Strata Logging Service
Events
Table of Contents
Expand All
|
Collapse All
Events
The event logs contain information that the Prisma Access Browser collects for
investigating every activity within your Enterprise Browser deployment.
See the following for information related to supported log formats:
EVENTS Field
(Display Name)
|
Description
|
|---|---|
application.app_category
(APPLICATION - APP CATEGORY)
| The category of application associated with the event. CEF field name: PanOSApplicationAppCategory EMAIL field name: ApplicationAppCategory HTTPS field name: ApplicationAppCategory LEEF field name: ApplicationAppCategory |
application.app_sub_category
(APPLICATION - APP SUBCATEGORY)
| The sub-category of application associated with the event. CEF field name: PanOSApplicationAppSubcategory EMAIL field name: ApplicationAppSubcategory HTTPS field name: ApplicationAppSubcategory LEEF field name: ApplicationAppSubcategory |
application.external_id
(APPLICATION - EXTERNAL ID)
| The unique identifier of the application. CEF field name: PanOSApplicationExternalID EMAIL field name: ApplicationExternalID HTTPS field name: ApplicationExternalID LEEF field name: ApplicationExternalID |
application.external_name
(APPLICATION - EXTERNAL NAME)
| The public name of the application associated with the event. CEF field name: PanOSApplicationExternalName EMAIL field name: ApplicationExternalName HTTPS field name: ApplicationExternalName LEEF field name: ApplicationExternalName |
application.id
(APPLICATION - ID)
|
Enumeration integer assigned to the application field value.
CEF field name: PanOSApplicationID EMAIL field name: ApplicationID HTTPS field name: ApplicationID LEEF field name: ApplicationID |
application.name
(APPLICATION - NAME)
| The application name (as used in APP-ID) associated with the event. CEF field name: PanOSApplicationName EMAIL field name: ApplicationName HTTPS field name: ApplicationName LEEF field name: ApplicationName |
application.protected_account
(APPLICATION - PROTECTED ACCOUNT)
| Identifies if the SaaS account is protected or not. CEF field name: PanOSApplicationProtectedAccount EMAIL field name: ApplicationProtectedAccount HTTPS field name: ApplicationProtectedAccount LEEF field name: ApplicationProtectedAccount |
application.risk_of_app
(APPLICATION - RISK OF APP)
| The risk score of the application associated with the event. CEF field name: PanOSApplicationRiskofApp EMAIL field name: ApplicationRiskOfApp HTTPS field name: ApplicationRiskOfApp LEEF field name: ApplicationRiskOfApp |
application.source
(APPLICATION - SOURCE)
| The source of the application; either Catalog - application from the
App-id catalog, or Custom - a private application stored at the
data center. CEF field name: PanOSApplicationSource EMAIL field name: ApplicationSource HTTPS field name: ApplicationSource LEEF field name: ApplicationSource |
application.username
(APPLICATION - USERNAME)
| The username that is used to log in to a specific application. CEF field name: PanOSApplicationUsername EMAIL field name: ApplicationUsername HTTPS field name: ApplicationUsername LEEF field name: ApplicationUsername |
batch_id
(BATCH ID)
| Identifier of the batch to which the event is associated. CEF field name: PanOSBatchID EMAIL field name: BatchID HTTPS field name: BatchID LEEF field name: BatchID |
browser_extension.app_launch_url
(BROWSER EXTENSION - APP LAUNCH URL)
| A URL that the extension can open from the Extensions screen. CEF field name: PanOSBrowserExtensionAppLaunchURL EMAIL field name: BrowserExtensionAppLaunchURL HTTPS field name: BrowserExtensionAppLaunchURL LEEF field name: BrowserExtensionAppLaunchURL |
browser_extension.available_launch_types
(BROWSER EXTENSION - AVAILABLE LAUNCH TYPES)
| The way the extension can handle new tab (for example, open as a new
tab, open a new window). CEF field name: PanOSBrowserExtensionAvailableLaunchTypes EMAIL field name: BrowserExtensionAvailableLaunchTypes HTTPS field name: BrowserExtensionAvailableLaunchTypes LEEF field name: BrowserExtensionAvailableLaunchTypes |
browser_extension.description
(BROWSER EXTENSION - DESCRIPTION)
| The description in the first row, as seen in the chrome extensions
store. CEF field name: PanOSBrowserExtensionDescription EMAIL field name: BrowserExtensionDescription HTTPS field name: BrowserExtensionDescription LEEF field name: BrowserExtensionDescription |
browser_extension.disabled_reason
(BROWSER EXTENSION - DISABLED REASON)
| The reason why the extension was disabled. CEF field name: PanOSBrowserExtensionDisabledReason EMAIL field name: BrowserExtensionDisabledReason HTTPS field name: BrowserExtensionDisabledReason LEEF field name: BrowserExtensionDisabledReason |
browser_extension.enabled
(BROWSER EXTENSION - ENABLED)
| The status of the extension that is enabled. CEF field name: PanOSBrowserExtensionEnabled EMAIL field name: BrowserExtensionEnabled HTTPS field name: BrowserExtensionEnabled LEEF field name: BrowserExtensionEnabled |
browser_extension.homepage_url
(BROWSER EXTENSION - HOMEPAGE URL)
| The extension page in the chrome extensions store. CEF field name: PanOSBrowserExtensionHomepageURL EMAIL field name: BrowserExtensionHomepageURL HTTPS field name: BrowserExtensionHomepageURL LEEF field name: BrowserExtensionHomepageURL |
browser_extension.host_permissions
(BROWSER EXTENSION - HOST PERMISSIONS)
| The web access permissions (URLs) of the extension. CEF field name: PanOSBrowserExtensionHostPermissions EMAIL field name: BrowserExtensionHostPermissions HTTPS field name: BrowserExtensionHostPermissions LEEF field name: BrowserExtensionHostPermissions |
browser_extension.id
(BROWSER EXTENSION - ID)
|
Enumeration integer assigned to the browser_extension field value.
