Palo Alto Threat
Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-paloalto-threat/generator.yml \
  --id panw-threat \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| spyware-dns | DNS-based spyware — malware domains, C2 callbacks, DNS tunneling | ~35% | threat |
| vulnerability | IPS vulnerability exploit signatures | ~20% | threat |
| spyware-callback | C2 callback over HTTP/HTTPS | ~15% | threat |
| virus | Antivirus file-based detections (PE, ELF, scripts) | ~12% | threat |
| file-scan | File type matching and network scan detection | ~10% | threat |
| wildfire | WildFire cloud verdicts — malware, grayware, phishing | ~8% | threat |
Realism Features
- 70 threat signatures with realistic ID ranges per subtype (spyware, vulnerability, virus, wildfire, file, scan)
- Correlated action distributions per subtype — DNS spyware uses sinkhole/drop; virus uses reset-both; vulnerability mostly alerts
- Severity-to-syslog mapping with per-subtype severity distributions (critical through informational)
- Direction correlation — DNS/C2/scan outbound, virus/wildfire/file inbound
- Subtype-specific content versions (Antivirus-* for virus, AppThreat-* for others)
- 55 malicious domains organized by threat category (C2, malware download, DNS tunnel)
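The correlations listed above are only useful if you can see them in a run, and the sinkhole action is what makes the DNS spyware events detectable downstream. The following script is an added example, not part of this content pack or of Eventum: it parses generated events, tallies `panw.panos.action` per `sub_type` so you can confirm the advertised action/subtype correlation, and runs a simple detection for hosts whose DNS queries were sinkholed repeatedly (a beacon retrying a blocked C2 domain). The field layout follows the Sample Output section below; everything else is an assumption: that events are available as NDJSON (one JSON object per line), the constructed sample run, the `(Generic:<domain>)` naming pattern generalised from the one sample threat name, and the `event.severity` values other than the sample's medium = 3.

```python
# Added example (not Eventum or content-pack code): consume PAN-OS threat events
# in the Sample Output layout, check the action/subtype correlation, and flag
# hosts with repeated DNS sinkhole hits. NDJSON input and sample run are assumed.
import json
import re
from collections import Counter, defaultdict

def make_event(ts, src, dst, port, app, proto, action, sev, syslog_sev,
               sub_type, name, category, user=None):
    """Build one ECS-shaped threat event in the page's sample layout."""
    return {
        "@timestamp": ts,
        "event": {"kind": "alert", "dataset": "panw.panos", "severity": syslog_sev},
        "source": {"ip": src, **({"user": {"name": user}} if user else {})},
        "destination": {"ip": dst, "port": port},
        "network": {"application": app, "transport": proto},
        "panw": {"panos": {"action": action, "severity": sev, "sub_type": sub_type,
                           "threat": {"name": name}, "threat_category": category}},
        "observer": {"product": "PAN-OS", "vendor": "Palo Alto Networks"},
    }

# Constructed sample run, not generator output. Only medium=3 is taken from the
# page's sample; the other event.severity values and signature names are assumed.
_C2 = "Suspicious DNS Query (Generic:c2-beacon.xyz)(327891564)"
_DL = "Suspicious DNS Query (Generic:dl.malware-host.example)(327891601)"
SAMPLE_EVENTS = [
    make_event(f"2026-03-06T14:2{m}:31.000+00:00", "10.1.1.14", "10.100.15.1", 53,
               "dns-base", "udp", "sinkhole", "medium", 3, "spyware", _C2,
               "dns-malware", user="jsmith")
    for m in (2, 3, 4)                      # same host, one beacon retry per minute
] + [
    make_event("2026-03-06T14:25:02.000+00:00", "10.1.1.22", "10.100.15.1", 53,
               "dns-base", "udp", "sinkhole", "medium", 3, "spyware", _DL, "dns-malware"),
    make_event("2026-03-06T14:25:40.000+00:00", "203.0.113.5", "10.1.1.22", 80,
               "web-browsing", "tcp", "reset-both", "high", 2, "virus",
               "Example.Trojan.Downloader(00001)", "malware"),
    make_event("2026-03-06T14:26:11.000+00:00", "203.0.113.77", "10.1.1.30", 443,
               "ssl", "tcp", "alert", "high", 2, "vulnerability",
               "Example Web Server Remote Code Execution(00002)", "code-execution"),
]

def sample_stream():
    """The sample run as NDJSON, one event per line."""
    return "".join(json.dumps(e) + "\n" for e in SAMPLE_EVENTS)

def parse_ndjson(text):
    """Parse one JSON object per line. A malformed line raises instead of being
    dropped: when testing detections, a silently lost event looks like a miss."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: malformed event: {exc}") from None
    return events

def get(ev, path, default=None):
    # Dotted-path lookup tolerant of missing intermediate objects.
    cur = ev
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def action_distribution(events):
    """{sub_type: {action: count}}; expect sinkhole/drop under spyware for DNS,
    reset-both under virus, and mostly alert under vulnerability."""
    dist = defaultdict(Counter)
    for ev in events:
        dist[get(ev, "panw.panos.sub_type", "?")][get(ev, "panw.panos.action", "?")] += 1
    return {k: dict(v) for k, v in dist.items()}

_INDICATOR = re.compile(r"\(Generic:([^)]+)\)")  # domain embedded in the sample's threat name

def repeated_sinkholes(events, threshold=3):
    """Sources with >= threshold sinkholed DNS queries. One sinkhole hit is a host
    that resolved a bad domain; repeated hits are a beacon retrying its C2."""
    hits = defaultdict(lambda: {"count": 0, "indicators": set()})
    for ev in events:
        if get(ev, "panw.panos.action") != "sinkhole" or get(ev, "destination.port") != 53:
            continue
        rec = hits[get(ev, "source.ip", "?")]
        rec["count"] += 1
        if m := _INDICATOR.search(get(ev, "panw.panos.threat.name", "")):
            rec["indicators"].add(m.group(1))
    return {src: {"count": r["count"], "indicators": sorted(r["indicators"])}
            for src, r in hits.items() if r["count"] >= threshold}

if __name__ == "__main__":
    evs = parse_ndjson(sample_stream())
    print(json.dumps(action_distribution(evs), indent=2))
    print(json.dumps(repeated_sinkholes(evs), indent=2))
```

Run it against a real generator run by replacing `sample_stream()` with the file contents; if the `spyware` bucket of the distribution shows actions other than `sinkhole`/`drop` for DNS events, or `virus` shows anything but `reset-both`, the pack is not producing the correlation described above. The threshold of three sinkhole hits is a starting point for a detection; tune it to the beacon interval you expect rather than treating it as a fixed rule.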
Sample Output
```json
{
  "@timestamp": "2026-03-06T14:22:31.000+00:00",
  "event": {
    "action": "spyware_detected",
    "category": ["intrusion_detection", "threat", "network"],
    "dataset": "panw.panos",
    "kind": "alert",
    "outcome": "failure",
    "severity": 3,
    "type": ["denied"]
  },
  "source": { "ip": "10.1.1.14", "user": { "name": "jsmith" } },
  "destination": { "ip": "10.100.15.1", "port": 53 },
  "network": { "application": "dns-base", "transport": "udp" },
  "panw": {
    "panos": {
      "action": "sinkhole",
      "severity": "medium",
      "sub_type": "spyware",
      "threat": { "name": "Suspicious DNS Query (Generic:c2-beacon.xyz)(327891564)" },
      "threat_category": "dns-malware"
    }
  },
  "observer": { "product": "PAN-OS", "vendor": "Palo Alto Networks" }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | PA-5260 | PAN-OS firewall hostname |
| domain | CORP | Active Directory domain |
| serial_number | 007200001056 | Firewall serial number |
| nat_ip | 198.51.100.1 | Source NAT IP |
| agent_id | e4f8c1a2-... | Elastic Agent ID |
| agent_version | 8.17.0 | Elastic Agent version |
Related Generators
Suricata IDS/IPS
Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.
Palo Alto URL Filtering
Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.
Snort IDS/IPS
Snort IDS/IPS alert output — malware C2 callbacks, web application attacks, network reconnaissance, policy violations, protocol anomalies, and DoS detection across 13 alert classifications.