Cloud NGFW for Azure Threat Log Fields
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Cloud NGFW for Azure Threat Log Fields
Learn what the threat log fields mean.
Field Name
|
Description
|
---|---|
Source address (src_ip)
|
Original session source IP address.
|
Source Port (sport)
|
Source port utilized by the session.
|
Destination address (dst)
|
Original session destination IP address.
|
Destination Port (dport)
|
Destination port utilized by the session.
|
IP Protocol (proto)
|
IP protocol associated with the session.
|
Application (app)
|
Application associated with the session.
|
Rule Name (rule)
|
Name of the rule that the session matched.
|
Action (action)
|
Action taken for the session; values are alert, allow, deny, drop,
drop-all-packets, reset-client, reset-server, reset-both,
block-url.
|
Threat Category (threat_category)
|
Describes threat categories used to
classify different types of threat signatures.
|
Threat/Content Type (threat_content_type)
|
Subtype of threat log. Values include the following:
|
Threat/Content Name (threat_content_name)
|
Palo Alto Networks identifier for known and custom threats. It is a
description string followed by a 64-bit numerical identifier in
parentheses for some Subtypes:
Threat ID ranges for virus detection, WildFire signature feed,
and DNS C2 signatures used in previous releases have been
replaced with permanent, globally unique threat IDs. Refer to
the Threat/Content Type (subtype) and Threat Category
(thr_category) field names to create updated reports, filter
threat logs, and ACC activity. |
Severity (severity)
|
Severity associated with the threat; values are informational, low,
medium, high, critical.
|
Direction (direction)
|
Indicates the direction of the attack, client-to-server or
server-to-client:
|
Repeat Count (repeatcnt)
|
Number of sessions with same Source IP, Destination IP, Application,
and Content/Threat Type seen within 5 seconds.
|
Reason (data_filter_reason)
|
Reason for Data Filtering action.
|
XFF Address (xff)
|
The IP address of the user who requested the web page or the IP
address of the next to last device that the request traversed. If
the request goes through one or more proxies, load balancers, or
other upstream devices, the firewall displays the IP address of the
most recent device.
|
Content Version (contentver)
|
Applications and Threats version on your firewall when the log was
generated.
|