CEF field name: PanOSBrowserExtensionID EMAIL field name: BrowserExtensionID HTTPS field name: BrowserExtensionID LEEF field name: BrowserExtensionID |
browser_extension.install_type
(BROWSER EXTENSION - INSTALL TYPE)
| The installation type of the extension. CEF field name: PanOSBrowserExtensionInstallType EMAIL field name: BrowserExtensionInstallType HTTPS field name: BrowserExtensionInstallType LEEF field name: BrowserExtensionInstallType |
browser_extension.is_app
(BROWSER EXTENSION - IS APP)
| Identifies if the browser extension is an application or an
extension. CEF field name: PanOSBrowserExtensionIsApp EMAIL field name: BrowserExtensionIsApp HTTPS field name: BrowserExtensionIsApp LEEF field name: BrowserExtensionIsApp |
browser_extension.launch_type
(BROWSER EXTENSION - LAUNCH TYPE)
| The way the extension will handle new tab (for example, open as a
new tab, open a new window). CEF field name: PanOSBrowserExtensionLaunchType EMAIL field name: BrowserExtensionLaunchType HTTPS field name: BrowserExtensionLaunchType LEEF field name: BrowserExtensionLaunchType |
browser_extension.may_disable
(BROWSER EXTENSION - MAY DISABLE)
| Indicates whether the extension can be disabled. CEF field name: PanOSBrowserExtensionMayDisable EMAIL field name: BrowserExtensionMayDisable HTTPS field name: BrowserExtensionMayDisable LEEF field name: BrowserExtensionMayDisable |
browser_extension.name
(BROWSER EXTENSION - NAME)
| The public name of the browser extension. CEF field name: PanOSBrowserExtensionName EMAIL field name: BrowserExtensionName HTTPS field name: BrowserExtensionName LEEF field name: BrowserExtensionName |
browser_extension.offline_enabled
(BROWSER EXTENSION - OFFLINE ENABLED)
| The offline mode status of the browser extension. CEF field name: PanOSBrowserExtensionOfflineEnabled EMAIL field name: BrowserExtensionOfflineEnabled HTTPS field name: BrowserExtensionOfflineEnabled LEEF field name: BrowserExtensionOfflineEnabled |
browser_extension.options_url
(BROWSER EXTENSION - OPTIONS URL)
| The URL for the item's options page, if available. CEF field name: PanOSBrowserExtensionOptionsURL EMAIL field name: BrowserExtensionOptionsURL HTTPS field name: BrowserExtensionOptionsURL LEEF field name: BrowserExtensionOptionsURL |
browser_extension.permissions
(BROWSER EXTENSION - PERMISSIONS)
| The browser API permissions for the extension. CEF field name: PanOSBrowserExtensionPermissions EMAIL field name: BrowserExtensionPermissions HTTPS field name: BrowserExtensionPermissions LEEF field name: BrowserExtensionPermissions |
browser_extension.short_name
(BROWSER EXTENSION - SHORT NAME)
| The abbreviated name of the extension. CEF field name: PanOSBrowserExtensionShortName EMAIL field name: BrowserExtensionShortName HTTPS field name: BrowserExtensionShortName LEEF field name: BrowserExtensionShortName |
browser_extension.type
(BROWSER EXTENSION - TYPE)
| The type of extension (public, private). CEF field name: PanOSBrowserExtensionType EMAIL field name: BrowserExtensionType HTTPS field name: BrowserExtensionType LEEF field name: BrowserExtensionType |
browser_extension.update_url
(BROWSER EXTENSION - UPDATE URL)
| Unique URL used to grab extension updates. CEF field name: PanOSBrowserExtensionUpdateURL EMAIL field name: BrowserExtensionUpdateURL HTTPS field name: BrowserExtensionUpdateURL LEEF field name: BrowserExtensionUpdateURL |
browser_extension.version
(BROWSER EXTENSION - VERSION)
| Current version of the extension. CEF field name: PanOSBrowserExtensionVersion EMAIL field name: BrowserExtensionVersion HTTPS field name: BrowserExtensionVersion LEEF field name: BrowserExtensionVersion |
certificate.created_time
(CERTIFICATE - CREATED TIME)
| The time stamp when the certificate was created. CEF field name: PanOSCertificateCreatedTime EMAIL field name: CertificateCreatedTime HTTPS field name: CertificateCreatedTime LEEF field name: CertificateCreatedTime |
certificate.expiration_time
(CERTIFICATE - EXPIRATION TIME)
| The expiry time stamp of the certificate. CEF field name: PanOSCertificateExpirationTime EMAIL field name: CertificateExpirationTime HTTPS field name: CertificateExpirationTime LEEF field name: CertificateExpirationTime |
certificate.fingerprints
(CERTIFICATE - FINGERPRINTS)
| Certificate's fingerprint (HASH) and its public key. CEF field name: PanOSCertificateFingerprints EMAIL field name: CertificateFingerprints HTTPS field name: CertificateFingerprints LEEF field name: CertificateFingerprints |
certificate.issuer
(CERTIFICATE - ISSUER)
| The issuer of the certificate. CEF field name: PanOSCertificateIssuer EMAIL field name: CertificateIssuer HTTPS field name: CertificateIssuer LEEF field name: CertificateIssuer |
certificate.serial_number
(CERTIFICATE - SERIAL NUMBER)
