Table of Contents
4.2 (EoS)
Expand all | Collapse all
-
- Set Up the Endpoint Infrastructure
- Activate Traps Licenses
-
- Endpoint Infrastructure Installation Considerations
- TLS/SSL Encryption for Traps Components
- Configure the MS-SQL Server Database
- Install the Endpoint Security Manager Server Software
- Install the Endpoint Security Manager Console Software
- Manage Proxy Communication with the Endpoint Security Manager
- Load Balance Traffic to ESM Servers
-
- Malware Protection Policy Best Practices
- Malware Protection Flow
- Manage Trusted Signers
-
- Remove an Endpoint from the Health Page
- Install an End-of-Life Traps Agent Version
-
-
- Traps Troubleshooting Resources
- Traps and Endpoint Security Manager Processes
- ESM Tech Support File
-
- Access Cytool
- View the Status of the Agent Using Cytool
- View Processes Currently Protected by Traps Using Cytool
- Manage Logging of Traps Components Using Cytool
- Restore a Quarantined File Using Cytool
- View Statistics for a Protected Process Using Cytool
- View Details About the Traps Local Analysis Module Using Cy...
- View Hash Details About a File Using Cytool
LEEF Format
The following table lists the events in LEEF format.
Event | LEEF Format |
|---|---|
AccessViolation | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Access Violation|cat=Threat subtype=Access
Violation devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"]
dst=@Model["AgentIp"] msg=Access Violation- @Model["TargetName"]:
@Model["TargetValue"] sev=@Model.ExternalSeverity |
AgentAuthenticationFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Agent Authentication Failed| cat=Agent
subtype=Agent Authentication Failed devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dst=@Model["AgentIp"]
msg=@Model["AgentIp"] authentication failed - @Model["FailureReason"]
sev=@Model.ExternalSeverity |
AgentContentUpdate | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Agent Content Update| cat=Agent
subtype=Agent Content Update devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"]
msg=@Model["host"] received new content- version @Model["ContentVersion"] sev=@Model.ExternalSeverity |
AgentPolicyChange | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Agent Policy Changed| cat=Agent
subtype=Agent Policy Changed devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"]
msg=Policy changed sev=@Model.ExternalSeverity |
AgentPolicyChangesFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Agent Policy Changes failed| cat=Agent
subtype=Agent Policy Changes failed devTime=@Model["Time"] src=@Model["EsmIp"]
dhost=@Model["host"] duser=@Model["user"] msg=New Policy Changes
Failed sev=@Model.ExternalSeverity |
ArchivedPreventionsFailure | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Preventions Archived Failed| cat=System subtype=Preventions
Archived Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=Archived preventions failed sev=@Model.ExternalSeverity |
ArchivedPreventions | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Preventions Archived| cat=System subtype=Preventions Archived
devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"]
shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"]
msg=@Model["totalPreventions"] preventions been archived sev=@Model.ExternalSeverity |
ClientInstall | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Agent Install|cat=Agent subtype=Agent
Install devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Agent
installed sev=@Model.ExternalSeverity |
ClientLicenseInvalid | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Client License Invalid| cat=Agent
subtype=Client License Invalid devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"]
msg=Invalid license sev=@Model.ExternalSeverity |
ClientLicenseRequest | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Client License Request| cat=Agent
subtype=Client License Request devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"]
msg=New license request sev=@Model.ExternalSeverity |
ClientUninstall | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Agent Uninstall|cat=Agent subtype=Agent
Uninstall devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Agent
uninstalled sev=@Model.ExternalSeverity |
ClientUpgrade | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Agent Upgrade|cat=Agent subtype=Agent
Upgrade devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Agent
upgraded sev=@Model.ExternalSeverity |
CommunicationsCheckWithProxy | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Communications Check With Proxy|cat=System subtype=Communications
Check With Proxy devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=Communications check with Proxy on host '@Model["host"]'.
