Here’s a sanitised one.
Though maybe there’s a nuance I hadn’t considered yet. If I check the direction on panw.panos.sub_type:packet events, then all appears good. So now I’m questioning my assumption that all inbound connections would equal network.direction:inbound, as one could argue that a file fetched from a server could be classed as outbound.
{
"_index": ".ds-logs-panw.panos-default-2025.10.12-000017",
"_id": "950S3pkBhNSVDisYfXbX",
"_version": 1,
"_source": {
"agent": {
"name": "eas00.dc.domain.com",
"id": "a4e121db-e5ad-4495-ba6f-**********",
"type": "filebeat",
"ephemeral_id": "0b7de718-46cd-4d3e-9dad-**********",
"version": "8.19.3"
},
"log": {
"level": "low",
"source": {
"address": "10.2.2.53:55292"
},
"syslog": {
"severity": {
"code": 5,
"name": "Notice"
},
"hostname": "fw.dc.domain.com",
"priority": 13,
"facility": {
"code": 1,
"name": "user-level"
}
}
},
"elastic_agent": {
"id": "a4e121db-e5ad-4495-ba6f-********",
"version": "8.19.3",
"snapshot": false
},
"destination": {
"geo": {
"continent_name": "Europe",
"country_iso_code": "BE",
"country_name": "Belgium",
"name": "Belgium",
"location": {
"lon": *.***,
"lat": *.***
}
},
"as": {
"number": *****,
"organization": {
"name": "Something N.v."
}
},
"port": 8080,
"ip": "1.2.3.4"
},
"rule": {
"name": "WAN - Unifi INFORM - GeoIP",
"uuid": "47f2b006-14e8-419e-94d1-********"
},
"source": {
"geo": {
"region_iso_code": "BE-***",
"continent_name": "Europe",
"city_name": "City",
"country_iso_code": "BE",
"country_name": "Belgium",
"name": "Belgium",
"location": {
"lon": *.***,
"lat": *.***
},
"region_name": "Some City"
},
"as": {
"number": *****,
"organization": {
"name": "Company BV"
}
},
"port": 41766,
"ip": "4.3.2.1"
},
"panw": {
"panos": {
"payload_protocol_id": "4294967295",
"http2_connection": "0",
"received_time": "2025-10-13T16:56:15.000+02:00",
"logged_time": "2025-10-13T16:56:15.000+02:00",
"repeat_count": 1,
"imsi": "0",
"type": "THREAT",
"url_idx": "1",
"threat_category": "N/A",
"log_profile": "default",
"sub_type": "file",
"flow_id": "419403",
"wildfire": {
"report_id": "0"
},
"action": "alert",
"tunnel_type": "N/A",
"device_group_hierarchy4": "0",
"ruleset": "WAN - Unifi INFORM - GeoIP",
"partial_hash": "0",
"action_flags": "0x0",
"high_resolution_timestamp": "2025-10-13T16:56:16.470+02:00",
"device_group_hierarchy1": "0",
"url": {
"category": "not-resolved"
},
"device_group_hierarchy2": "0",
"generated_time": "2025-10-13T16:56:15.000+02:00",
"device_group_hierarchy3": "0",
"virtual_sys": "vsys1",
"sequence_number": "7522994304294638195",
"content_version": "AppThreat-9028-9712",
"application": {
"risk_level": 4,
"characteristics": "used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",
"tunneled": "web-browsing",
"sub_category": "internet-utility",
"is_sanctioned": "no",
"is_saas": "no",
"technology": "browser-based",
"category": "general-internet"
},
"parent_session": {
"id": "0"
},
"sctp": {
"assoc_id": "0"
},
"threat": {
"name": "Unknown Binary File",
"id": "52081"
}
}
},
"tags": [
"panw-panos",
"forwarded"
],
"network": {
"community_id": "********",
"application": "web-browsing",
"transport": "tcp",
"type": "ipv4",
"direction": "outbound"