| The serial number of the certificate. CEF field name: PanOSCertificateSerialNumber EMAIL field name: CertificateSerialNumber HTTPS field name: CertificateSerialNumber LEEF field name: CertificateSerialNumber |
certificate.subject
(CERTIFICATE - SUBJECT)
| Certificate's common name or organization name. CEF field name: PanOSCertificateSubject EMAIL field name: CertificateSubject HTTPS field name: CertificateSubject LEEF field name: CertificateSubject |
classification.category
(CLASSIFICATION - CATEGORY)
| Event category- initial classification for Prisma Access Browser
events. CEF field name: PanOSClassificationCategory EMAIL field name: ClassificationCategory HTTPS field name: ClassificationCategory LEEF field name: ClassificationCategory |
classification.malicious_categories
(CLASSIFICATION - MALICIOUS CATEGORIES)
| List of the relevant malicious categories (phishing, malware, etc). CEF field name: PanOSClassificationMaliciousCategories EMAIL field name: ClassificationMaliciousCategories HTTPS field name: ClassificationMaliciousCategories LEEF field name: ClassificationMaliciousCategories |
classification.mitre
(CLASSIFICATION - MITRE)
| List of the relevant MITRE attack techniques. CEF field name: PanOSClassificationMITRE EMAIL field name: ClassificationMITRE HTTPS field name: ClassificationMITRE LEEF field name: ClassificationMITRE |
classification.reputation
(CLASSIFICATION - REPUTATION)
| The site reputation: Ok, Moderate, or Danger. CEF field name: PanOSClassificationReputation EMAIL field name: ClassificationReputation HTTPS field name: ClassificationReputation LEEF field name: ClassificationReputation |
classification.security_compliance
(CLASSIFICATION - SECURITY COMPLIANCE)
| List of compliance standards relevant for the end user activity. CEF field name: PanOSClassificationSecurityCompliance EMAIL field name: ClassificationSecurityCompliance HTTPS field name: ClassificationSecurityCompliance LEEF field name: ClassificationSecurityCompliance |
classification.severity
(CLASSIFICATION - SEVERITY )
| Severity of the activity. CEF field name: PanOSClassificationSeverity EMAIL field name: ClassificationSeverity HTTPS field name: ClassificationSeverity LEEF field name: ClassificationSeverity |
clipboard.from_url
(CLIPBOARD - FROM URL)
| The tab URL from which data was copied to the clipboard. CEF field name: PanOSClipboardFromURL EMAIL field name: ClipboardFromURL HTTPS field name: ClipboardFromURL LEEF field name: ClipboardFromURL |
clipboard.selected_element
(CLIPBOARD - SELECTED ELEMENT)
| Unique website element identifier. CEF field name: PanOSClipboardSelectedElement EMAIL field name: ClipboardSelectedElement HTTPS field name: ClipboardSelectedElement LEEF field name: ClipboardSelectedElement |
content.categories
(CONTENT - CATEGORIES)
| List of categories matched for the content. CEF field name: PanOSContentCategories EMAIL field name: ContentCategories HTTPS field name: ContentCategories LEEF field name: ContentCategories |
content.length_bytes
(CONTENT - LENGTH BYTES)
| File size in bytes. CEF field name: PanOSContentLengthBytes EMAIL field name: ContentLengthBytes HTTPS field name: ContentLengthBytes LEEF field name: ContentLengthBytes |
content.mip_matched_label
(CONTENT - MIP MATCHED LABEL)
| MIP matched label on content, if applicable. CEF field name: PanOSContentMIPMatchedLabel EMAIL field name: ContentMIPMatchedLabel HTTPS field name: ContentMIPMatchedLabel LEEF field name: ContentMIPMatchedLabel |
content.scan_engine
(CONTENT - SCAN ENGINE)
| Engine used to scan content. CEF field name: PanOSContentScanEngine EMAIL field name: ContentScanEngine HTTPS field name: ContentScanEngine LEEF field name: ContentScanEngine |
content.sensitive_data_categories
(CONTENT - SENSITIVE DATA CATEGORIES)
| Content sensitive category or categories (if applicable). CEF field name: PanOSContentSensitiveDataCategories EMAIL field name: ContentSensitiveDataCategories HTTPS field name: ContentSensitiveDataCategories LEEF field name: ContentSensitiveDataCategories |
content.source_element_selector
(CONTENT - SOURCE ELEMENT SELECTOR)
| Type of element that was selected. CEF field name: PanOSContentSourceElementSelector EMAIL field name: ContentSourceElementSelector HTTPS field name: ContentSourceElementSelector LEEF field name: ContentSourceElementSelector |
content.source_url
(CONTENT - SOURCE URL)
| The URL from which the element was selected. CEF field name: PanOSContentSourceURL EMAIL field name: ContentSourceURL HTTPS field name: ContentSourceURL LEEF field name: ContentSourceURL |
customer_id
(TENANT ID) | The ID that uniquely identifies the
instance which received this log record. CEF field name: PanOSCortexDataLakeTenantID EMAIL field name: CortexDataLakeTenantID HTTPS field name: CortexDataLakeTenantID LEEF field name: CortexDataLakeTenantID |