Status: '@Model["message"]' sev=@Model.ExternalSeverity |
ConditionDeleted | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Condition Deleted| cat=Config subtype=Condition
Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=Condition ID: @Model["id"] was deleted
sev=@Model.ExternalSeverity |
ConditionEdited | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Condition Edited|cat=Config subtype=Condition
Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=Condition ID: @Model["id"] was added/changed. sev=@Model.ExternalSeverity |
ConfigurationChange | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Settings Change|cat=Config subtype=Settings
Change devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=@Model["Property"] has changed from @Model["OldValue"]
to @Model["NewValue"]. sev=@Model.ExternalSeverity |
DisabledProtection | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Protection Disabled| cat=Policy subtype=Protection Disabled
devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"]
shost=@Model["esmHost"] suser=@Model["user"] msg=Protection disabled
on all agents sev=@Model.ExternalSeverity |
EPMInitFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|EPM Init Failed|cat=Agent subtype=EPM
Init Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"]
msg=EPM @Model["EPM"] failed to initialize sev=@Model.ExternalSeverity |
EnabledProtection | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Protection Enabled| cat=Policy subtype=Protection Enabled
devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"]
shost=@Model["esmHost"] suser=@Model["user"] msg=Protection restored
on all agents sev=@Model.ExternalSeverity |
EsmConfigurationChange | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|ESM Configuration Change| cat=System
subtype=ESM Configuration Change devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"]
suser=@Model["user"] dhost=@Model["host"] msg=Multi ESM configurations
has changed sev=@Model.ExternalSeverity |
EsmStatusChange | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|ESM Status Change| cat=System subtype=ESM
Status Change devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=ESM status changed sev=@Model.ExternalSeverity |
FileUploadFailure | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|File Upload Failure| cat=System subtype=File
Upload Failure devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] dhost=@Model["host"]
duser=@Model["user"] fname=@Model["fileName"] msg=File failed to
upload sev=@Model.ExternalSeverity |
HashesImport | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Hashes Import|cat=Policy subtype=Hashes
Import devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
fileHash=@Model["Hash"] msg=@Model["Amount"] hashes were imported
sev=@Model.ExternalSeverity |
Heartbeat | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Heartbeat|cat=Agent subtype=Heartbeat devTimeFormat=MMM
dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"]
duser=@Model["user"] dst=@Model["AgentIp"] msg=Service is alive
sev=@Model.ExternalSeverity |
LicenseExpiration | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|License Expiration| cat=System subtype=License Expiration
devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"]
shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"]
msg=@Model["poolName"] licenses will expire in @Model["days"] days sev=@Model.ExternalSeverity |
LicensePoolAdded | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|License Pool Added| cat=System subtype=License
Pool Added devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=A pool of @Model["licenseCount"] licenses
of type @Model["licenseType"] have been added sev=@Model.ExternalSeverity |
LicenseQuantity | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|License Quantity|cat=System subtype=License
Quantity devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=Agent Licenses are running low sev=@Model.ExternalSeverity |
LicenseRevoked | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|License Revoked|cat=Config subtype=License
Revoked devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=Licenses revoked sev=@Model.ExternalSeverity |
LocalAnalysisFeatureExtractionFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]| Local Analysis Extraction Failed|cat=Agent subtype=Local
Analysis Extraction Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] ContentVersion=@Model["ContentVersion"]
msg=Local Analysis Feature Extraction Failed sev=@Model.ExternalSeverity |
LocalAnalysisModelUnavailable | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Local Analysis Model Unavailable|cat=System subtype=Local
Analysis Model Unavailable devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=Local Analysis Model Unavailable sev=@Model.ExternalSeverity |
LocalAnalysisModuleFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]| Local Analysis Module Failed|cat=Agent
subtype=Local Analysis Module Failed devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"]
duser=@Model["user"] msg=Add new module into Local Analysis- Failed
sev=@Model.ExternalSeverity |
LocalAnalysisModuleSucceeded | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]| Local Analysis Module Succeeded|cat=Agent subtype=Local
Analysis Module Succeeded devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] ModuleVersion=@Model["ModuleVersion"]
msg=Add new module into Local Analysis- Succeeded sev=@Model.ExternalSeverity |
MachineLicenseValidationFailed | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Machine License Validation Failed|cat=System subtype=Machine
License Validation Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=License Validation Failed sev=@Model.ExternalSeverity |
NewHash | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|New Hash Added|cat=Policy subtype=New
Hash Added devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=New
hash added sev=@Model.ExternalSeverity |
NotificationEvent | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Notification Event| cat=Threat subtype=Notification Event
devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"]
dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"] deviceProcessName=@Model["ProcessName"]
fileHash=@Model["Hash"] ContentVersion=@Model["ContentVersion"]
dst=@Model["AgentIp"] msg=New notification event. Prevention Key: @Model["preventionKey"]
sev=@Model.ExternalSeverity |
OneTimeActionComplete | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|One Time Action Complete| cat=Agent
subtype=One Time Action Complete devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"]
msg=One Time Action completed. Action Type=@Model["ActionType"].