},
"labels": {
"non_standard_port_usage": true,
"temporary_match": true
},
"input": {
"type": "tcp"
},
"observer": {
"ingress": {
"zone": "WAN",
"interface": {
"name": "ethernet1/16"
}
},
"product": "PAN-OS",
"hostname": "fw.dc",
"vendor": "Palo Alto Networks",
"serial_number": "********",
"type": "firewall",
"egress": {
"zone": "DMZ",
"interface": {
"name": "ethernet1/2.204"
}
}
},
"@timestamp": "2025-10-13T16:56:16.470+02:00",
"file": {
"name": "inform"
},
"ecs": {
"version": "8.17.0"
},
"related": {
"hosts": [
"fw.dc"
],
"ip": [
"4.3.2.1",
"1.2.3.4"
]
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "panw.panos"
},
"event": {
"severity": 4,
"agent_id_status": "verified",
"ingested": "2025-10-13T14:56:17Z",
"timezone": "CET",
"created": "2025-10-13T14:56:16.473Z",
"kind": "alert",
"action": "file_match",
"category": [
"intrusion_detection",
"threat",
"network"
],
"type": [
"allowed"
],
"dataset": "panw.panos",
"outcome": "success"
}
},
"fields": {
"destination.geo.name": [
"Belgium"
],
"elastic_agent.version": [
"8.19.3"
],
"event.category": [
"intrusion_detection",
"threat",
"network"
],
"observer.egress.interface.name": [
"ethernet1/2.204"
],
"panw.panos.action_flags": [
"0x0"
],
"panw.panos.partial_hash": [
"0"
],
"observer.vendor": [
"Palo Alto Networks"
],
"panw.panos.repeat_count": [
1
],
"log.syslog.facility.name": [
"user-level"
],
"agent.name.text": [
"eas00.dc.domain.com"
],
"source.geo.region_name": [
"Some City"
],
"log.syslog.severity.name": [
"Notice"
],
"source.ip": [
"4.3.2.1"
],
"agent.name": [
"eas00.dc.domain.com"
],
"panw.panos.type": [
"THREAT"
],
"network.community_id": [
"********"
],
"event.agent_id_status": [
"verified"
],
"panw.panos.high_resolution_timestamp": [
"2025-10-13T14:56:16.470Z"
],
"event.outcome": [
"success"
],
"source.geo.city_name": [
"City"
],
"event.severity": [
4
],
"destination.geo.continent_name": [
"Europe"
],
"input.type": [
"tcp"
],
"tags": [
"panw-panos",
"forwarded"
],
"panw.panos.application.risk_level": [
4
],
"panw.panos.received_time": [
"2025-10-13T14:56:15.000Z"
],
"agent.id": [
"a4e121db-e5ad-4495-ba6f-********"
],
"source.port": [
41766
],
"panw.panos.sequence_number": [
"7522994304294638195"
],
"log.source.address": [
"10.2.2.53:55292"
],
"panw.panos.tunnel_type": [
"N/A"
],
"panw.panos.log_profile": [
"default"
],
"destination.geo.country_name": [
"Belgium"
],
"observer.egress.zone": [
"DMZ"
],
"panw.panos.ruleset": [
"WAN - Unifi INFORM - GeoIP"
],
"source.as.number": [
6848
],
"destination.port": [
8080
],
"panw.panos.url_idx": [
"1"
],
"log.syslog.hostname": [
"fw.dc.domain.com"
],
"panw.panos.application.is_saas": [
"no"
],
"labels.temporary_match": [
true
],
"agent.type": [
"filebeat"
],
"panw.panos.logged_time": [
"2025-10-13T14:56:15.000Z"
],
"network.application": [
"web-browsing"
],
"related.ip": [
"4.3.2.1",
"1.2.3.4"
],
"panw.panos.sub_type": [
"file"
],
"observer.product": [
"PAN-OS"
],
"elastic_agent.snapshot": [
false
],
"elastic_agent.id": [
"a4e121db-e5ad-4495-ba6f-********"
],
"panw.panos.imsi": [
"0"
],
"file.name": [
"inform"
],
"panw.panos.application.is_sanctioned": [
"no"
],
"destination.as.organization.name.text": [
"Company N.v."