device.browser_brand
(DEVICE - BROWSER BRAND)
| Browser brand (Prisma Access Browser, Chrome, Edge, etc.), mostly
relevant for Prisma Access Browser extension offering. CEF field name: PanOSDeviceBrowserBrand EMAIL field name: DeviceBrowserBrand HTTPS field name: DeviceBrowserBrand LEEF field name: DeviceBrowserBrand |
device.browser_type
(DEVICE - BROWSER TYPE)
| Browser type (Enterprise browser, Mobile, Extension only). CEF field name: PanOSDeviceBrowserType EMAIL field name: DeviceBrowserType HTTPS field name: DeviceBrowserType LEEF field name: DeviceBrowserType |
device.browser_version
(DEVICE - BROWSER VERSION)
| Browser version (of the specific used browser type) at the time of
the event. CEF field name: PanOSDeviceBrowserVersion EMAIL field name: DeviceBrowserVersion HTTPS field name: DeviceBrowserVersion LEEF field name: DeviceBrowserVersion |
device.device_uuid
(DEVICE - UUID )
| Unique endpoint device identifier. CEF field name: PanOSDeviceUUID EMAIL field name: DeviceUUID HTTPS field name: DeviceUUID LEEF field name: DeviceUUID |
device.device_version
(DEVICE - VERSION)
| The version of the endpoint device. CEF field name: PanOSDeviceVersion EMAIL field name: DeviceVersion HTTPS field name: DeviceVersion LEEF field name: DeviceVersion |
device.disk_encryption_status
(DEVICE - DISK ENCRYPTION STATUS)
| Disk encryption status of endpoint device system
(enabled/disabled/unknown). CEF field name: PanOSDeviceDiskEncryptionStatus EMAIL field name: DeviceDiskEncryptionStatus HTTPS field name: DeviceDiskEncryptionStatus LEEF field name: DeviceDiskEncryptionStatus |
device.epp_status
(DEVICE - EPP STATUS)
| Endpoint protection status of endpoint device
(enabled/disabled/unknown). CEF field name: PanOSDeviceEPPStatus EMAIL field name: DeviceEPPStatus HTTPS field name: DeviceEPPStatus LEEF field name: DeviceEPPStatus |
device.extension_version
(DEVICE - EXTENSION VERSION)
| Prisma Access Browser extension version at the time of event
(Enterprise browser extension). CEF field name: PanOSDeviceExtensionVersion EMAIL field name: DeviceExtensionVersion HTTPS field name: DeviceExtensionVersion LEEF field name: DeviceExtensionVersion |
device.firewall_status
(DEVICE - FIREWALL STATUS)
| Firewall status of endpoint device (enabled/disabled/unknown). CEF field name: PanOSDeviceFirewallStatus EMAIL field name: DeviceFirewallStatus HTTPS field name: DeviceFirewallStatus LEEF field name: DeviceFirewallStatus |
device.geoip_from_city_name
(DEVICE - GEO IP FROM CITY NAME)
| Device location of endpoint; city- UI name. CEF field name: PanOSDeviceGeoIPFromCityName EMAIL field name: DeviceGeoIPFromCityName HTTPS field name: DeviceGeoIPFromCityName LEEF field name: DeviceGeoIPFromCityName |
device.geoip_from_country_name
(DEVICE - GEO IP FROM COUNTRY NAME)
| Device location of endpoint; country - UI name. CEF field name: PanOSDeviceGeoIPFromCountryName EMAIL field name: DeviceGeoIPFromCountryName HTTPS field name: DeviceGeoIPFromCountryName LEEF field name: DeviceGeoIPFromCountryName |
device.geoip_from_location_latitude
(DEVICE - GEO IP FROM LOCATION LATITUDE)
| Device location of endpoint - geoIP latitude. CEF field name: PanOSDeviceGeoIPFromLocationLatitude EMAIL field name: DeviceGeoIPFromLocationLatitude HTTPS field name: DeviceGeoIPFromLocationLatitude LEEF field name: DeviceGeoIPFromLocationLatitude |
device.geoip_from_location_longitude
(DEVICE - GEO IP FROM LOCATION LONGITUDE)
| Device location of endpoint - geoIP longitude. CEF field name: PanOSDeviceGeoIPFromLocationLongitude EMAIL field name: DeviceGeoIPFromLocationLongitude HTTPS field name: DeviceGeoIPFromLocationLongitude LEEF field name: DeviceGeoIPFromLocationLongitude |
device.groups.ids
(DEVICE - GROUPS IDS)
| List of device groups IDs associated with the device, at time of
event. CEF field name: PanOSDeviceGroupsIDs EMAIL field name: DeviceGroupsIDs HTTPS field name: DeviceGroupsIDs LEEF field name: DeviceGroupsIDs |
device.groups.names
(DEVICE - GROUPS NAMES)
| List of device groups names associated with the device, at time of
event. CEF field name: PanOSDeviceGroupsNames EMAIL field name: DeviceGroupsNames HTTPS field name: DeviceGroupsNames LEEF field name: DeviceGroupsNames |
device.hostname
(DEVICE - HOSTNAME)
| Prisma Access Browser endpoint name. CEF field name: PanOSDeviceHostname EMAIL field name: DeviceHostname HTTPS field name: DeviceHostname LEEF field name: DeviceHostname |
device.ip_address
(DEVICE - IP ADDRESS)
| External IP address of the device. CEF field name: PanOSDeviceIPAddress EMAIL field name: DeviceIPAddress HTTPS field name: DeviceIPAddress LEEF field name: DeviceIPAddress |
device.mac_addresses
