Decryption LEEF Fields

Example Decryption log in LEEF:
Sep 21 02:00:51 gke-standard-cluster-2-pool-3-f004381a-0gw6 2462 <14>1 2021-09-21T02:00:51.988Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|Cleartext| |TimeReceived=2021-09-21T02:00:51.000000Z DeviceSN=xxxxxxxxxxxxx cat=decryption SubType=start ConfigVersion=10.1 devTime=2021-09-21T02:00:48.000000Z src=xxx.xx.x.xx dst=xxx.xx.x.xx srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx Rule=deny-attackers usrName=paloaltonetwork\xxxxx DestinationUser=xxxxx\xxxxx o"'"test Application=chrome-remote-desktop VirtualLocation=vsys1 FromZone=ethernet4Zone-test1 ToZone=partners InboundInterface=ethernet1/1 OutboundInterface=ethernet1/4 LogSetting=rs-logging TimeReceivedManagementPlane=2021-09-21T02:00:48.000000Z SessionID=643753 CountOfRepeat=1 srcPort=5327 dstPort=13609 srcPostNATPort=28043 dstPostNATPort=21523 proto=tcp Action=allow Tunnel=IPSEC SourceUUID= DestinationUUID= RuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 ClientToFirewall=Unknown FirewallToClient=Unknown TLSVersion=SSL2.0 TLSKeyExchange=TLS1.3 TLSEncryptionAlgorithm=CHACHA20_POLY1305 TLSAuth=SHA512 PolicyName= EllipticCurve=X9_62_prime192v1 ErrorIndex=None RootStatus=uninspected ChainStatus=Uninspected CertificateSerial=bd786e20508c58d8bed Fingerprint=fb9291df2dbeaf773075061a50181b42ca92e8ce4aed36353eed764230985a9b TimeNotBefore=1632189648 TimeNotAfter=1634781648 CertificateVersion=V3 CertificateSize=571 CommonNameLength=23 IssuerNameLength=32 RootCNLength=32 SNILength=21 CertificateFlags=4 CommonName=CN = Bin Lu Server Cert IssuerCommonName=CN = Thawte Premium Server CA1 RootCommonName=CN = Thawte Premium Server CA1 ServerNameIndication=devop-host.panw.local ErrorMessage= ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= TimeGeneratedHighResolution=2021-09-21T02:00:48.822000Z SourceDeviceCategory=A-Phone SourceDeviceProfile=a-profile SourceDeviceModel=iPhone SourceDeviceVendor=Apple SourceDeviceOSFamily=X SourceDeviceOSVersion=iOS 11 SourceDeviceHost=pan-211 SourceDeviceMac=304566879056 DestinationDeviceCategory=A-Phone DestinationDeviceProfile=a-profile DestinationDeviceModel=iPhone DestinationDeviceVendor=Apple DestinationDeviceOSFamily=9 DestinationDeviceOSVersion=iOS 9 DestinationDeviceHost=pan-233 DestinationDeviceMac=743514319696 SequenceNo=7003061089434423021 devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the Decryption field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears in a parameter named profileToken.