],
"destination.ip": [
"1.2.3.4"
],
"observer.hostname": [
"fw.dc"
],
"panw.panos.http2_connection": [
"0"
],
"panw.panos.url.category": [
"not-resolved"
],
"event.action": [
"file_match"
],
"event.ingested": [
"2025-10-13T14:56:17.000Z"
],
"@timestamp": [
"2025-10-13T14:56:16.470Z"
],
"destination.geo.country_iso_code": [
"BE"
],
"data_stream.dataset": [
"panw.panos"
],
"source.geo.name": [
"Belgium"
],
"agent.ephemeral_id": [
"0b7de718-46cd-4d3e-9dad-********"
],
"panw.panos.sctp.assoc_id": [
"0"
],
"log.syslog.facility.code": [
1
],
"destination.as.organization.name": [
"Company N.v."
],
"panw.panos.application.characteristics": [
"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use"
],
"panw.panos.parent_session.id": [
"0"
],
"observer.ingress.interface.name": [
"ethernet1/16"
],
"panw.panos.content_version": [
"AppThreat-9028-9712"
],
"panw.panos.application.tunneled": [
"web-browsing"
],
"panw.panos.device_group_hierarchy3": [
"0"
],
"panw.panos.device_group_hierarchy4": [
"0"
],
"panw.panos.device_group_hierarchy1": [
"0"
],
"panw.panos.device_group_hierarchy2": [
"0"
],
"panw.panos.application.category": [
"general-internet"
],
"log.level": [
"low"
],
"panw.panos.application.sub_category": [
"internet-utility"
],
"source.geo.region_iso_code": [
"BE-***"
],
"event.kind": [
"alert"
],
"log.syslog.severity.code": [
5
],
"rule.name": [
"WAN - Unifi INFORM - GeoIP"
],
"panw.panos.action": [
"alert"
],
"panw.panos.application.technology": [
"browser-based"
],
"data_stream.type": [
"logs"
],
"observer.serial_number": [
"********"
],
"panw.panos.flow_id": [
"419403"
],
"ecs.version": [
"8.17.0"
],
"observer.type": [
"firewall"
],
"event.created": [
"2025-10-13T14:56:16.473Z"
],
"agent.version": [
"8.19.3"
],
"related.hosts": [
"fw.dc"
],
"labels.non_standard_port_usage": [
true
],
"panw.panos.threat_category": [
"N/A"
],
"panw.panos.wildfire.report_id": [
"0"
],
"source.geo.location": [
{
"coordinates": [
*.***,
*.***
],
"type": "Point"
}
],
"destination.geo.location": [
{
"coordinates": [
*.***,
*.***
],
"type": "Point"
}
],
"panw.panos.threat.name": [
"Unknown Binary File"
],
"event.module": [
"panw"
],
"observer.ingress.zone": [
"WAN"
],
"panw.panos.generated_time": [
"2025-10-13T14:56:15.000Z"
],
"source.geo.country_iso_code": [
"BE"
],
"log.syslog.priority": [
13
],
"network.direction": [
"outbound"
],
"panw.panos.virtual_sys": [
"vsys1"
],
"event.timezone": [
"CET"
],
"network.type": [
"ipv4"
],
"source.as.organization.name.text": [
"Company BV"
],
"panw.panos.threat.id": [
"52081"
],
"data_stream.namespace": [
"default"
],
"destination.as.number": [
*****
],
"source.as.organization.name": [
"Company BV"
],
"source.geo.continent_name": [
"Europe"
],
"network.transport": [
"tcp"
],
"rule.uuid": [
"47f2b006-14e8-419e-94d1-********"
],
"panw.panos.payload_protocol_id": [
"********"
],
"event.type": [
"allowed"
],
"source.geo.country_name": [
"Belgium"
],
"event.dataset": [
"panw.panos"
]
}
}
So if my assumptions are incorrect, please set me right.