(DEVICE - MAC ADDRESSES)
| MAC address of the endpoint device. CEF field name: PanOSMACAddresses EMAIL field name: DeviceMACAddresses HTTPS field name: DeviceMACAddresses LEEF field name: DeviceMACAddresses |
device.model
(DEVICE - MODEL)
| Endpoint device model. CEF field name: PanOSDeviceModel EMAIL field name: DeviceModel HTTPS field name: DeviceModel LEEF field name: DeviceModel |
device.os.android.build
(DEVICE - OS ANDROID BUILD)
| Android build version of endpoint device (if relevant). CEF field name: PanOSDeviceOSAndroidBuild EMAIL field name: DeviceOSAndroidBuild HTTPS field name: DeviceOSAndroidBuild LEEF field name: DeviceOSAndroidBuild |
device.os.android.patch
(DEVICE - OS ANDROID PATCH)
| Android patch version of endpoint device (if relevant). CEF field name: PanOSDeviceOSAndroidPatch EMAIL field name: DeviceOSAndroidPatch HTTPS field name: DeviceOSAndroidPatch LEEF field name: DeviceOSAndroidPatch |
device.os.android.release
(DEVICE - OS ANDROID RELEASE)
| Android release version of endpoint device (if relevant). CEF field name: PanOSDeviceOSAndroidRelease EMAIL field name: DeviceOSAndroidRelease HTTPS field name: DeviceOSAndroidRelease LEEF field name: DeviceOSAndroidRelease |
device.os.android.sdk
(DEVICE - OS ANDROID SDK)
| Android sdk version of endpoint device (if relevant). CEF field name: PanOSDeviceOSAndroidSDK EMAIL field name: DeviceOSAndroidSDK HTTPS field name: DeviceOSAndroidSDK LEEF field name: DeviceOSAndroidSDK |
device.os.ios.major
(DEVICE - OS IOS MAJOR)
| Major version of iOS of endpoint device (if relevant). CEF field name: PanOSDeviceOSiOSMajor EMAIL field name: DeviceOSiOSMajor HTTPS field name: DeviceOSiOSMajor LEEF field name: DeviceOSiOSMajor |
device.os.ios.minor
(DEVICE - OS IOS MINOR)
| Minor version of iOS of endpoint device (if relevant). CEF field name: PanOSDeviceOSiOSMinor EMAIL field name: DeviceOSiOSMinor HTTPS field name: DeviceOSiOSMinor LEEF field name: DeviceOSiOSMinor |
device.os.ios.patch
(DEVICE - OS IOS PATCH)
| iOS patch version of endpoint device (if relevant). CEF field name: PanOSDeviceOSiOSPatch EMAIL field name: DeviceOSiOSPatch HTTPS field name: DeviceOSiOSPatch LEEF field name: DeviceOSiOSPatch |
device.os.macos.bugfix
(DEVICE - OS MACOS BUGFIX)
| Bug fix version of macOS for endpoint device (if relevant). CEF field name: PanOSDeviceOSmacOSBugfix EMAIL field name: DeviceOSmacOSBugfix HTTPS field name: DeviceOSmacOSBugfix LEEF field name: DeviceOSmacOSBugfix |
device.os.macos.build
(DEVICE - OS MACOS BUILD)
| macOS build version of endpoint device (if relevant). CEF field name: PanOSDeviceOSmacOSBuild EMAIL field name: DeviceOSmacOSBuild HTTPS field name: DeviceOSmacOSBuild LEEF field name: DeviceOSmacOSBuild |
device.os.macos.major
(DEVICE - OS MACOS MAJOR)
| Major version of macOS (if relevant). CEF field name: PanOSDeviceOSmacOSMajor EMAIL field name: DeviceOSmacOSMajor HTTPS field name: DeviceOSmacOSMajor LEEF field name: DeviceOSmacOSMajor |
device.os.macos.minor
(DEVICE - OS MACOS MINOR)
| Minor version of macOS (if relevant). CEF field name: PanOSDeviceOSmacOSMinor EMAIL field name: DeviceOSmacOSMinor HTTPS field name: DeviceOSmacOSMinor LEEF field name: DeviceOSmacOSMinor |
device.os.macos.server
(DEVICE - OS MACOS SERVER)
| macOS server name of endpoint device (if relevant). CEF field name: PanOSDeviceOSmacOSServer EMAIL field name: DeviceOSmacOSServer HTTPS field name: DeviceOSmacOSServer LEEF field name: DeviceOSmacOSServer |
device.os.type
(DEVICE - OS TYPE)
| Operating system of the endpoint device. CEF field name: PanOSDeviceOSType EMAIL field name: DeviceOSType HTTPS field name: DeviceOSType LEEF field name: DeviceOSType |
device.os.windows.build
(DEVICE - OS WINDOWS BUILD)
| Windows build version of endpoint device (if relevant). CEF field name: PanOSDeviceOSWindowsBuild EMAIL field name: DeviceOSWindowsBuild HTTPS field name: DeviceOSWindowsBuild LEEF field name: DeviceOSWindowsBuild |
device.os.windows.major
(DEVICE - OS WINDOWS MAJOR)
| Windows major version of endpoint device (if relevant). CEF field name: PanOSDeviceOSWindowsMajor EMAIL field name: DeviceOSWindowsMajor HTTPS field name: DeviceOSWindowsMajor LEEF field name: DeviceOSWindowsMajor |
device.os.windows.minor
(DEVICE - OS WINDOWS MINOR)
| Windows minor version of endpoint device (if relevant). CEF field name: PanOSDeviceOSWindowsMinor EMAIL field name: DeviceOSWindowsMinor HTTPS field name: DeviceOSWindowsMinor LEEF field name: DeviceOSWindowsMinor |
device.os.windows.patch
(DEVICE - OS WINDOWS PATCH)
| Windows patch version of endpoint device (if relevant). CEF field name: PanOSDeviceOSWindowsPatch EMAIL field name: DeviceOSWindowsPatch HTTPS field name: DeviceOSWindowsPatch LEEF field name: DeviceOSWindowsPatch |
device.os.windows.product
