What Changed
Added complete ASIM Authentication parser support for Palo Alto PAN-OS GlobalProtect VPN events, including both parametrized (vimAuthenticationPaloAltoGlobalProtect) and unfiltered (ASimAuthenticationPaloAltoGlobalProtect) versions.
Parser Impact
The new parsers normalize GlobalProtect authentication logs from the CommonSecurityLog table to the ASIM Authentication schema (v0.1.4). Core functionality:
- Primary data source: CommonSecurityLog table, filtered on DeviceVendor == "Palo Alto Networks", DeviceProduct == "PAN-OS" and DeviceEventClassID == "GLOBALPROTECT"
- Core logic: Parses the AdditionalExtensions field to extract authentication events (gateway-login, gateway-logout, gateway-auth, portal-auth, portal-prelogin, gateway-connected)
- Entity mappings: Account (TargetUsername), IP (SrcIpAddr), Host (SrcHostname), URL (TargetAppName)
Detection Surface Unlocked
Enables standardized monitoring of:
- VPN gateway authentication events (login/logout/connect)
- Portal authentication and pre-login events
- Multiple authentication methods (LDAP, RADIUS, SAML, certificate, local-database, Kerberos, TACACS+)
- GlobalProtect client version and endpoint OS tracking
- Authentication failures with detailed error categorization
No bundled detections are included; the parsers provide the data normalization foundation for custom detection development.
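An added example (not part of this PR or the parser package): a KQL hunting query over the normalized output of ASimAuthenticationPaloAltoGlobalProtect that flags a source IP failing logons for many distinct users, and notes whether a success followed. It assumes the parser populates the standard ASIM Authentication fields EventType, EventResult, EventResultDetails and LogonMethod alongside the entity fields listed above; the thresholds and one-hour window are illustrative values.

```kql
// Added example, not the project's own detection.
// Many failed GlobalProtect logons for many distinct users from one source IP.
let lookback = 1h;             // assumed window
let min_failures = 20;         // assumed threshold, tune per environment
let min_distinct_users = 10;   // assumed threshold, tune per environment
ASimAuthenticationPaloAltoGlobalProtect
| where TimeGenerated > ago(lookback)
// Assumption: login/auth events are normalized to EventType "Logon",
// logout events to "Logoff" (the ASIM Authentication value set).
| where EventType == "Logon"
| summarize
    Failures       = countif(EventResult == "Failure"),
    Successes      = countif(EventResult == "Success"),
    FailedUsers    = dcountif(TargetUsername, EventResult == "Failure"),
    SampleUsers    = make_set_if(TargetUsername, EventResult == "Failure", 20),
    FailureReasons = make_set_if(EventResultDetails, EventResult == "Failure", 10),
    LogonMethods   = make_set(LogonMethod, 10),
    Targets        = make_set(TargetAppName, 5),
    SrcHosts       = make_set(SrcHostname, 5),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by SrcIpAddr
| where Failures >= min_failures and FailedUsers >= min_distinct_users
// A success from the same source inside the window deserves priority triage.
| extend SuccessInWindow = Successes > 0
| project SrcIpAddr, SrcHosts, Failures, FailedUsers, Successes, SuccessInWindow,
          SampleUsers, FailureReasons, LogonMethods, Targets, FirstSeen, LastSeen
| order by SuccessInWindow desc, FailedUsers desc
```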
Affected Files
.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj
Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoGlobalProtect/ASimAuthenticationPaloAltoGlobalProtect.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoGlobalProtect/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoGlobalProtect/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoGlobalProtect/vimAuthenticationPaloAltoGlobalProtect.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoGlobalProtect.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoGlobalProtect.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationPaloAltoGlobalProtect.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationPaloAltoGlobalProtect.yaml
Sample Data/ASIM/Palo Alto_PAN-OS_Authentication_IngestedLogs.csv