feat(data_library): add full-width PAN-OS CSV samples for Palo Alto#245

Open
chelseawright7 wants to merge 3 commits into observIQ:main from chelseawright7:add-palo-alto-full-width-csv-samples

Conversation

@chelseawright7


What

Adds full-width PAN-OS (10.x) CSV log samples under data_library/palo-alto/, starting with TRAFFIC. More log types (THREAT, SYSTEM, CONFIG, …) will be added to this PR.

Why

The Bindplane Palo Alto parsing/reduction blueprints parse PAN-OS syslog by parse_csv against the full field header. The existing palo-alto CSV samples (auth_failure.log, config_change.log) are abbreviated — they have fewer fields than the full PAN-OS header, so they fail strict CSV parsing and can't be used to verify the blueprints end-to-end. (The other palo-alto samples are LEEF, a different format.)

These full-width samples let the blueprints be validated against realistic, complete PAN-OS records.

Sample

  • data_library/palo-alto/traffic.log — a 64-field PAN-OS TRAFFIC (session end) record, syslog-framed, using the standard Blitz %Y/%m/%d %H:%M:%S timestamp placeholders. Values are realistic and generic (no real customer data).
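The PR's point is that a sample only exercises the blueprint if its field count matches the full PAN-OS header exactly, because strict CSV parsing rejects anything narrower. The following is an added example, not code from this PR or from Bindplane, that shows that check in plain Python: it strips syslog framing from a line, parses the remainder as CSV (respecting quoted fields, since PAN-OS rule names and URLs may contain commas), and refuses records whose width differs from the header. The header here is a constructed ten-column stand-in for the real 64-field TRAFFIC header, the syslog regex assumes RFC 3164 style framing, and both sample lines are constructed.

```python
import csv
import re
from io import StringIO

# Constructed stand-in for the full PAN-OS TRAFFIC header. The real header in the
# PR is 64 fields wide; the technique is the same for any width.
TRAFFIC_HEADER = [
    "receive_time", "serial", "type", "subtype", "generated_time",
    "src", "dst", "rule", "action", "bytes",
]

# Assumed RFC 3164 style framing: "<PRI>Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed samples. The first has all ten columns (one rule name is quoted
# because it contains a comma); the second is abbreviated to seven columns,
# which is the failure mode the PR description describes.
FULL_WIDTH_SAMPLE = (
    "<14>Jul  3 07:36:00 pa-fw-01 2026/07/03 07:36:00,001122334455,TRAFFIC,end,"
    '2026/07/03 07:35:59,10.1.1.10,203.0.113.5,"allow-web, outbound",allow,1234'
)
ABBREVIATED_SAMPLE = (
    "<14>Jul  3 07:36:00 pa-fw-01 2026/07/03 07:36:00,001122334455,TRAFFIC,end,"
    "10.1.1.10,203.0.113.5,allow"
)


def split_syslog(line):
    """Return (host, csv_message) or raise if the line is not syslog-framed."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line is not syslog-framed")
    return m.group("host"), m.group("msg")


def parse_csv_strict(msg, header):
    """Parse one CSV record and require its width to equal the header's width."""
    fields = next(csv.reader(StringIO(msg)))
    if len(fields) != len(header):
        raise ValueError(
            f"field count {len(fields)} does not match header width {len(header)}"
        )
    return dict(zip(header, fields))


def parse_record(line, header=TRAFFIC_HEADER):
    """Strict parse of a syslog-framed PAN-OS CSV line into a field dict."""
    host, msg = split_syslog(line)
    record = parse_csv_strict(msg, header)
    record["_host"] = host
    return record


def check_samples(lines, header=TRAFFIC_HEADER):
    """Validate sample lines; return (parsed records, [(line_no, error), ...])."""
    parsed, errors = [], []
    for n, line in enumerate(lines, start=1):
        try:
            parsed.append(parse_record(line, header))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return parsed, errors


if __name__ == "__main__":
    ok, bad = check_samples([FULL_WIDTH_SAMPLE, ABBREVIATED_SAMPLE])
    print(f"{len(ok)} record(s) parsed; {len(bad)} rejected")
    for n, err in bad:
        print(f"  line {n}: {err}")
```

Running the block reports one parsed record and one rejection, which is exactly the distinction between the new full-width samples and the older abbreviated ones. The same function can be pointed at each file under data_library/palo-alto/ with that log type's header to confirm every sample survives strict parsing before it is used to validate a blueprint.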

Adds a full-width (64-field) PAN-OS 10.x TRAFFIC log to data_library/palo-alto/
so the Bindplane Palo Alto traffic parsing blueprint can be verified end-to-end.
The existing palo-alto CSV samples (auth_failure.log, config_change.log) are
abbreviated and fail strict CSV parsing against the full field header.
@chelseawright7 chelseawright7 requested review from a team as code owners July 3, 2026 07:36
Chelsea Wright added 2 commits July 3, 2026 09:48

…o-alto/csv; add THREAT

Move traffic.log into palo-alto/csv/ (native full-width CSV, distinct from the
existing LEEF samples) and add csv/threat.log (79-field PAN-OS THREAT record).

Adds SYSTEM, CONFIG, HIP-MATCH, AUTHENTICATION, CORRELATION, DECRYPTION,
GLOBALPROTECT, GTP, IPTAG, SCTP, and USERID full-width PAN-OS 10.x CSV records
under palo-alto/csv/, each matching the corresponding PAN-OS field header exactly
(so strict CSV parsing succeeds). Realistic, generic values (no customer data).
Used to verify the Bindplane Palo Alto full log parsing blueprint end-to-end.