(DEVICE - OS WINDOWS PRODUCT)
| Windows product name of endpoint device (if relevant). . CEF field name: PanOSDeviceOSWindowsProduct EMAIL field name: DeviceOSWindowsProduct HTTPS field name: DeviceOSWindowsProduct LEEF field name: DeviceOSWindowsProduct |
device.os_display_name
(DEVICE - OS DISPLAY NAME)
| Display name of operating system of endpoint device. CEF field name: PanOSDeviceOSDisplayName EMAIL field name: DeviceOSDisplayName HTTPS field name: DeviceOSDisplayName LEEF field name: DeviceOSDisplayName |
device.raw_universal_id
(DEVICE - RAW UNIVERSAL ID)
| Unique identifier for endpoint device. CEF field name: PanOSDeviceRawUniversalID EMAIL field name: DeviceRawUniversalID HTTPS field name: DeviceRawUniversalID LEEF field name: DeviceRawUniversalID |
device.screen_lock_status
(DEVICE - SCREEN LOCK STATUS)
| Screen lock status of endpoint device (enabled/disabled/unknown). CEF field name: PanOSDeviceScreenLockStatus EMAIL field name: DeviceScreenLockStatus HTTPS field name: DeviceScreenLockStatus LEEF field name: DeviceScreenLockStatus |
device.serial_number
(DEVICE - SERIAL NUMBER)
| Serial number assigned by the manufacturer to an endpoint device. CEF field name: PanOSDeviceSerialNumber EMAIL field name: DeviceSerialNumber HTTPS field name: DeviceSerialNumber LEEF field name: DeviceSerialNumber |
device.type
(DEVICE - TYPE)
| Device type of endpoint device
(desktop/laptop/mobile/server/tablet). CEF field name: PanOSDeviceType EMAIL field name: DeviceType HTTPS field name: DeviceType LEEF field name: DeviceType |
device.user_agent
(DEVICE - USER AGENT)
| Identifies browser type. CEF field name: PanOSDeviceUserAgent EMAIL field name: DeviceUserAgent HTTPS field name: DeviceUserAgent LEEF field name: DeviceUserAgent |
file.extension
(FILE - EXTENSION)
| The file type of the event. CEF field name: PanOSFileExtension EMAIL field name: FileExtension HTTPS field name: FileExtension LEEF field name: FileExtension |
file.is_encrypted
(FILE - IS ENCRYPTED)
| The file encryption status of the event. CEF field name: PanOSFileIsEncrypted EMAIL field name: FileIsEncrypted HTTPS field name: FileIsEncrypted LEEF field name: FileIsEncrypted |
file.local_path
(FILE - LOCAL PATH)
| The file's selected path on the disk of the endpoint device. CEF field name: PanOSFileLocalPath EMAIL field name: FileLocalPath HTTPS field name: FileLocalPath LEEF field name: FileLocalPath |
file.mime_type
(FILE - MIME TYPE)
| The event's file MIME type (for example, HTML, JPEG, MPEG, and so
on.). CEF field name: PanOSFileMimeType EMAIL field name: FileMimeType HTTPS field name: FileMimeType LEEF field name: FileMimeType |
file.name
(FILE - NAME)
| The file name of the event. CEF field name: PanOSFileName EMAIL field name: FileName HTTPS field name: FileName LEEF field name: FileName |
file.operation
(FILE - OPERATION)
| File handling operation (for example, download, upload, etc.). CEF field name: PanOSFileOperation EMAIL field name: FileOperation HTTPS field name: FileOperation LEEF field name: FileOperation |
file.origin_download_url
(FILE - ORIGIN DOWNLOAD URL)
| URL of the event's source file. CEF field name: PanOSFileOriginDownloadURL EMAIL field name: FileOriginDownloadURL HTTPS field name: FileOriginDownloadURL LEEF field name: FileOriginDownloadURL |
file.sha256
(FILE - SHA256)
| File hash of the event. CEF field name: PanOSFileSHA256 EMAIL field name: FileSHA256 HTTPS field name: FileSHA256 LEEF field name: FileSHA256 |
file.url
(FILE - URL)
| The associated URL of the event when handling files. CEF field name: PanOSFileURL EMAIL field name: FileURL HTTPS field name: FileURL LEEF field name: FileURL |
log_source
(LOG SOURCE)
| Identifies the system that produced the data. CEF field name: PanOSLogSource EMAIL field name: LogSource HTTPS field name: LogSource LEEF field name: LogSource |
log_source_group_id
(LOG SOURCE GROUP ID)
| ID that uniquely identifies the logSourceGroupId of the log group. CEF field name: PanOSLogSourceGroupID EMAIL field name: LogSourceGroupID HTTPS field name: LogSourceGroupID LEEF field name: LogSourceGroupID |
log_source_id
(DEVICE SN)
|
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
CEF field name: deviceExternalID EMAIL field name: DeviceSN HTTPS field name: DeviceSN LEEF field name: DeviceSN |
log_source_name
(DEVICE NAME)
|
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
CEF field name: dvchost EMAIL field name: DeviceName HTTPS field name: DeviceName LEEF field name: DeviceName |
log_time
(TIME RECEIVED)
| Time the log was received in . This is
populated by the platform. CEF field name: rt EMAIL field name: TimeReceived HTTPS field name: TimeReceived LEEF field name: TimeReceived |
log_type.value
(LOG TYPE)
|
Identifies the log type.
