Cloud NGFW for Azure
Cloud NGFW for Azure Threat Log Fields
Table of Contents
Expand All
|
Collapse All
Cloud NGFW for Azure Docs
Cloud NGFW for Azure Threat Log Fields
Learn about Threat log fields for your Cloud NGFW for Azure resource.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Field Name
|
Description
|
---|---|
Source address (src_ip)
|
Original session source IP address.
|
Source port (sport)
|
Source port utilized by the session.
|
Destination address (dst)
|
Original session destination IP address.
|
Destination port (dport)
|
Destination port utilized by the session.
|
IP Protocol (proto)
|
IP protocol associated with the session.
|
Application (app)
|
Application associated with the session.
|
Rule Name (rule)
|
Name of the rule that the session matched.
|
Action (action)
|
Action taken for the session; values are alert, allow, deny, drop,
drop-all-packets, reset-client, reset-server, reset-both,
block-url.
|
Threat Category (threat_category)
|
Describes threat categories used to
classify different types of threat signatures.
|
Threat/Content Type (threat_content_type)
|
Subtype of Threat log. Values include the following:
|
Threat/Content Name (threat_content_name)
|
Palo Alto Networks identifier for known and custom threats. It's a
description string followed by a 64-bit numerical identifier in
parentheses for some Subtypes:
Threat ID ranges for virus detection, WildFire signature feed,
and DNS C2 signatures used in previous releases are replaced
with permanent, globally unique threat IDs. Refer to the
Threat/Content Type (subtype) and threat Category (thr_category)
field names to create updated reports, filter threat logs, and
ACC activity. |
Severity (severity)
|
Severity associated with the threat; values are informational, low,
medium, high, critical.
|
Direction (direction)
|
Indicates the direction of the attack, client-to-server, or
server-to-client:
|
Repeat Count (repeatcnt)
|
Number of sessions with the same Source IP, Destination IP,
Application, and Content or Threat Type seen within 5 seconds.
|
Reason (data_filter_reason)
|
Reason for data filtering action.
|
XFF Address (xff)
|
The IP address of the user who requested the webpage or the IP
address of the next to the last device that the request traversed.
If the request goes through one or more proxies, load balancers, or
other upstream devices, the firewall displays the IP address of the
most recent device.
|
Content Version (contentver)
|
Applications and Threats version on your firewall when the log is
generated.
|