# Palo Alto URL Filtering
Palo Alto PAN-OS URL Filtering logs — web browsing activity with 65+ URL categories, allow/block/continue/override actions, App-ID application attribution, and content type inspection.
## Quick Start

```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-paloalto-url/generator.yml \
  --id panw-url \
  --live-mode true
```

## Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| alert | URL alert — allowed access | ~87% | network |
| block-url | Hard block by URL category | ~6.5% | network |
| block-continue | Block with continue page | ~2.4% | network |
| continue | Allowed after user clicked Continue | ~1.2% | network |
| block-override | Block with override page | ~0.8% | network |
| override | Allowed after override password | ~0.7% | network |
| drop | Silent drop | ~0.7% | network |
| reset-client | Reset sent to client | ~0.4% | network |
| reset-server | Reset sent to server | ~0.2% | network |
| reset-both | Reset sent to both | ~0.1% | network |
## Realism Features
- 27 PAN-DB URL categories with realistic enterprise traffic weights
- Correlated continue/override flows — block events store sessions; continue/override events consume them
- 12 PAN-OS App-IDs with weighted selection (ssl, web-browsing, google-base, ms-office365)
- Source NAT translation on all outbound traffic
- HTTP header logging with realistic User-Agent strings and method distribution
- Geo-aware destinations — allowed traffic skews US/EU/JP; blocked skews higher-risk regions
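The Event Types table and the correlated continue/override flow above describe the same thing from the generator's side: a block-continue or block-override event opens a session, and a later continue or override event consumes it. The following Python is an added example (not part of the content pack or of Eventum) showing how a consumer of these logs would pair the two halves to find users who proceeded past a block page. Field paths follow the Sample Output in this README (`panw.panos.action`, `panw.panos.url.category`, `source.user.name`, `url.domain`, `@timestamp`); the events are constructed, and the 300-second pairing window is this example's assumption, not a PAN-OS setting.

```python
"""Correlate PAN-OS URL Filtering block pages with the continue/override
events that follow them.

Added example, not part of the content pack. Field paths follow the Sample
Output shown in this README; the events below are constructed, and the
300-second pairing window is an assumption of this example.
"""
from collections import Counter
from datetime import datetime

# A block page and the action PAN-OS logs when the user clicks through it
# (actions taken from the Event Types table).
FOLLOW_UP = {"block-continue": "continue", "block-override": "override"}


def _event(ts, ip, user, domain, action, category):
    """Build one constructed event in the README's ECS-style shape."""
    return {
        "@timestamp": ts,
        "source": {"ip": ip, "user": {"name": user}},
        "url": {"domain": domain, "path": "/"},
        "panw": {"panos": {"action": action, "url": {"category": category}}},
    }


# Constructed sample stream: one plain alert, one continue flow, one override
# flow whose click-through arrives late, and one hard block with no follow-up.
SAMPLE_EVENTS = [
    _event("2026-02-21T14:30:15+00:00", "10.1.1.14", "jsmith", "www.google.com", "alert", "search-engines"),
    _event("2026-02-21T14:31:02+00:00", "10.1.1.22", "adoe", "files.example.net", "block-continue", "online-storage-and-backup"),
    _event("2026-02-21T14:31:09+00:00", "10.1.1.22", "adoe", "files.example.net", "continue", "online-storage-and-backup"),
    _event("2026-02-21T14:32:40+00:00", "10.1.1.30", "bkim", "games.example.org", "block-override", "games"),
    _event("2026-02-21T14:45:00+00:00", "10.1.1.30", "bkim", "games.example.org", "override", "games"),
    _event("2026-02-21T14:33:00+00:00", "10.1.1.40", "cray", "bad.example.com", "block-url", "malware"),
]


def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"])


def correlate_bypasses(events, window_seconds=300):
    """Pair each continue/override with the block page it consumes.

    A block-continue/block-override event stores a session keyed by
    (user, domain); a continue/override with the same key, the matching
    action, and arriving within `window_seconds` consumes it. Returns one
    finding per consumed session, in timestamp order.
    """
    pending = {}
    findings = []
    for ev in sorted(events, key=_ts):
        action = ev["panw"]["panos"]["action"]
        key = (ev["source"]["user"]["name"], ev["url"]["domain"])
        if action in FOLLOW_UP:
            pending[key] = ev  # block page shown: store the session
        elif action in FOLLOW_UP.values():
            blk = pending.pop(key, None)
            if blk is None:
                continue  # no stored session to consume; nothing to report
            elapsed = (_ts(ev) - _ts(blk)).total_seconds()
            # A late click-through still consumes the session but is not paired.
            if FOLLOW_UP[blk["panw"]["panos"]["action"]] == action and elapsed <= window_seconds:
                findings.append({
                    "user": key[0],
                    "domain": key[1],
                    "category": ev["panw"]["panos"]["url"]["category"],
                    "block_action": blk["panw"]["panos"]["action"],
                    "elapsed_seconds": int(elapsed),
                })
    return findings


def action_distribution(events):
    """Count events per PAN-OS action, for comparison with the Event Types frequencies."""
    return Counter(ev["panw"]["panos"]["action"] for ev in events)


if __name__ == "__main__":
    for f in correlate_bypasses(SAMPLE_EVENTS):
        print(f"{f['user']} proceeded past {f['block_action']} for {f['domain']} "
              f"({f['category']}) after {f['elapsed_seconds']}s")
    print(dict(action_distribution(SAMPLE_EVENTS)))
```

Run against the generator's live output, `correlate_bypasses` reports only the pairs the generator intended (a stored block session consumed by its follow-up), while an override that arrives outside the window is dropped silently; widen `window_seconds` if your firewall's continue/override timeouts are longer. `action_distribution` gives a quick check that the observed action mix matches the frequencies in the Event Types table.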
## Sample Output

```json
{
  "@timestamp": "2026-02-21T14:30:15.123456+00:00",
  "event": {
    "action": "url_filtering",
    "category": ["intrusion_detection", "threat", "network"],
    "dataset": "panw.panos",
    "kind": "alert",
    "outcome": "success"
  },
  "source": { "ip": "10.1.1.14", "user": { "name": "jsmith" } },
  "destination": { "ip": "142.250.80.46", "port": 443 },
  "url": { "domain": "www.google.com", "path": "/search" },
  "panw": {
    "panos": {
      "action": "alert",
      "url": { "category": "search-engines" }
    }
  },
  "observer": { "product": "PAN-OS", "vendor": "Palo Alto Networks" }
}
```

## Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | PA-5260 | PAN-OS firewall hostname |
| domain | CORP | Active Directory domain |
| serial_number | 007200001056 | Firewall serial number |
| nat_ip | 198.51.100.1 | Source NAT IP |
| agent_id | e4f8c1a2-... | Elastic Agent ID |
| agent_version | 8.17.0 | Elastic Agent version |
## Related Generators

- **Suricata IDS/IPS**: Suricata EVE JSON output — IDS alerts with ET Open signatures, DNS/HTTP/TLS/SSH protocol logs, NetFlow records, and anomaly detections with correlated flow IDs and MITRE ATT&CK mapping.
- **Palo Alto Threat**: Palo Alto PAN-OS Threat logs — IPS vulnerability exploits, antivirus detections, anti-spyware (DNS sinkhole and C2 callback), WildFire cloud verdicts, file type matching, and network scan detection with correlated severity, action, and threat category fields.
- **Snort IDS/IPS**: Snort IDS/IPS alert output — malware C2 callbacks, web application attacks, network reconnaissance, policy violations, protocol anomalies, and DoS detection across 13 alert classifications.