CEF field name: Device Event Class ID EMAIL field name: LogType HTTPS field name: LogType LEEF field name: cat |
network.classifications
(NETWORK - CLASSIFICATIONS)
| Web classification of the website associated with the event. CEF field name: PanOSNetworkClassifications EMAIL field name: NetworkClassifications HTTPS field name: NetworkClassifications LEEF field name: NetworkClassifications |
network.frame_url
(NETWORK - FRAME URL)
| The URL of the frame within the website (iframe scenario). CEF field name: PanOSNetworkFrameURL EMAIL field name: NetworkFrameURL HTTPS field name: NetworkFrameURL LEEF field name: NetworkFrameURL |
network.http.method
(NETWORK - HTTP METHOD)
| HTTP methods (GET, POST, etc) used in the event. CEF field name: PanOSNetworkHTTPMethod EMAIL field name: NetworkHTTPMethod HTTPS field name: NetworkHTTPMethod LEEF field name: NetworkHTTPMethod |
network.http.status
(NETWORK - HTTP STATUS)
| HTTP status codes (200, 404, etc.) associated with the event. CEF field name: PanOSNetworkHTTPStatus EMAIL field name: NetworkHTTPStatus HTTPS field name: NetworkHTTPStatus LEEF field name: NetworkHTTPStatus |
network.protocol
(NETWORK - PROTOCOL)
| Protocol used for the event. CEF field name: PanOSNetworkProtocol EMAIL field name: NetworkProtocol HTTPS field name: NetworkProtocol LEEF field name: NetworkProtocol |
network.tab_url
(NETWORK - TAB URL )
| The tab URL of the associated event. CEF field name: PanOSNetworkTabURL EMAIL field name: NetworkTabURL HTTPS field name: NetworkTabURL LEEF field name: NetworkTabURL |
network.url
(NETWORK - URL)
| The URL of the event on which the rule was enforced. CEF field name: PanOSNetworkURL EMAIL field name: NetworkURL HTTPS field name: NetworkURL LEEF field name: NetworkURL |
page.capture.is_secure_screenshot
(PAGE - CAPTURE IS SECURE SCREENSHOT)
| Identifies whether screenshot was made by the secure screenshot
capability (T/F). CEF field name: PanOSPageCaptureIsSecureScreenshot EMAIL field name: PageCaptureIsSecureScreenshot HTTPS field name: PageCaptureIsSecureScreenshot LEEF field name: PageCaptureIsSecureScreenshot |
page.capture.triggered_by_url
(PAGE - CAPTURE TRIGGERED BY URL)
| Identifies whether screenshot was made by the web page or not. CEF field name: PanOSPageCaptureTriggeredByURL EMAIL field name: PageCaptureTriggeredByURL HTTPS field name: PageCaptureTriggeredByURL LEEF field name: PageCaptureTriggeredByURL |
page.devtools.block_reason
(PAGE - DEVTOOLS BLOCK REASON)
| The reason for which dev tools access was blocked (such as data
masking, typing guard, watermark). CEF field name: PanOSPageDevtoolsBlockReason EMAIL field name: PageDevtoolsBlockReason HTTPS field name: PageDevtoolsBlockReason LEEF field name: PageDevtoolsBlockReason |
page.title
(PAGE - TITLE)
| The title of the web page or tab. CEF field name: PanOSPageTitle EMAIL field name: PageTitle HTTPS field name: PageTitle LEEF field name: PageTitle |
pincode.failed_attempts
(PINCODE - FAILED ATTEMPTS)
| Number of failed PIN Code attempts. CEF field name: PanOSPincodeFailedAttempts EMAIL field name: PincodeFailedAttempts HTTPS field name: PincodeFailedAttempts LEEF field name: PincodeFailedAttempts |
pincode.registration_time
(PINCODE - REGISTRATION TIME)
| Timestamp of the last failed attempt in which PIN Code was inserted. CEF field name: PanOSPincodeRegistrationTime EMAIL field name: PincodeRegistrationTime HTTPS field name: PincodeRegistrationTime LEEF field name: PincodeRegistrationTime |
platform_type
(PLATFORM TYPE)
|
The platform type (Valid types are PRISMA_ACCESS, CNGFW, VM, HWFW).
CEF field name: PlatformType EMAIL field name: PlatformType HTTPS field name: PlatformType LEEF field name: PlatformType |
policy.action
(POLICY - ACTION)
| The action taken by the policy on the endpoint activity. CEF field name: PanOSPolicyAction EMAIL field name: PolicyAction HTTPS field name: PolicyAction LEEF field name: PolicyAction |
policy.block_reason
(POLICY - BLOCK REASON)
| Reason for which the action was blocked. CEF field name: PanOSPolicyBlockReason EMAIL field name: PolicyBlockReason HTTPS field name: PolicyBlockReason LEEF field name: PolicyBlockReason |
policy.bypass_reason
(POLICY - BYPASS REASON)
| Reason provided by the end user to bypass a blocked action (one of a
list of options). CEF field name: PanOSPolicyBypassReason EMAIL field name: PolicyBypassReason HTTPS field name: PolicyBypassReason LEEF field name: PolicyBypassReason |
policy.is_monitor
(POLICY - IS MONITOR)
| Identifies whether the event was generated of a monitoring rule
(T/F). CEF field name: PanOSPolicyIsMonitor EMAIL field name: PolicyIsMonitor HTTPS field name: PolicyIsMonitor LEEF field name: PolicyIsMonitor |
policy.is_session_recorded
(POLICY - IS SESSION RECORDED)
| Identifies whether the event has a video recording. CEF field name: PanOSPolicyIsSessionRecorded EMAIL field name: PolicyIsSessionRecorded HTTPS field name: PolicyIsSessionRecorded LEEF field name: PolicyIsSessionRecorded |
policy.rule_description
(POLICY - RULE DESCRIPTION)
| Description of the rule that generated the event. CEF field name: PanOSPolicyRuleDescription EMAIL field name: PolicyRuleDescription HTTPS field name: PolicyRuleDescription LEEF field name: PolicyRuleDescription |
policy.rule_id
(POLICY - RULE ID)
| ID of the rule that generated the event. CEF field name: PanOSPolicyRuleID EMAIL field name: PolicyRuleID HTTPS field name: PolicyRuleID LEEF field name: PolicyRuleID |
posture.block_reason
(POSTURE - BLOCK REASON)
| Specific reason of a block caused due to a posture misalignment. CEF field name: PanOSPostureBlockReason EMAIL field name: PostureBlockReason HTTPS field name: PostureBlockReason LEEF field name: PostureBlockReason |
posture.block_type
(POSTURE - BLOCK TYPE)
| Type of a block caused due to a posture misalignment. CEF field name: PanOSPostureBlockType EMAIL field name: PostureBlockType HTTPS field name: PostureBlockType LEEF field name: PostureBlockType |
