>
    Strata Copilot
    Cloud NGFW for Azure Threat Log Fields
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for Azure Administration
    3. Monitor Cloud NGFW for Azure Resources
    4. View Traffic and Threat Logs Natively in Azure
    5. View the Logs in Log Analytics Workspace
    6. Cloud NGFW for Azure Threat Log Fields
    Download PDF
    Cloud NGFW for Azure

    Cloud NGFW for Azure Threat Log Fields

    Table of Contents

    Cloud NGFW for Azure Threat Log Fields

    Learn about Threat log fields for your Cloud NGFW for Azure resource.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for Azure
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Portal account
    • Azure Marketplace subscription
    Field Name
    Description
    Source address (src_ip)
    Original session source IP address.
    Source port (sport)
    Source port utilized by the session.
    Destination address (dst)
    Original session destination IP address.
    Destination port (dport)
    Destination port utilized by the session.
    IP Protocol (proto)
    IP protocol associated with the session.
    Application (app)
    Application associated with the session.
    Rule Name (rule)
    Name of the rule that the session matched.
    Action (action)
    Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
    • alert—threat or URL detected but not blocked
    • allow— flood detection alert
    • deny—flood detection mechanism activated and deny traffic based on configuration
    • drop— threat detected and the associated session was dropped
    • reset-client —threat detected and a TCP RST sent to the client
    • reset-server —threat detected and a TCP RST sent to the server
    • reset-both —threat detected and a TCP RST sent to both the client and the server
    • block-url —URL request blocked because it matched a URL category that was blocked
    • block-ip—threat detected and client IP is blocked
    • random-drop—flood detected and the packet was randomly dropped
    • sinkhole—DNS sinkhole activated
    • syncookie-sent—syncookie alert
    • block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed
    • continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed
    • block-override (URL subtype only)—an HTTP request is blocked and redirected to an admin override page that requires a pass code from the firewall administrator to continue
    • override-lockout (URL subtype only)—too many failed admin override pass code attempts from the source IP. IP is now blocked from the block-override redirect page
    • override (URL subtype only)—response to a block-override page where a correct pass code is provided and the request is allowed
    • block (WildFire® only)—file blocked by the firewall and uploaded to WildFire®
    Threat Category (threat_category)
    Describes threat categories used to classify different types of threat signatures.
    Threat/Content Type (threat_content_type)
    Subtype of Threat log. Values include the following:
    • data—Data pattern matching a data filtering profile.
    • file—File type matching a file blocking profile.
    • flood—Flood detected via a Zone Protection profile.
    • packet—Packet-based attack protection triggered by a Zone Protection profile.
    • scan—Scan detected via a Zone Protection profile.
    • spyware —Spyware detected via an antispyware profile.
    • url—URL filtering log.
    • ml-virus—malware detected by WildFire® Inline ML via an Antivirus profile.
    • virus—malware detected via an Antivirus profile.
    • vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile.
    • wildfire —A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you're logging) is logged in the WildFire Submissions log.
    • wildfire-virus®—malware detected via an Antivirus profile.
    Threat/Content Name (threat_content_name)
    Palo Alto Networks identifier for known and custom threats. It's a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes:
    • 8000-8099— scan detection
    • 8500-8599— flood detection
    • 9999— URL filtering log
    • 10000-19999 —spyware phone home detection
    • 20000-29999 —spyware download detection
    • 30000-44999 —vulnerability exploits detection
    • 52000-52999— filetype detection
    • 60000-69999 —data filtering detection
    Threat ID ranges for virus detection, WildFire signature feed, and DNS C2 signatures used in previous releases are replaced with permanent, globally unique threat IDs. Refer to the Threat/Content Type (subtype) and threat Category (thr_category) field names to create updated reports, filter threat logs, and ACC activity.
    Severity (severity)
    Severity associated with the threat; values are informational, low, medium, high, critical.
    Direction (direction)
    Indicates the direction of the attack, client-to-server, or server-to-client:
    • 0—direction of the threat is client to server
    • 1—direction of the threat is server to client
    Repeat Count (repeatcnt)
    Number of sessions with the same Source IP, Destination IP, Application, and Content or Threat Type seen within 5 seconds.
    Reason (data_filter_reason)
    Reason for data filtering action.
    XFF Address (xff)
    The IP address of the user who requested the webpage or the IP address of the next to the last device that the request traversed. If the request goes through one or more proxies, load balancers, or other upstream devices, the firewall displays the IP address of the most recent device.
    Content Version (contentver)
    Applications and Threats version on your firewall when the log is generated.

    © 2026 Palo Alto Networks, Inc. All rights reserved.