Action ID=@Model["ActionID"] sev=@Model.ExternalSeverity |
OneTimeActionFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|One Time Action Failed| cat=Agent
subtype=One Time Action Failed devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"]
msg=One Time Action failed to run. Action Type=@Model["ActionType"]
sev=@Model.ExternalSeverity |
PostDetectionEvent | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Post Detection Event| cat=Threat
subtype=Post Detection Event devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"]
Module=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] dst=@Model["AgentIp"]
msg=New post detection event. Prevention Key: @Model["preventionKey"] ContentVersion=@Model["ContentVersion"]
sev=@Model.ExternalSeverity |
PreventionEvent | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Prevention Event|cat=Threat subtype=Prevention
Event devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"]
deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"]
dst=@Model["AgentIp"] msg=New prevention event. Prevention Key:
@Model["preventionKey"] ContentVersion=@Model["ContentVersion"] sev=@Model.ExternalSeverity |
ProcessCrashed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Process Crashed|cat=Agent subtype=Process
Crashed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Process
@Model["ProcessName"] had crashed sev=@Model.ExternalSeverity |
ProcessDeleted | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Process Deleted|cat=Config subtype=Process
Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
deviceProcessName=@Model["Name"] msg=Process was deleted sev=@Model.ExternalSeverity |
ProcessEdited | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Process Edited|cat=Config subtype=Process
Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
deviceProcessName=@Model.Data.ProcessFilename msg=Process was added/edited sev=@Model.ExternalSeverity |
ProcessInjectionTimedOut | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Process Injection Time Out| cat=Agent
subtype=Process Injection Time Out devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"]
msg=Injection Timeout sev=@Model.ExternalSeverity |
ProvisionalEvent | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Provisional Event| cat=Threat subtype=Provisional Event
devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"]
dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"] deviceProcessName=@Model["ProcessName"]
fileHash=@Model["Hash"] ContentVersion=@Model["ContentVersion"]
dst=@Model["AgentIp"] msg=New provisional event. Prevention Key: @Model["preventionKey"]
sev=@Model.ExternalSeverity |
PublisherChanged | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Trusted Signer Changed| cat=Policy
subtype=Trusted Signer Changed devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
fileHash=@Model["Hash"] msg=Hash @Model["Hash"] trusted signer changed
automatically from @Model["OldPublisher"] to @Model["NewPublisher"]
sev=@Model.ExternalSeverity |
QuarantineFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Quarantine Failed|cat=Agent subtype=Quarantine
Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=File
@Model["fileName"] could not be quarantined, reason: @Model["FailureReason"]
sev=@Model.ExternalSeverity |
QuarantineQuotaExceeded | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Quarantine Quota Exceeded| cat=Agent subtype=Quarantine
Quota Exceeded devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=File
@Model["fileName"] was permanently removed from the quarantine folder because
quota was exceeded sev=@Model.ExternalSeverity |
QuarantineSucceeded | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Quarantine Succeed| cat=Agent subtype=Quarantine Succeed
devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"]
dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"]
was quarantined successfully sev=@Model.ExternalSeverity |
ReportingServiceStartFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]| Reporting Service Start Failed|cat=Agent subtype=Failed
listening to Traps reporting service on @Model["host"] devTimeFormat=MMM
dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"]
duser=@Model["user"] msg=Reporting Service start failed. sev=@Model.ExternalSeverity |
RestoreFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Restore Failed|cat=Agent subtype=Restore
Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=File
@Model["fileName"] could not be restored, reason: @Model["FailureReason"]
sev=@Model.ExternalSeverity |
RestoreSucceeded | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Restore Succeeded|cat=Agent subtype=Restore
Succeeded devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=File
@Model["fileName"] restored successfully sev=@Model.ExternalSeverity |
RestrictionSettingsEdited | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Restriction Settings Edited| cat=Config subtype=Restriction
Settings Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=Restriction Settings were added/changed sev=@Model.ExternalSeverity |
RoleDeleted | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Role Deleted|cat=Config subtype=Role
Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=Role @Model["Name"] was deleted sev=@Model.ExternalSeverity |
RoleEdited | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Role Edited|cat=Config subtype=Role
Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=Role @Model.Data.Name was added\changed sev=@Model.ExternalSeverity |
RoleStatusChanged | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Role Status Changed| cat=Config subtype=Role
Status Changed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=Role @Model["Name"] status was changed to @Model["Status"] sev=@Model.ExternalSeverity |
RuleDeleted | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Rule Deleted|cat=Policy subtype=Rule
Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
rule=@Model["id"] msg=Rule @Model["id"]: Deleted sev=@Model.ExternalSeverity |
RuleEdited | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Rule Edited|cat=Policy subtype=Rule
Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
rule=@Model.Data.Id msg=Rule @Model.Data.Id: Edited sev=@Model.ExternalSeverity |
SendingLicenseToClient | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Sending License To Client| cat=Config
subtype=Sending License To Client devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=New license sent sev=@Model.ExternalSeverity |
ServerContentRevertFailure | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Server Content Revert Failure|cat=Policy subtype=Server
Content Revert Failure devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=Content version failed to revert to @Model["ContentVersion"].
