:17,192.168.55.105,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user5,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:42:17,31842,1,56862,53,0,0,0x64,udp,allow,84,84,0,1,2016/02/24 22:41:46,0,any,0,13458897271,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
64 | Feb 24 22:49:52 10.5.172.40 Feb 24 22:46:33 BD-Panorama 1,2016/02/24 22:46:32,007200001165,TRAFFIC,end,1,2016/02/24 22:42:16,192.168.55.105,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user5,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:42:16,178405,1,56862,53,0,0,0x64,udp,allow,84,84,0,1,2016/02/24 22:41:46,0,any,0,13458896907,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
65 | Feb 24 22:49:52 10.5.172.40 Feb 24 22:46:32 BD-Panorama 1,2016/02/24 22:46:32,007200001165,TRAFFIC,end,1,2016/02/24 22:42:10,192.168.55.105,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user5,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:42:10,55192,1,49285,53,0,0,0x64,udp,allow,89,89,0,1,2016/02/24 22:41:40,0,any,0,13458894961,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
66 | Feb 24 22:49:51 10.5.172.40 Feb 24 22:46:32 BD-Panorama 1,2016/02/24 22:46:32,007200001165,TRAFFIC,end,1,2016/02/24 22:42:08,192.168.55.105,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user5,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:42:08,54446,1,49285,53,0,0,0x64,udp,allow,89,89,0,1,2016/02/24 22:41:39,0,any,0,13458894428,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy
67 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:26,,globalprotectgateway-config-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway client configuration generated. User name: user5, Private IP: 192.168.55.105, Client version: 2.3.4-4, Device name: BD-CLIENT, Client OS version: Microsoft W",642018,0x8000000000000000,0,0,0,0,,PA-VM
68 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:24,,globalprotectgateway-regist-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user login succeeded. Login from: 65.55.223.21, User name: user5, Client OS version: Microsoft Windows Server 2008 R2 Enterprise Edition Service Pack 1, 64-b",642017,0x8000000000000000,0,0,0,0,,PA-VM
69 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:24,,globalprotectgateway-auth-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user authentication succeeded. Login from: 65.55.223.21, User name: user5, Auth type: profile, Client OS version: Microsoft Windows Server 2008 R2 Enterprise",642016,0x8000000000000000,0,0,0,0,,PA-VM
70 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:24,,globalprotectportal-config-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: 65.55.223.21, User name: user5, Config name: VPN-GW-1.",642014,0x8000000000000000,0,0,0,0,,PA-VM
71 | Feb 24 22:49:22 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:24,,globalprotectportal-auth-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 65.55.223.21, User name: user5, Auth type: profile.",642013,0x8000000000000000,0,0,0,0,,PA-VM
72 | Feb 24 22:49:21 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,TRAFFIC,start,1,2016/02/24 22:41:46,192.168.55.105,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user5,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:41:46,31842,1,56862,53,0,0,0x0,udp,allow,84,84,0,1,2016/02/24 22:41:47,0,any,0,13458887722,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
73 | Feb 24 22:49:21 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,TRAFFIC,start,1,2016/02/24 22:41:45,192.168.55.105,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user5,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:41:45,178405,1,56862,53,0,0,0x0,udp,allow,84,84,0,1,2016/02/24 22:41:46,0,any,0,13458887420,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
74 | Feb 24 22:49:21 10.5.172.40 Feb 24 22:46:02 BD-Panorama 1,2016/02/24 22:46:01,007200001165,TRAFFIC,start,1,2016/02/24 22:41:39,192.168.55.105,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user5,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:41:39,55192,1,49285,53,0,0,0x0,udp,allow,89,89,0,1,2016/02/24 22:41:40,0,any,0,13458885400,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
75 | Feb 24 22:49:21 10.5.172.40 Feb 24 22:46:01 BD-Panorama 1,2016/02/24 22:46:01,007200001165,TRAFFIC,start,1,2016/02/24 22:41:38,192.168.55.105,8.8.8.8,0.0.0.0,0.0.0.0,Permit All,user5,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 22:41:38,54446,1,49285,53,0,0,0x0,udp,allow,89,89,0,1,2016/02/24 22:41:39,0,any,0,13458885036,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,1,0,n/a,15,0,0,0,,PA-VM,from-policy
76 | Feb 24 22:48:51 10.5.172.40 Feb 24 22:45:32 BD-Panorama 1,2016/02/24 22:45:30,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:12,,globalprotectportal-auth-fail,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication failed. Login from: 64.135.77.120, User name: Admin, Reason: Authentication failed: Invalid username or password , Auth type: profi",642008,0x8000000000000000,0,0,0,0,,PA-VM
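The lines above are PAN-OS logs wrapped in a relay syslog header: two timestamps, the relay IP, the device hostname, and then the comma-separated PAN-OS body, with the `SYSTEM` description quoted because it contains commas. The following is an added example, not part of the pan_datagen app, that parses both the `TRAFFIC` and the `SYSTEM`/`globalprotect` lines and runs two checks a SOC would actually want on this data: portal authentication failures counted per (user, source IP), and whether each user's events contain the full portal-then-gateway connect sequence that a successful GlobalProtect login produces. The field positions are read off the sample lines above; the constructed sample is a copy of eight of them. It is Python 3, unlike the app's own Python 2 scripts.

```python
"""Parse PAN-OS syslog lines of the kind in pan_globalprotect.txt and run two
checks over them: failed GlobalProtect portal logins per (user, source IP) and
whether each user's SYSTEM events contain the complete connect sequence.
Added example (Python 3), not part of the pan_datagen app."""
import csv
import re
from collections import Counter, defaultdict

# Relay syslog header as in the sample file: relay timestamp, relay IP, device
# timestamp, device hostname, then the PAN-OS CSV body.
HEADER_RE = re.compile(
    r'^(?P<relay_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay_ip>\S+) '
    r'(?P<dev_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$')
USER_RE = re.compile(r'User name: (?P<user>[^,]+)')
LOGIN_IP_RE = re.compile(r'Login from: (?P<ip>[\d.]+)')

# Event IDs one successful GlobalProtect connect emits, in the order the
# sample file shows them (portal first, then gateway).
CONNECT_SEQUENCE = [
    'globalprotectportal-auth-succ', 'globalprotectportal-config-succ',
    'globalprotectgateway-auth-succ', 'globalprotectgateway-regist-succ',
    'globalprotectgateway-config-succ',
]

# Constructed sample: eight lines copied from pan_globalprotect.txt above.
SAMPLE_LINES = [
    'Feb 24 21:49:28 10.5.172.40 Feb 24 21:46:09 BD-Panorama 1,2016/02/24 21:46:09,007200001165,TRAFFIC,end,1,2016/02/24 21:41:41,192.168.55.104,2.2.2.2,0.0.0.0,0.0.0.0,Permit All,user4,,dns,vsys1,trust,untrust,tunnel.2,ethernet1/1,Syslog To Panorama,2016/02/24 21:41:41,134486,1,56815,53,0,0,0x64,udp,allow,74,74,0,1,2016/02/24 21:41:11,0,any,0,13457849797,0x8000000000000000,192.168.0.0-192.168.255.255,France,0,1,0,aged-out,15,0,0,0,,PA-VM,from-policy',
    'Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:54,,globalprotectgateway-config-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway client configuration generated. User name: user4, Private IP: 192.168.55.104, Client version: 2.3.4-4, Device name: BD-CLIENT, Client OS version: Microsoft W",641955,0x8000000000000000,0,0,0,0,,PA-VM',
    'Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:52,,globalprotectgateway-regist-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user login succeeded. Login from: 216.129.122.242, User name: user4, Client OS version: Microsoft Windows Server 2008 R2 Enterprise Edition Service Pack 1, 64-b",641954,0x8000000000000000,0,0,0,0,,PA-VM',
    'Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:52,,globalprotectgateway-auth-succ,VPN-GW-N,0,0,general,informational,"GlobalProtect gateway user authentication succeeded. Login from: 216.129.122.242, User name: user4, Auth type: profile, Client OS version: Microsoft Windows Server 2008 R2 Enterprise",641953,0x8000000000000000,0,0,0,0,,PA-VM',
    'Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:28,,globalprotectportal-config-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal client configuration generated. Login from: 216.129.122.242, User name: user4, Config name: VPN-GW-1.",641950,0x8000000000000000,0,0,0,0,,PA-VM',
    'Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:28,,globalprotectportal-auth-succ,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 216.129.122.242, User name: user4, Auth type: profile.",641949,0x8000000000000000,0,0,0,0,,PA-VM',
    'Feb 24 21:48:28 10.5.172.40 Feb 24 21:45:09 BD-Panorama 1,2016/02/24 21:45:08,007200001165,SYSTEM,globalprotect,0,2016/02/24 21:40:25,,globalprotectportal-auth-fail,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication failed. Login from: 60.28.233.48, User name: Admin, Reason: Authentication failed: Invalid username or password , Auth type: profi",641947,0x8000000000000000,0,0,0,0,,PA-VM',
    'Feb 24 22:48:51 10.5.172.40 Feb 24 22:45:32 BD-Panorama 1,2016/02/24 22:45:30,007200001165,SYSTEM,globalprotect,0,2016/02/24 22:41:12,,globalprotectportal-auth-fail,GP-Portal-1,0,0,general,informational,"GlobalProtect portal user authentication failed. Login from: 64.135.77.120, User name: Admin, Reason: Authentication failed: Invalid username or password , Auth type: profi",642008,0x8000000000000000,0,0,0,0,,PA-VM',
]


def parse_line(line):
    """Return a dict for a TRAFFIC or SYSTEM line, or None if it does not parse."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # csv.reader honours the double quotes around the SYSTEM description, which
    # itself contains commas; a plain split(',') would shift every later field.
    f = next(csv.reader([m.group('body')]))
    rec = {'host': m.group('host'), 'type': f[3], 'subtype': f[4], 'generated': f[6]}
    if rec['type'] == 'SYSTEM':
        rec.update(event_id=f[8], object=f[9], severity=f[13],
                   description=f[14], seqno=int(f[15]))
        um, im = USER_RE.search(f[14]), LOGIN_IP_RE.search(f[14])
        if um:
            rec['user'] = um.group('user').rstrip('.')
        if im:
            rec['login_ip'] = im.group('ip')
    elif rec['type'] == 'TRAFFIC':
        rec.update(src=f[7], dst=f[8], rule=f[11], user=f[12], app=f[14],
                   dport=f[25], proto=f[29], action=f[30], bytes=int(f[31]),
                   seqno=int(f[39]), dst_location=f[42], session_end=f[46])
    return rec


def failed_portal_logins(records):
    """Counter keyed by (user, source IP) over globalprotectportal-auth-fail events."""
    c = Counter()
    for r in records:
        if r and r.get('event_id') == 'globalprotectportal-auth-fail':
            c[(r.get('user', '?'), r.get('login_ip', '?'))] += 1
    return c


def connect_sequences(records):
    """user -> GlobalProtect SYSTEM event IDs ordered by device sequence number.
    The sample file lists events newest first, so the order has to be rebuilt."""
    per_user = defaultdict(list)
    for r in records:
        if r and r['type'] == 'SYSTEM' and 'user' in r:
            per_user[r['user']].append((r['seqno'], r['event_id']))
    return {u: [e for _, e in sorted(v)] for u, v in per_user.items()}


def complete_connects(records):
    """Users whose event list contains CONNECT_SEQUENCE as an ordered subsequence."""
    users = []
    for user, events in connect_sequences(records).items():
        it = iter(events)  # 'step in it' consumes the iterator up to the match
        if all(step in it for step in CONNECT_SEQUENCE):
            users.append(user)
    return sorted(users)


if __name__ == '__main__':
    recs = [parse_line(l) for l in SAMPLE_LINES]
    print('failed portal logins:', dict(failed_portal_logins(recs)))
    print('users with a complete connect sequence:', complete_connects(recs))
```

On the sample this reports the two `Admin` portal failures from two different external addresses and confirms that only `user4` completed portal auth, portal config, gateway auth, gateway registration and gateway config in that order. Sorting by the device sequence number (field 16 of a SYSTEM line) rather than by generated time matters: several of the sample events share the same second.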
--------------------------------------------------------------------------------
/bin/data/reports/report000.evt:
--------------------------------------------------------------------------------
0.1
254802168
366994208
c2a6caacd55751a6dfbfdb677ca9e0e45ac3157fcbd3d93d7fcf5f2053addc4d
1ea0115fe8a078468f512e34e5f97eff
316416
yes

Created or modified files
Sample used a suspicious User-Agent
Spawned new processes
Contained unknown TCP/UDP traffic
Listened on a specific port (backdoor behavior)
Deleted itself
Injected code into another process
Registered a file as auto-start from a local directory
Modified registries or system configuration to enable auto start capability
Modified Windows registries
Changed security settings of Internet Explorer
Changed the proxy settings for Internet Explorer
Modified the network connections setting for Internet Explorer
Created an executable file in a user document folder
Visited an unregistered domain
IP country different from HTTP host TLD
Started a process from a user document folder
Visited a malware domain
Changed the Windows firewall policy
--------------------------------------------------------------------------------
/bin/data/reports/report001.evt:
--------------------------------------------------------------------------------
0.1
254802158
366993648
19d43feb3439f2dda4dc4dacb5cffad44e639564a4007fc93e25905a849f76be
c52b77064604fc7e695261339ba6510c
942080
yes

Created or modified files
Spawned new processes
Contained unknown TCP/UDP traffic
Listened on a specific port (backdoor behavior)
Created a hidden executable file
Registered a file as auto-start from a local directory
Modified registries or system configuration to enable auto start capability
Modified Windows registries
Changed security settings of Internet Explorer
Crashed when loaded
Attempted to sleep for a long period
Used direct IP instead of host name
Communicated with new DNS server
Sent out emails
Produced unknown traffic over the HTTP port
--------------------------------------------------------------------------------
/bin/data/reports/report002.evt:
--------------------------------------------------------------------------------
0.1
254801558
366992338
bcccb59a27945f0fddb8b113a0ce18c9ea44ad2a5bc555b1f68a5a532f94d2af
7deeb6461caf764bf7ed708b3973072c
238080
yes

Created or modified files
Spawned new processes
Modified Windows registries
Changed security settings of Internet Explorer
Changed the proxy settings for Internet Explorer
Modified the network connections setting for Internet Explorer
Attempted to sleep for a long period
Deleted Cookies
--------------------------------------------------------------------------------
/bin/data/reports/report003.evt:
--------------------------------------------------------------------------------
0.1
254801358
366990958
35828da2d6048ee61680b3d64d402ac73f00880ff43f607df4c2de389faa76eb
16e9e0a7e127ce6fd6cf091fba5d661f
101376
yes

Changed security settings of Internet Explorer
Changed the default Windows shell program
Created or modified files
Modified Windows registries
Malware came from a malware domain
--------------------------------------------------------------------------------
/bin/data/reports/report005.evt:
--------------------------------------------------------------------------------
0.1
254799658
366850398
4c232033e09ff0f7fb3057146cccd675922dccbeeaea18cd5652de3249231990
6b824521508f6c600dd3348f151e8c45
438512
yes

Created or modified files
Started a process from a user document folder
Spawned new processes
Modified Windows registries
Changed security settings of Internet Explorer
Changed the proxy settings for Internet Explorer
Modified the network connections setting for Internet Explorer
Created an executable file in a user document folder
Attempted to sleep for a long period
Sample used a New User-Agent
Deleted Cookies
--------------------------------------------------------------------------------
/bin/data/reports/report006.evt:
--------------------------------------------------------------------------------
0.1
254798198
366988358
4782788db0c10721bbfdc43e6ad89621acce4baaeed10704bc5826c91972d681
fbb1f75ae5ffb2b2dd29a6105526b1d8
258160
yes

Created or modified files
Sample used a Known bad User-Agent
Modified Windows registries
Downloaded executable files
Changed security settings of Internet Explorer
Changed the proxy settings for Internet Explorer
Modified the network connections setting for Internet Explorer
Created an executable file in a user document folder
Attempted to sleep for a long period
--------------------------------------------------------------------------------
/bin/data/reports/report007.evt:
--------------------------------------------------------------------------------
2.0
254797768
95bdb3832b6ee802347f228547d3a0955b3f91a9c8f34645fb99c1037e7753c5
279f2db47628a630123ce145699b5598
PE
57216
yes

2.0
2
Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
95bdb3832b6ee802347f228547d3a0955b3f91a9c8f34645fb99c1037e7753c5
279f2db47628a630123ce145699b5598
57216
yes

Sample attempted to copy itself
Created an executable file in the Windows system folder
Created or modified files
Contained unknown TCP/UDP traffic
Moved itself
Started or stopped a system service
Modified Windows registries
Changed security settings of Internet Explorer
Scheduled a file name change at next start-up
--------------------------------------------------------------------------------
/bin/data/reports/report008.evt:
--------------------------------------------------------------------------------
2.0
254797738
f00579f0908376f1562556005e398ca536a22bec46974603413bfe33e2a5877f
b20bfeface7d7a549410297253a797a2
PE
132760
yes

2.0
2
Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
f00579f0908376f1562556005e398ca536a22bec46974603413bfe33e2a5877f
b20bfeface7d7a549410297253a797a2
132760
yes

Created a file in the Windows folder
Used the POST method in HTTP
Injected code into another process
Started a process from a user document folder
Spawned new processes
Moved itself
Modified the network hosts file
Registered a file as auto-start from a local directory
Modified registries or system configuration to enable auto start capability
Modified Windows registries
Changed security settings of Internet Explorer
Created or modified files
Used direct IP instead of host name
Changed the Windows firewall policy
--------------------------------------------------------------------------------
/bin/data/reports/report009.evt:
--------------------------------------------------------------------------------
0.1
254797598
366988278
491265dfb70859e64ba3fe9a65b276fefff5cc4b774acf194e8bf7e64823edd8
3b4eff5d084ce498d76b0cf517aeb201
258160
yes

Created or modified files
Sample used a Known bad User-Agent
Modified Windows registries
Downloaded executable files
Changed security settings of Internet Explorer
Changed the proxy settings for Internet Explorer
Modified the network connections setting for Internet Explorer
Created an executable file in a user document folder
Attempted to sleep for a long period
--------------------------------------------------------------------------------
/bin/data/reports/report010.evt:
--------------------------------------------------------------------------------
1 |
2 |
3 | 0.1
4 | 254796918
5 | 366988118
6 | 08d7b827eb2b25a5180ed6e8f94979601036730b8ea52196e038010905f98674
7 | 7745cc43f03d993655ed449df7b3bee5
8 | 316416
9 | yes
10 |
11 | Created or modified files
12 | Sample used a suspicious User-Agent
13 | Spawned new processes
14 | Contained unknown TCP/UDP traffic
15 | Listened on a specific port (backdoor behavior)
16 | Deleted itself
17 | Injected code into another process
18 | Registered a file as auto-start from a local directory
19 | Modified registries or system configuration to enable auto start capability
20 | Modified Windows registries
21 | Changed security settings of Internet Explorer
22 | Changed the proxy settings for Internet Explorer
23 | Modified the network connections setting for Internet Explorer
24 | Created an executable file in a user document folder
25 | Visited an unregistered domain
26 | Started a process from a user document folder
27 | Visited a malware domain
28 | Changed the Windows firewall policy
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
--------------------------------------------------------------------------------
/bin/data/reports/report011.evt:
--------------------------------------------------------------------------------
2.0
254796538
5cffd8d8aad442208575779db500c8d0c42ec0a30b7de0f4c5459fa90a03ed00
9d8304179be4e6a0bb6180b4c992539b
PE
693660
yes

2.0
2
Windows XP, Adobe Reader 9.4.0, Flash 10, Office 2007
5cffd8d8aad442208575779db500c8d0c42ec0a30b7de0f4c5459fa90a03ed00
9d8304179be4e6a0bb6180b4c992539b
693660
yes

Sample attempted to copy itself
Created an executable file in a user document folder
Injected code into another process
Started a process from a user document folder
Sample used a Known bad User-Agent
Spawned new processes
Performed a DNS query for a mail server
Created a hidden executable file
Registered a file as auto-start from a local directory
Modified registries or system configuration to enable auto start capability
Modified Windows registries
Changed security settings of Internet Explorer
Created or modified files
Attempted to sleep for a long period
Communicated using IRC over a non-standard port
Sent out emails
Changed the Windows firewall policy
--------------------------------------------------------------------------------
/bin/data/reports/report012.evt:
--------------------------------------------------------------------------------
0.1
254796298
366873438
a2473f5aa013018ec9445f12b94e895310495d63e7fa80f6e33d42d4708eb108
ecc02eeedc39f4af45251c97977a0951
343778
yes

Created an executable file in a user document folder
Created or modified files
Modified Windows registries
Triggered known IPS signature ( ZeroAccess.Gen Command and Control Traffic )
Changed security settings of Internet Explorer
Changed the proxy settings for Internet Explorer
Modified the network connections setting for Internet Explorer
Used the POST method in HTTP
Attempted to sleep for a long period
Visited a malware domain
Scheduled a file name change at next start-up
--------------------------------------------------------------------------------
/bin/data/reports/report013.evt:
--------------------------------------------------------------------------------
0.1
254796028
312311728
91aee5831e29087447f0fbbdf3531a56cbd574af54dd7a6d8b54b2d1410684c9
d0db4f62648912e4baae34f1d918010b
yes

Changed security settings of Internet Explorer
Created or modified files
Attempted to sleep for a long period
Modified Windows registries
Malware came from a malware domain
--------------------------------------------------------------------------------
/bin/data/reports/report014.evt:
--------------------------------------------------------------------------------
0.1
254795998
231064903
b719e17ee4d35b783b63f61bb8380171bea03875bc058e428a0d841a70cdd900
5c8d28e4b7250dc74e6545579beaef1a
yes

Created or modified files
Spawned new processes
Registered a DLL or ActiveX control with regsvr32.exe
Modified Windows registries
Modified registries or system configuration to enable auto start capability
Changed security settings of Internet Explorer
Changed the proxy settings for Internet Explorer
Modified the network connections setting for Internet Explorer
--------------------------------------------------------------------------------
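The report files above are WildFire verdict reports with their XML markup stripped; what survives per sample is the SHA-256, MD5, size, the `yes` verdict and the list of observed behaviours. Two of them, report006 and report009, have the same size (258160 bytes) and an identical behaviour list under different hashes, which is what repacked variants of one family look like in sandbox output. The following added example, not part of the pan_datagen app, loads three of those reports into a constructed in-line table (report003, report006, report009, copied from the files above), validates the hash fields, and reports pairs of different-hash samples whose behaviour sets overlap by Jaccard similarity. The field names and the 0.8 threshold are this example's own choices, not anything the report format defines.

```python
"""Compare the behaviour lists of WildFire sample reports to spot behaviourally
identical samples under different hashes. Added example, not part of the
pan_datagen app; the SAMPLES table is constructed from report003, report006 and
report009 above, and the field names and the 0.8 threshold are this example's own."""
import re
from itertools import combinations

SHA256_RE = re.compile(r'^[0-9a-f]{64}$')
MD5_RE = re.compile(r'^[0-9a-f]{32}$')

# Constructed from the report files above (version 0.1 layout: sha256, md5,
# size in bytes, verdict, then the observed behaviours).
SAMPLES = {
    'report003': {
        'sha256': '35828da2d6048ee61680b3d64d402ac73f00880ff43f607df4c2de389faa76eb',
        'md5': '16e9e0a7e127ce6fd6cf091fba5d661f', 'size': 101376, 'malware': 'yes',
        'behaviours': [
            'Changed security settings of Internet Explorer',
            'Changed the default Windows shell program',
            'Created or modified files',
            'Modified Windows registries',
            'Malware came from a malware domain',
        ]},
    'report006': {
        'sha256': '4782788db0c10721bbfdc43e6ad89621acce4baaeed10704bc5826c91972d681',
        'md5': 'fbb1f75ae5ffb2b2dd29a6105526b1d8', 'size': 258160, 'malware': 'yes',
        'behaviours': [
            'Created or modified files',
            'Sample used a Known bad User-Agent',
            'Modified Windows registries',
            'Downloaded executable files',
            'Changed security settings of Internet Explorer',
            'Changed the proxy settings for Internet Explorer',
            'Modified the network connections setting for Internet Explorer',
            'Created an executable file in a user document folder',
            'Attempted to sleep for a long period',
        ]},
    'report009': {
        'sha256': '491265dfb70859e64ba3fe9a65b276fefff5cc4b774acf194e8bf7e64823edd8',
        'md5': '3b4eff5d084ce498d76b0cf517aeb201', 'size': 258160, 'malware': 'yes',
        'behaviours': [
            'Created or modified files',
            'Sample used a Known bad User-Agent',
            'Modified Windows registries',
            'Downloaded executable files',
            'Changed security settings of Internet Explorer',
            'Changed the proxy settings for Internet Explorer',
            'Modified the network connections setting for Internet Explorer',
            'Created an executable file in a user document folder',
            'Attempted to sleep for a long period',
        ]},
}


def validate(sample):
    """Return the list of field problems; empty when the record is well formed."""
    problems = []
    if not SHA256_RE.match(sample['sha256']):
        problems.append('sha256 is not 64 lowercase hex characters')
    if not MD5_RE.match(sample['md5']):
        problems.append('md5 is not 32 lowercase hex characters')
    if sample['size'] <= 0:
        problems.append('size must be positive')
    if len(set(sample['behaviours'])) != len(sample['behaviours']):
        problems.append('duplicate behaviour entries')
    return problems


def jaccard(a, b):
    """Jaccard similarity of two behaviour lists (1.0 when both are empty)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a or b else 1.0


def similar_pairs(samples, threshold=0.8):
    """Pairs of different-hash samples whose behaviour sets overlap at or above
    threshold, as (name_a, name_b, score) in name order."""
    pairs = []
    for x, y in combinations(sorted(samples), 2):
        if samples[x]['sha256'] == samples[y]['sha256']:
            continue  # same file submitted twice, not a variant
        score = jaccard(samples[x]['behaviours'], samples[y]['behaviours'])
        if score >= threshold:
            pairs.append((x, y, round(score, 2)))
    return pairs


if __name__ == '__main__':
    for name, sample in sorted(SAMPLES.items()):
        print(name, sample['size'], validate(sample) or 'ok')
    for x, y, score in similar_pairs(SAMPLES):
        print('%s and %s: %.2f overlap, sizes %d/%d' % (
            x, y, score, SAMPLES[x]['size'], SAMPLES[y]['size']))
```

On the three constructed records only the report006/report009 pair clears the threshold; report003 shares three of its five behaviours with each of them (Jaccard 3/11). Behaviour overlap alone is a weak signal, since most Windows malware in these reports touches the registry and Internet Explorer settings, so in practice pair it with the size and with the hashes before calling two samples variants.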
/bin/scripts/pan_endpoint.py:
--------------------------------------------------------------------------------
# #############
# modify these vars if necessary
# #############
splunkserver = 'localhost'
splunkport = '8089'
index = 'main'
sourcetype = 'pan:log'
# Splunk REST credentials for the receiver endpoint. They are stored here in
# clear text, so use a dedicated low-privilege Splunk user, not a real account.
panuser = 'pan'
panpass = 'pan'
## events sent before each pause
EPS = 1
##############
# you shouldn't have to modify anything below this line
#########################################

import time      # for sleep
import sys       # for exits
import os        # for environ variables and joins
import datetime  # to create timestamps
import urllib2   # to make the https connection (Python 2, as bundled with Splunk 5.x/6.x)
from random import randint

try:
    # you can change this value to your splunk install value
    SPLUNK_HOME = os.environ['SPLUNK_HOME']
except KeyError:
    print "can't find splunk home: SPLUNK_HOME is not set"
    sys.exit(-1)

# the path of the app
paninc_libPath = os.path.join(SPLUNK_HOME, 'etc', 'apps', 'pan_datagen')
## sample log location
with open(os.path.join(paninc_libPath, 'bin', 'data', 'pan_endpoint.txt'), 'r') as sample:
    log_in = sample.readlines()

# Splunk's simple receiver: one event per POST, index and sourcetype as query parameters.
receiver_url = ('https://' + splunkserver + ':' + splunkport +
                '/services/receivers/simple?index=' + index +
                '&sourcetype=' + sourcetype)

# more or less wholesale from: http://docs.python.org/2/library/urllib2.html
# Create an OpenerDirector with support for Basic HTTP Authentication...
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm='/splunk',
                          uri='https://' + splunkserver + ':' + splunkport,
                          user=panuser,
                          passwd=panpass)
opener = urllib2.build_opener(auth_handler)
# ...and install it globally so it can be used with urlopen.
urllib2.install_opener(opener)
# Python 2.7.9 and later verify the server certificate; Splunk's default
# self-signed certificate has to be trusted (urlopen's cafile= argument) or
# this connection test fails with a URLError.
try:
    urllib2.urlopen(receiver_url, 'this is a test')
except urllib2.URLError as e:
    print "Splunk may not be running or the server path may be incorrect: %s" % e
    sys.exit(-1)


def replay():
    """Replay the sample file forever, restamping each line with the current time."""
    while True:
        x = 0
        for l in log_in:
            if x >= EPS:
                x = 0
                time.sleep(randint(30, 60))
            # Every sample line starts with a 15-character syslog timestamp such
            # as "Feb 24 21:49:59"; swap it for the current time and drop the
            # trailing newline so it is not indexed as part of the event.
            ts = datetime.datetime.now().strftime('%b %d %H:%M:%S')
            evt = ts + l[15:].rstrip('\r\n')
            urllib2.urlopen(receiver_url, evt)
            x += 1


replay()
--------------------------------------------------------------------------------
/bin/scripts/pan_globalprotect.py:
--------------------------------------------------------------------------------
# #############
# modify these vars if necessary
# #############
splunkserver = 'localhost'
splunkport = '8089'
index = 'main'
sourcetype = 'pan:log'
# Splunk REST credentials for the receiver endpoint. They are stored here in
# clear text, so use a dedicated low-privilege Splunk user, not a real account.
panuser = 'pan'
panpass = 'pan'
## events sent before each pause
EPS = 1
##############
# you shouldn't have to modify anything below this line
#########################################

import time      # for sleep
import sys       # for exits
import os        # for environ variables and joins
import datetime  # to create timestamps
import urllib2   # to make the https connection (Python 2, as bundled with Splunk 5.x/6.x)
from random import randint

try:
    # you can change this value to your splunk install value
    SPLUNK_HOME = os.environ['SPLUNK_HOME']
except KeyError:
    print "can't find splunk home: SPLUNK_HOME is not set"
    sys.exit(-1)

# the path of the app
paninc_libPath = os.path.join(SPLUNK_HOME, 'etc', 'apps', 'pan_datagen')
## sample log location
with open(os.path.join(paninc_libPath, 'bin', 'data', 'pan_globalprotect.txt'), 'r') as sample:
    log_in = sample.readlines()

# Splunk's simple receiver: one event per POST, index and sourcetype as query parameters.
receiver_url = ('https://' + splunkserver + ':' + splunkport +
                '/services/receivers/simple?index=' + index +
                '&sourcetype=' + sourcetype)

# more or less wholesale from: http://docs.python.org/2/library/urllib2.html
# Create an OpenerDirector with support for Basic HTTP Authentication...
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm='/splunk',
                          uri='https://' + splunkserver + ':' + splunkport,
                          user=panuser,
                          passwd=panpass)
opener = urllib2.build_opener(auth_handler)
# ...and install it globally so it can be used with urlopen.
urllib2.install_opener(opener)
# Python 2.7.9 and later verify the server certificate; Splunk's default
# self-signed certificate has to be trusted (urlopen's cafile= argument) or
# this connection test fails with a URLError.
try:
    urllib2.urlopen(receiver_url, 'this is a test')
except urllib2.URLError as e:
    print "Splunk may not be running or the server path may be incorrect: %s" % e
    sys.exit(-1)


def replay():
    """Replay the sample file forever, restamping each line with the current time."""
    while True:
        x = 0
        for l in log_in:
            if x >= EPS:
                x = 0
                time.sleep(randint(1, 20))
            # Every sample line starts with a 15-character syslog timestamp such
            # as "Feb 24 21:49:59"; swap it for the current time and drop the
            # trailing newline so it is not indexed as part of the event.
            ts = datetime.datetime.now().strftime('%b %d %H:%M:%S')
            evt = ts + l[15:].rstrip('\r\n')
            urllib2.urlopen(receiver_url, evt)
            x += 1


replay()
--------------------------------------------------------------------------------
/bin/scripts/pan_inc_data_config.py:
--------------------------------------------------------------------------------
1 | # #############
2 | # modify these vars if necessary
3 | ##############
4 | splunkserver = 'localhost'
5 | splunkport = '8089'
6 | index = 'main'
7 | sourcetype = 'pan:log'
8 | # demo credentials for the Splunk user that POSTs to receivers/simple; the
9 | # user needs the edit_tcp capability (see default/authorize.conf). Change
10 | # them on any instance reachable by anyone but you.
11 | panuser = 'pan'
12 | panpass = 'pan'
13 | ## events sent back-to-back before the script pauses for 5 seconds
14 | EPS = 3
15 | ##############
16 | # you shouldn't have to modify anything below this line
17 | #########################################
18 |
19 | import time  # for sleep
20 | import sys  # for exits and inputs
21 | import os  # for environ variables and joins
22 | import datetime  # to create timestamps
23 | import urllib  # to URL-encode the query string
24 | import urllib2  # to make the https connection
25 |
26 | try:
27 |     # you can change this value to your splunk install value
28 |     SPLUNK_HOME = os.environ['SPLUNK_HOME']
29 | except KeyError:
30 |     print "can't find splunk home"
31 |     sys.exit(-1)
32 |
33 | # the path of the app
34 | paninc_libPath = os.path.join(SPLUNK_HOME, 'etc', 'apps', 'pan_datagen')
35 | ## sample log location
36 | with open(os.path.join(paninc_libPath, 'bin', 'data',
37 |                        'pan_incident_data_config.txt'), 'r') as f:
38 |     log_in = f.readlines()
39 | # receivers/simple takes the index and sourcetype as query parameters;
40 | # quote them so a sourcetype such as 'pan:log' is sent as 'pan%3Alog'
41 | receiver_url = ('https://' + splunkserver + ':' + splunkport +
42 |                 '/services/receivers/simple?' +
43 |                 urllib.urlencode({'index': index, 'sourcetype': sourcetype}))
44 | # more or less wholesale from: http://docs.python.org/2/library/urllib2.html
45 | # Create an OpenerDirector with support for Basic HTTP Authentication...
46 | auth_handler = urllib2.HTTPBasicAuthHandler()
47 | auth_handler.add_password(realm='/splunk',
48 |                           uri='https://' + splunkserver + ':' + splunkport,
49 |                           user=panuser,
50 |                           passwd=panpass)
51 | opener = urllib2.build_opener(auth_handler)
52 | # ...and install it globally so it can be used with urlopen.
53 | urllib2.install_opener(opener)
54 | # Note: Python 2.7.9+ verifies TLS certificates by default, so against the
55 | # self-signed certificate Splunk ships on port 8089 this connection fails
56 | # unless you install a trusted certificate or pass an explicit ssl context.
57 | try:
58 |     urllib2.urlopen(receiver_url, 'this is a test')
59 | except urllib2.URLError as e:
60 |     # URLError covers a refused connection; its subclass HTTPError covers
61 |     # wrong credentials and a user without the edit_tcp capability
62 |     print "Splunk is not running, the server path is wrong or login failed:", e
63 |     sys.exit(-1)
64 |
65 |
66 | def replay():
67 |     log = log_in
68 |
69 |     while True:
70 |         x = 0
71 |         for l in log:
72 |             # skip blank lines; a line shorter than the 38-character prefix
73 |             # handled below would otherwise be sliced into garbage
74 |             if len(l.strip()) < 38:
75 |                 continue
76 |             if x >= EPS:
77 |                 x = 0
78 |                 time.sleep(5)
79 |                 # no 'continue' after the pause: it skipped the current line,
80 |                 # so every (EPS+1)th sample event never reached Splunk
81 |             # replace the sample's syslog timestamp and PAN-OS receive_time
82 |             # ("Feb 25 01:01:40 1,2012/02/25 01:01:40,", 38 characters) with
83 |             # the current time; rstrip drops the trailing newline, which
84 |             # str.replace('[\r\n]', '') never did (str.replace takes no regex)
85 |             ts = datetime.datetime.now().strftime(
86 |                 '%b %d %H:%M:%S 1,%Y/%m/%d %H:%M:%S,')
87 |             evt = ts + l[38:].rstrip('\r\n')
88 |             urllib2.urlopen(receiver_url, evt)
89 |
90 |             x += 1
91 |
92 |
93 | replay()
94 |
--------------------------------------------------------------------------------
/bin/scripts/pan_inc_wildfire_report.py:
--------------------------------------------------------------------------------
1 | # #############
2 | # modify these vars if necessary
3 | ##############
4 | splunkserver = 'localhost'
5 | splunkport = '8089'
6 | index = 'main'
7 | sourcetype = 'pan:wildfire_report'
8 | # demo credentials for the Splunk user that POSTs to receivers/simple; the
9 | # user needs the edit_tcp capability (see default/authorize.conf). Change
10 | # them on any instance reachable by anyone but you.
11 | panuser = 'pan'
12 | panpass = 'pan'
13 | ## events per second (unused here: one report is sent every 5 seconds)
14 | EPS = 1
15 | ##############
16 | # you shouldn't have to modify anything below this line
17 | #########################################
18 |
19 | import time  # for sleep
20 | import sys  # for exits and inputs
21 | import os  # for environ variables and joins
22 | import urllib  # to URL-encode the query string
23 | import urllib2  # to make the https connection
24 |
25 | try:
26 |     # you can change this value to your splunk install value
27 |     SPLUNK_HOME = os.environ['SPLUNK_HOME']
28 | except KeyError:
29 |     print "can't find splunk home"
30 |     sys.exit(-1)
31 |
32 | # the path of the app
33 | paninc_libPath = os.path.join(SPLUNK_HOME, 'etc', 'apps', 'pan_datagen')
34 | ## sample report location: each .evt file under bin/data/reports is one
35 | ## complete WildFire report and is sent to Splunk as a single event
36 | report_dir = os.path.join(paninc_libPath, 'bin', 'data', 'reports')
37 | log_in = []
38 | # take only the .evt files, in a stable order; os.listdir() would otherwise
39 | # also return stray files such as .DS_Store or editor backups
40 | for filename in sorted(os.listdir(report_dir)):
41 |     if not filename.endswith('.evt'):
42 |         continue
43 |     with open(os.path.join(report_dir, filename)) as f:
44 |         log_in.append(f.read())
45 |
46 | # receivers/simple takes the index and sourcetype as query parameters;
47 | # quote them so 'pan:wildfire_report' is sent as 'pan%3Awildfire_report'
48 | receiver_url = ('https://' + splunkserver + ':' + splunkport +
49 |                 '/services/receivers/simple?' +
50 |                 urllib.urlencode({'index': index, 'sourcetype': sourcetype}))
51 | # more or less wholesale from: http://docs.python.org/2/library/urllib2.html
52 | # Create an OpenerDirector with support for Basic HTTP Authentication...
53 | auth_handler = urllib2.HTTPBasicAuthHandler()
54 | auth_handler.add_password(realm='/splunk',
55 |                           uri='https://' + splunkserver + ':' + splunkport,
56 |                           user=panuser,
57 |                           passwd=panpass)
58 | opener = urllib2.build_opener(auth_handler)
59 | # ...and install it globally so it can be used with urlopen.
60 | urllib2.install_opener(opener)
61 | # Note: Python 2.7.9+ verifies TLS certificates by default, so against the
62 | # self-signed certificate Splunk ships on port 8089 this connection fails
63 | # unless you install a trusted certificate or pass an explicit ssl context.
64 | # The test event uses the same index/sourcetype as the reports (the test
65 | # post used to carry a stray 'pan_log' literal instead).
66 | try:
67 |     urllib2.urlopen(receiver_url, 'this is a test')
68 | except urllib2.URLError as e:
69 |     # URLError covers a refused connection; its subclass HTTPError covers
70 |     # wrong credentials and a user without the edit_tcp capability
71 |     print "Splunk is not running, the server path is wrong or login failed:", e
72 |     sys.exit(-1)
73 |
74 |
75 | def replay():
76 |     while True:
77 |
78 |         # wait 5 mins
79 |         time.sleep(300)
80 |
81 |         for evt in log_in:
82 |             time.sleep(5)
83 |             urllib2.urlopen(receiver_url, evt)
84 |
85 |
86 | replay()
87 |
--------------------------------------------------------------------------------
/bin/scripts/pan_incident.py:
--------------------------------------------------------------------------------
1 | # #############
2 | # modify these vars if necessary
3 | # #############
4 | splunkserver = 'localhost'
5 | splunkport = '8089'
6 | index = 'main'
7 | sourcetype = 'pan:log'
8 | # demo credentials for the Splunk user that POSTs to receivers/simple; the
9 | # user needs the edit_tcp capability (see default/authorize.conf). Change
10 | # them on any instance reachable by anyone but you.
11 | panuser = 'pan'
12 | panpass = 'pan'
13 | ## events sent back-to-back before the script pauses for 5 seconds
14 | EPS = 10
15 | ##############
16 | # you shouldn't have to modify anything below this line
17 | #########################################
18 |
19 | import time  # for sleep
20 | import sys  # for exits and inputs
21 | import os  # for environ variables and joins
22 | import datetime  # to create timestamps
23 | import urllib  # to URL-encode the query string
24 | import urllib2  # to make the https connection
25 |
26 | try:
27 |     # you can change this value to your splunk install value
28 |     SPLUNK_HOME = os.environ['SPLUNK_HOME']
29 | except KeyError:
30 |     print "can't find splunk home"
31 |     sys.exit(-1)
32 |
33 | # the path of the app
34 | paninc_libPath = os.path.join(SPLUNK_HOME, 'etc', 'apps', 'pan_datagen')
35 | ## sample log location
36 | with open(os.path.join(paninc_libPath, 'bin', 'data', 'pan_incident.txt'),
37 |           'r') as f:
38 |     log_in = f.readlines()
39 | # receivers/simple takes the index and sourcetype as query parameters;
40 | # quote them so a sourcetype such as 'pan:log' is sent as 'pan%3Alog'
41 | receiver_url = ('https://' + splunkserver + ':' + splunkport +
42 |                 '/services/receivers/simple?' +
43 |                 urllib.urlencode({'index': index, 'sourcetype': sourcetype}))
44 | # more or less wholesale from: http://docs.python.org/2/library/urllib2.html
45 | # Create an OpenerDirector with support for Basic HTTP Authentication...
46 | auth_handler = urllib2.HTTPBasicAuthHandler()
47 | auth_handler.add_password(realm='/splunk',
48 |                           uri='https://' + splunkserver + ':' + splunkport,
49 |                           user=panuser,
50 |                           passwd=panpass)
51 | opener = urllib2.build_opener(auth_handler)
52 | # ...and install it globally so it can be used with urlopen.
53 | urllib2.install_opener(opener)
54 | # Note: Python 2.7.9+ verifies TLS certificates by default, so against the
55 | # self-signed certificate Splunk ships on port 8089 this connection fails
56 | # unless you install a trusted certificate or pass an explicit ssl context.
57 | try:
58 |     urllib2.urlopen(receiver_url, 'this is a test')
59 | except urllib2.URLError as e:
60 |     # URLError covers a refused connection; its subclass HTTPError covers
61 |     # wrong credentials and a user without the edit_tcp capability
62 |     print "Splunk is not running, the server path is wrong or login failed:", e
63 |     sys.exit(-1)
64 |
65 |
66 | def replay():
67 |     log = log_in
68 |
69 |     while True:
70 |         x = 0
71 |         for l in log:
72 |             # skip blank lines; a line shorter than the 38-character prefix
73 |             # handled below would otherwise be sliced into garbage
74 |             if len(l.strip()) < 38:
75 |                 continue
76 |             if x >= EPS:
77 |                 x = 0
78 |                 time.sleep(5)
79 |                 # no 'continue' after the pause: it skipped the current line,
80 |                 # so every (EPS+1)th sample event never reached Splunk
81 |             # replace the sample's syslog timestamp and PAN-OS receive_time
82 |             # ("Feb 25 01:01:40 1,2012/02/25 01:01:40,", 38 characters) with
83 |             # the current time; rstrip drops the trailing newline, which
84 |             # str.replace('[\r\n]', '') never did (str.replace takes no regex)
85 |             ts = datetime.datetime.now().strftime(
86 |                 '%b %d %H:%M:%S 1,%Y/%m/%d %H:%M:%S,')
87 |             evt = ts + l[38:].rstrip('\r\n')
88 |             urllib2.urlopen(receiver_url, evt)
89 |
90 |             x += 1
91 |
92 |
93 | replay()
94 |
--------------------------------------------------------------------------------
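The four generator scripts above share one pattern: read a sample file, cut the stale timestamp off each line with a fixed slice (l[15:] for the GlobalProtect samples, l[38:] for the incident samples, whose lines also carry the PAN-OS receive_time field), prepend the current time, send a batch of EPS events to /services/receivers/simple with Basic auth and pause. The following Python 3 module is an added example, not code from the pan_datagen app: it reimplements those steps as functions that can be exercised offline and checked. It verifies that a line actually starts with a syslog header before rewriting it, handles both sample formats in one function, paces batches without dropping the boundary line, URL-encodes the index/sourcetype query parameters, and reads the password from the environment rather than a constant. The sample lines are constructed for the example, and PAN_SPLUNK_USER / PAN_SPLUNK_PASS are assumed variable names.

```python
"""Timestamp rewrite, pacing and request building from pan_datagen, testable.

Added example, not code from the pan_datagen app. Python 3 (urllib.request
instead of the scripts' urllib2). SAMPLE_LINES are constructed; the
PAN_SPLUNK_USER / PAN_SPLUNK_PASS variable names are an assumption.
"""
import base64
import datetime
import os
import re
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# syslog header the samples start with, e.g. "Feb 25 01:01:40" (15 chars;
# syslog pads a single-digit day with a space, strftime('%d') with a zero)
SYSLOG_TS = re.compile(r'^[A-Z][a-z]{2} [ 0-3]\d \d\d:\d\d:\d\d')
# PAN-OS CSV prefix after the header in the incident samples:
# " 1,2012/02/25 01:01:40," = future_use, receive_time (38 chars with header)
PAN_PREFIX = re.compile(r'^ 1,\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,')

# fixed clock so the demo output (and the checks on it) are reproducible
EXAMPLE_NOW = datetime.datetime(2014, 3, 1, 12, 34, 56)

# constructed sample lines in the two formats the scripts replay
SAMPLE_LINES = [
    'Feb 25 01:01:40 1,2012/02/25 01:01:40,001606001116,THREAT,url,1,'
    '2012/02/25 01:01:35,10.0.0.5,203.0.113.5,0.0.0.0,0.0.0.0,rule1\n',
    'Feb 25 01:01:41 gp-gw1 GlobalProtect gateway login succeeded for '
    'user alice from 198.51.100.7\r\n',
]


def rewrite_timestamp(line, now):
    """Replace the line's timestamp(s) with `now` and strip the newline.

    GlobalProtect lines carry only the syslog header; incident lines also
    carry the PAN-OS receive_time, rewritten to the same instant. A line
    without a syslog header raises ValueError instead of being sliced
    into garbage the way a fixed l[38:] would.
    """
    line = line.rstrip('\r\n')
    m = SYSLOG_TS.match(line)
    if m is None:
        raise ValueError('no syslog timestamp at start of %r' % line[:20])
    rest = line[m.end():]
    out = now.strftime('%b %d %H:%M:%S')
    m2 = PAN_PREFIX.match(rest)
    if m2 is not None:
        out += now.strftime(' 1,%Y/%m/%d %H:%M:%S,')
        rest = rest[m2.end():]
    return out + rest


def pace(lines, eps, pause):
    """Yield (seconds_to_sleep, line): `eps` lines back-to-back, then pause.

    Unlike the `continue` after time.sleep() in pan_incident.py, the line
    at the batch boundary is delayed rather than dropped.
    """
    sent = 0
    for line in lines:
        delay = 0
        if sent >= eps:
            sent = 0
            delay = pause
        yield delay, line
        sent += 1


def build_request(server, port, index, sourcetype, event, user, password):
    """POST to /services/receivers/simple with the credentials in one header.

    index and sourcetype are URL-encoded ('pan:log' -> 'pan%3Alog'); the
    Basic token is sent pre-emptively instead of via an installed opener.
    """
    query = urlencode({'index': index, 'sourcetype': sourcetype})
    url = 'https://%s:%s/services/receivers/simple?%s' % (server, port, query)
    token = base64.b64encode(('%s:%s' % (user, password)).encode()).decode()
    return Request(url, data=event.encode('utf-8'),
                   headers={'Authorization': 'Basic ' + token}, method='POST')


def replay(lines, eps=3, pause=5, now=None, send=False):
    """Rewrite and pace the lines; return the [(delay, event)] list built.

    send=False (the default) keeps everything on this host. With send=True,
    urlopen verifies the server certificate, so Splunk's self-signed cert
    on 8089 is rejected unless a trusted one is installed or an ssl context
    is passed. Credentials come from the environment, not from the code.
    """
    built = []
    for delay, line in pace(lines, eps, pause):
        evt = rewrite_timestamp(line, now or datetime.datetime.now())
        req = build_request('localhost', '8089', 'main', 'pan:log', evt,
                            os.environ.get('PAN_SPLUNK_USER', 'pan'),
                            os.environ.get('PAN_SPLUNK_PASS', ''))
        built.append((delay, evt))
        if send:
            time.sleep(delay)
            urlopen(req)
    return built


if __name__ == '__main__':
    for delay, evt in replay(SAMPLE_LINES, eps=1, now=EXAMPLE_NOW):
        print('sleep %ds, then POST: %s' % (delay, evt[:60]))
```

Run as a script it prints the rewritten events and the pause before each without contacting Splunk; pass send=True (and a trusted certificate on the management port) to actually post them. The regex check is the part worth keeping even in the Python 2 scripts: a blank or truncated line in a sample file otherwise becomes an event with the current timestamp glued to a random tail of the line, which is hard to spot once it is in the index.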
/default/app.conf:
--------------------------------------------------------------------------------
1 | [ui]
2 | is_visible = 0
3 | label = pan_datagen
4 |
5 | [launcher]
6 | author = btorres-gil@paloaltonetworks.com
7 | description = Generate simulated data for Splunk for Palo Alto Networks app. Useful for demos and testing.
8 | version = 3.1
9 |
10 |
11 | [package]
12 | check_for_updates = 0
13 |
14 | [install]
15 | state = enabled
16 |
--------------------------------------------------------------------------------
/default/authorize.conf:
--------------------------------------------------------------------------------
1 | # Role for the demo user the generator scripts authenticate as (panuser =
2 | # 'pan'). edit_tcp is the capability a POST to /services/receivers/simple
3 | # needs; the remaining settings confine the role to non-real-time searches
4 | # of pan_logs over at most a 24 hour window. Note that the scripts default
5 | # to index = 'main', which this role cannot search: set index = 'pan_logs'
6 | # in the scripts or search as a user with access to main.
7 | [role_pan]
8 | edit_tcp = enabled
9 | output_file = enabled
10 | rtSrchJobsQuota = 0
11 | search = enabled
12 | srchIndexesAllowed = pan_logs
13 | srchIndexesDefault = pan_logs
14 | srchMaxTime = 0
15 | srchTimeWin = 86400
16 |
--------------------------------------------------------------------------------
/default/indexes.conf:
--------------------------------------------------------------------------------
1 | [pan_logs]
2 | coldPath = $SPLUNK_DB/pan_logs/colddb
3 | homePath = $SPLUNK_DB/pan_logs/db
4 | thawedPath = $SPLUNK_DB/pan_logs/thaweddb
--------------------------------------------------------------------------------
/default/inputs.conf:
--------------------------------------------------------------------------------
1 |
2 | ## Palo Alto Gen
3 |
4 | [script://$SPLUNK_HOME/etc/apps/pan_datagen/bin/scripts/pan_incident.py]
5 | disabled = false
6 | interval = -1
7 |
8 | [script://$SPLUNK_HOME/etc/apps/pan_datagen/bin/scripts/pan_inc_data_config.py]
9 | disabled = false
10 | interval = -1
11 |
12 | [script://$SPLUNK_HOME/etc/apps/pan_datagen/bin/scripts/pan_inc_wildfire_report.py]
13 | disabled = false
14 | interval = -1
15 |
16 | [script://$SPLUNK_HOME/etc/apps/pan_datagen/bin/scripts/pan_endpoint.py]
17 | disabled = false
18 | interval = -1
19 |
20 | [script://$SPLUNK_HOME/etc/apps/pan_datagen/bin/scripts/pan_netflow.py]
21 | disabled = false
22 | interval = -1
23 |
24 | [script://$SPLUNK_HOME/etc/apps/pan_datagen/bin/scripts/pan_globalprotect.py]
25 | disabled = false
26 | interval = -1
--------------------------------------------------------------------------------
/metadata/default.meta:
--------------------------------------------------------------------------------
1 | ; This file contains configuration data and metadata.
2 | ;
3 | ; Each stanza refers to a configuration object within Splunk. Stanza headers
4 | ; have the following format:
5 | ;
6 | ; ///[/...]
7 | ;
8 | ; A stanza may contain the following settings:
9 | ;
10 | ; access = permissions on this path
11 | ; data = text data stored at this path (ignored if only whitespace)
12 | ; export = export target for this path
13 |
14 | []
15 | export = system
16 |
--------------------------------------------------------------------------------