posture.error
(POSTURE - ERROR)
| Specific posture check mechanism error. CEF field name: PanOSPostureError EMAIL field name: PostureError HTTPS field name: PostureError LEEF field name: PostureError |
print.printer_location
(PRINT - PRINTER LOCATION)
| Virtual name of the printer used as part of a printing activity (if
available). CEF field name: PanOSPrintPrinterLocation EMAIL field name: PrintPrinterLocation HTTPS field name: PrintPrinterLocation LEEF field name: PrintPrinterLocation |
print.printer_name
(PRINT - PRINTER NAME)
| Network name of the printer used as part of a printing activity. CEF field name: PanOSPrintPrinterName EMAIL field name: PrintPrinterName HTTPS field name: PrintPrinterName LEEF field name: PrintPrinterName |
process.cli_args
(PROESS - CLI ARGS)
| Arguments in which the exe was used to run via CLI. CEF field name: PanOSProcessCLIArgs EMAIL field name: ProcessCLIArgs HTTPS field name: ProcessCLIArgs LEEF field name: ProcessCLIArgs |
process.image_path
(PROCESS - IMAGE PATH)
| Path on disk of the browser executable. CEF field name: PanOSProcessImagePath EMAIL field name: ProcessImagePath HTTPS field name: ProcessImagePath LEEF field name: ProcessImagePath |
process.parent_process
(PROCESS - PARENT PROCESS)
| Process initiator of the browser. CEF field name: PanOSProcessParentProcess EMAIL field name: ProcessParentProcess HTTPS field name: ProcessParentProcess LEEF field name: ProcessParentProcess |
process.pid
(PROCESS - PID)
| Identifier of the current browser process. CEF field name: PanOSProcessPID EMAIL field name: ProcessPID HTTPS field name: ProcessPID LEEF field name: ProcessPID |
state.device_group_evaluation
(STATE - DEVICE GROUP EVALUATION)
| Device group evaluation based on device posture. CEF field name: PanOSStateDeviceGroupEvaluation EMAIL field name: StateDeviceGroupEvaluation HTTPS field name: StateDeviceGroupEvaluation LEEF field name: StateDeviceGroupEvaluation |
state.sign_in_rules
(STATE - SIGN IN RULES)
| Applicable sign-in rules. CEF field name: PanOSStateSignInRules EMAIL field name: StateSignInRules HTTPS field name: StateSignInRules LEEF field name: StateSignInRules |
sub_tenant_id
(SUBTENANT ID)
| Identifies the sub-tenant in which the log was generated. CEF field name: PanOSSubtenantID EMAIL field name: SubtenantID HTTPS field name: SubtenantID LEEF field name: SubtenantID |
tampering.type
(TAMPERING - TYPE)
| Type of detected tampering activity. CEF field name: PanOSTamperingType EMAIL field name: TamperingType HTTPS field name: TamperingType LEEF field name: TamperingType |
tenant_id
(TENANT ID)
| The tenant id. CEF field name: PanOSTenantID EMAIL field name: TenantID HTTPS field name: TenantID LEEF field name: TenantID |
time_generated
(TIME GENERATED)
|
Time the log was generated on the data plane in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: start EMAIL field name: TimeGenerated HTTPS field name: TimeGenerated LEEF field name: devTime |
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
|
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: PanOSTimeGeneratedHighResolution EMAIL field name: TimeGeneratedHighResolution HTTPS field name: TimeGeneratedHighResolution LEEF field name: TimeGeneratedHighResolution |
timestamp
(TIMESTAMP)
| Time the log was received in . CEF field name: PanOSTimestamp EMAIL field name: Timestamp HTTPS field name: Timestamp LEEF field name: Timestamp |
tsg_id
(TSG ID)
| The Tenant Service Group that uniquely identifies the instance which received this log
record. CEF field name: PanOSTSGID EMAIL field name: TSGID HTTPS field name: TSGID LEEF field name: TSGID |
user.email
(USER - EMAIL)
| Email address of the user that generated the event. CEF field name: PanOSUserEmail EMAIL field name: UserEmail HTTPS field name: UserEmail LEEF field name: UserEmail |
user.external_id
(USER - EXTERNAL ID)
| unique user identifier. CEF field name: PanOSUserExternalID EMAIL field name: UserExternalID HTTPS field name: UserExternalID LEEF field name: UserExternalID |
user.groups.ids
(USER - GROUPS IDS)
|
Enumeration integer assigned to the user.groups field value.
CEF field name: PanOSUserGroupsIDs EMAIL field name: UserGroupsIDs HTTPS field name: UserGroupsIDs LEEF field name: UserGroupsIDs |
user.groups.names
(USER - GROUPS NAMES)
| Unique user groups names associated with the user that generated the
event. CEF field name: PanOSUserGroupsNames EMAIL field name: UserGroupsNames HTTPS field name: UserGroupsNames LEEF field name: UserGroupsNames |
user.id
(USER ID)
|
Enumeration integer assigned to the user field value.
CEF field name: PanOSUserID EMAIL field name: UserID HTTPS field name: UserID LEEF field name: UserID |
user.name
(USER - NAME)
| Name of the user that generated the event. CEF field name: PanOSUserName EMAIL field name: UserName HTTPS field name: UserName LEEF field name: UserName |
user.tenant_external_id
(USER - TENANT EXTERNAL ID)
| External identifier of the tenant. CEF field name: PanOSUserTenantExternalID EMAIL field name: UserTenantExternalID HTTPS field name: UserTenantExternalID LEEF field name: UserTenantExternalID |
user.tenant_id
(USER - TENANT ID)
| Unique identifier of the tenant. CEF field name: PanOSUserTenantID EMAIL field name: UserTenantID HTTPS field name: UserTenantID LEEF field name: UserTenantID |
user.tenant_name
(USER - TENANT NAME)
| Name of the tenant. CEF field name: PanOSUserTenantName EMAIL field name: UserTenantName HTTPS field name: UserTenantName LEEF field name: UserTenantName |
user.tsg_id
(USER - TSG ID)
| Associated tsg ID of the specific user. CEF field name: PanOSUserTSGID EMAIL field name: UserTSGID HTTPS field name: UserTSGID LEEF field name: UserTSGID |
vendor_name
(VENDOR NAME)
|
Identifies the vendor that produced the data.
CEF field name: Device Vendor EMAIL field name: VendorName HTTPS field name: VendorName LEEF field name: Vendor |