Error: @Model["Error"] sev=@Model.ExternalSeverity |
ServerContentRevertSuccess | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Server Content Revert Success|cat=Policy subtype=Server
Content Revert Success devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=Content version was reverted to @Model["ContentVersion"] successfully sev=@Model.ExternalSeverity |
ServerContentUpdateFailure | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Server Content Update Failed|cat=Policy
subtype=Server Content Update Failed devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"]
suser=@Model["user"] msg=Content version failed to update to @Model["ContentVersion"].
Error: @Model["Error"] sev=@Model.ExternalSeverity |
ServerContentUpdateSuccess | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Server Content Update Success|cat=Policy subtype=Server
Content Update Success devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=Content version was updated to @Model["ContentVersion"] successfully sev=@Model.ExternalSeverity |
ServerHeartbeat | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|ESM Heartbeat|cat=System subtype=ESM
Heartbeat devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=ESM heartbeat sev=@Model.ExternalSeverity |
ServiceAlive | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Service Alive|cat=Agent subtype=Service
Alive devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Service
start sev=@Model.ExternalSeverity |
ServiceStartFailed | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Service Start Failed| cat=Agent
subtype=Service Start Failed devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"]
msg=Service start failed sev=@Model.ExternalSeverity |
ServiceStopped | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Service Stopped|cat=Agent subtype=Service
Stopped devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Service
stopped sev=@Model.ExternalSeverity |
ServiceWarning | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Service Warning|cat=Threat subtype=Service
Warning devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"]
dst=@Model["AgentIp"] msg=Warning- Java sandboxed file access to
@Model["TargetValue"] sev=@Model.ExternalSeverity |
SystemShutdown | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|System Shutdown|cat=Agent subtype=System
Shutdown devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Service
shutdown sev=@Model.ExternalSeverity |
TechSupportFileStatus | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Tech Support File| cat=System subtype=Tech
Support File devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] msg=Tech Support File:
Status:@Model["Status"] sev=@Model.ExternalSeverity |
TrapsServiceStatusChange | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Traps Service Status Change| cat=Agent
subtype=Traps Service Status Change devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"]
duser=@Model["user"] msg=Agent Service Status Changed: @Model["OldStatus"]->
@Model["NewStatus"] sev=@Model.ExternalSeverity |
UserDeleted | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|User Deleted|cat=Config subtype=User
Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=User @Model["Name"] was deleted. sev=@Model.ExternalSeverity |
UserEdited | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|User Edited|cat=Config subtype=User
Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=User @Model.Data.Name was added\changed. sev=@Model.ExternalSeverity |
UserLogin | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|User Login|cat=System subtype=User
Login devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=User @Model.Data.Username logged in to ESM console sev=@Model.ExternalSeverity |
UserStatusChanged | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|User Status Changed| cat=Config subtype=User
Status Changed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=User @Model["Name"] status was changed to @Model["Status"] sev=@Model.ExternalSeverity |
VerdictChangeAnyToMalware | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Verdict Changed Any To Malware|cat=Policy subtype=Verdict
Changed Any To Malware devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash
verdict changed to Malware. @Model["OldVerdict"] -> @Model["NewVerdict"]
sev=@Model.ExternalSeverity |
VerdictChangeMalwareToAny | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Verdict Change Malware To Any|cat=Policy subtype=Verdict
Change Malware To Any devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash
verdict changed from Malware. Awaiting to restore: @Model["QuarantineStatus"].
@Model["OldVerdict"] -> @Model["NewVerdict"] sev=@Model.ExternalSeverity |
VerdictChangeNoconnectionToAny | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Verdict Change No Connection To Any|cat=Policy subtype=Verdict
Change No Connection To Any devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"]
shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"]
msg=Hash verdict changed from No Connection. @Model["OldVerdict"]
-> @Model["NewVerdict"] sev=@Model.ExternalSeverity |
VerdictChangeUnknownToAny | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Verdict Change Unknown To Any|cat=Policy subtype=Verdict
Change Unknown To Any devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash
verdict changed from Unknown. @Model["OldVerdict"] -> @Model["NewVerdict"]
sev=@Model.ExternalSeverity |
VerdictChangeAwaitingAnalysisToAny | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Verdict Change Awaiting Analysis
To Any|cat=Policy subtype=Verdict Change Awaiting Analysis To Any
devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"]
shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"]
msg=Hash verdict changed from Awaiting Analysis. @Model["OldVerdict"]
-> @Model["NewVerdict"] sev=@Model.ExternalSeverity |
VerdictChange | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Verdict Changed|cat=Policy subtype=Verdict
Changed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash
verdict changed. @Model["OldVerdict"] -> @Model["NewVerdict"] sev=@Model.ExternalSeverity |
VerdictManualOverride | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Verdict Manual Override| cat=Policy
subtype=Verdict Manual Override devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash
verdict overridden manually. @Model["OldVerdict"] -> @Model["NewVerdict"]
sev=@Model.ExternalSeverity |
VerdictRevertedToWildfire | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Verdict Reverted To WildFire|cat=Policy subtype=Verdict
Reverted To WildFire devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash
verdict reverted to WildFire. @Model["OldVerdict"] -> @Model["NewVerdict"]
sev=@Model.ExternalSeverity |
WfCommunicationsStatusChanged | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| WildFire Communications Status Changed|cat=System subtype=WildFire
Communications Status Changed devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"]
suser=@Model["user"] dhost=@Model["host"] msg=WildFire communications status
changed on host '@Model["host"]'. Status: '@Model["message"] sev=@Model.ExternalSeverity |
InstallationPackage | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Agent Package Created| cat=System
subtype=Agent Package Created devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
dhost=@Model["host"] msg=@Model["OSType"] Agent Package was @Model["AgentPackageStatus"].
Source file: @Model["SourceFile"]. Package name: @Model["AgentPackageName"]
Agent Version: @Model["AgentPackageVersion"] sev=@Model.ExternalSeverity |
IncompatibleOs | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Agent Authentication Failed| cat=Agent
subtype=Agent Incompatibility Issue devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"]
duser=@Model["user"] msg=Traps is inactive due to @Model["IncompatibilityReason"] sev=@Model.ExternalSeverity |
RegistrationConflict | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Agent Registration Conflict Detected|
cat=System subtype=Agent Registration Conflict Detected devTimeFormat=MMM
dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"]
suser=@Model["user"] dhost=@Model["host"] msg=Agent registration
conflict detected on host @Model["host"] from IP: @Model["RequestIP"],
Saved IP: @Model["AgentIp"] sev=@Model.ExternalSeverity |
EsmCertValidationWarning | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]| Agent-ESM Authentication Warning|
cat=System subtype=Agent-ESM Authentication Warning devTimeFormat=MMM
dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"]
suser=@Model["user"] dhost=@Model["host"] msg=Agent @Model["host"]
couldn't fully authenticate ESM @Model["esmHost"] using installed
certificate. sev=@Model.ExternalSeverity |
AutoContentUpdateAvailable | LEEF:1.0|Palo Alto Networks|Traps
ESM| @Model["ProductVersion"]|Content Update Available| cat=Policy
subtype=Content Update Available devTimeFormat=MMM dd yyyy HH:mm:ss
devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"]
msg=A new Content Update (version @Model["ContentVersion"]) is Available sev=@Model.ExternalSeverity |
AgentMigration | LEEF:1.0|Palo Alto Networks|Traps
Agent| @Model["ProductVersion"]|Agent Migration| cat=Agent subtype=Agent
Migration devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"]
src=@Model["EsmIp"] dst=@Model["AgentIp"] msg=Agent has migrated
to Traps cloud services sev=@Model.ExternalSeverity |