| LEEF Name | Query Name | Field Type |
|---|---|---|
| Action | | Custom |
| Application | app | Custom |
| ApplicationCategory | | Custom |
| ApplicationSubcategory | | Custom |
| CertificateFlags | | Custom |
| CertificateSerial | | Custom |
| CertificateSize | | Custom |
| CertificateVersion | | Custom |
| ChainStatus | | Custom |
| ApplicationCharacteristics | | Custom |
| ClientToFirewall | | Custom |
| CommonName | cn | Custom |
| CommonNameLength | | Custom |
| ConfigVersion | | Custom |
| ContainerID | | Custom |
| ApplicationContainer | | Custom |
| CountOfRepeat | | Custom |
| Cpadding | | Custom |
| CortexDataLakeTenantID | | Custom |
| DestinationDeviceCategory | | Custom |
| DestinationDeviceClass | | Custom |
| DestinationDeviceHost | | Custom |
| DestinationDeviceMac | | Custom |
| DestinationDeviceModel | | Custom |
| DestinationDeviceOS | | Custom |
| DestinationDeviceOSFamily | | Custom |
| DestinationDeviceOSVersion | | Custom |
| DestinationDeviceProfile | | Custom |
| DestinationDeviceVendor | | Custom |
| DestinationDynamicAddressGroup | | Custom |
| DestinationEDL | | Custom |
| dst | | Predefined |
| DestinationLocation | | Custom |
| dstPort | | Predefined |
| DestinationUser | | Custom |
| DestinationUserDomain | | Custom |
| DestinationUserName | | Custom |
| DestinationUserUUID | | Custom |
| DestinationUUID | | Custom |
| DGHierarchyLevel1 | | Custom |
| DGHierarchyLevel2 | | Custom |
| DGHierarchyLevel3 | | Custom |
| DGHierarchyLevel4 | | Custom |
| Domain | | Custom |
| EllipticCurve | | Custom |
| ErrorIndex | | Custom |
| ErrorMessage | | Custom |
| Fingerprint | | Custom |
| FirewallToClient | | Custom |
| FromZone | | Custom |
| InboundInterface | | Custom |
| InboundInterfaceDetailsPort | | Custom |
| InboundInterfaceDetailsSlot | | Custom |
| InboundInterfaceDetailsType | | Custom |
| InboundInterfaceDetailsUnit | | Custom |
| CaptivePortal | | Custom |
| IsCertECDSA | | Custom |
| IsCertRSA | | Custom |
| IsCertCNTruncated | | Custom |
| IsClienttoServer | | Custom |
| IsContainer | | Custom |
| IsDecryptMirror | | Custom |
| IsDecrypted | | Custom |
| IsDuplicateLog | | Custom |
| IsEncrypted | | Custom |
| LogExported | | Custom |
| IsForwarded | | Custom |
| IsIPV6 | | Custom |
| IsIssuerCNTruncated | | Custom |
| IsMptcpOn | | Custom |
| IsNAT | | Custom |
| IsNonStandardDestinationPort | | Custom |
| PacketCapture | | Custom |
| IsPhishing | | Custom |
| IsPrismaNetwork | | Custom |
| IsPrismaUsers | | Custom |
| IsProxy | | Custom |
| IsReconExcluded | | Custom |
| IsResumeSession | | Custom |
| IsRootCNTruncated | | Custom |
| IsSaaSApplication | | Custom |
| IsServertoClient | | Custom |
| IsSNITruncated | | Custom |
| IsSourceXForwarded | | Custom |
| IsSystemReturn | | Custom |
| IsTransaction | | Custom |
| IsTunnelInspected | | Custom |
| IsURLDenied | | Custom |
| IssuerCommonName | | Custom |
| IssuerNameLength | | Custom |
| LogSetting | | Custom |
| LogSource | | Custom |
| DeviceSN | | Custom |
| DeviceName | | Custom |
| LogSourceTimeZoneOffset | | Custom |
| TimeReceived | | Custom |
| cat | | Predefined |
| dstPostNAT | | Predefined |
| dstPostNATPort | | Predefined |
| srcPostNAT | | Predefined |
| srcPostNATPort | | Predefined |
| TimeNotAfter | | Custom |
| TimeNotBefore | | Custom |
| OutboundInterface | | Custom |
| OutboundInterfaceDetailsPort | | Custom |
| OutboundInterfaceDetailsSlot | | Custom |
| OutboundInterfaceDetailsType | | Custom |
| OutboundInterfaceDetailsUnit | | Custom |
| Padding | | Custom |
| Padding3 | | Custom |
| ContainerName | | Custom |
| ContainerNameSpace | | Custom |
| PolicyName | | Custom |
| proto | | Predefined |
| EventID | | Header |
| ApplicationRisk | | Custom |
| RootCommonName | | Custom |
| RootCNLength | | Custom |
| RootStatus | | Custom |
| Rule | | Custom |
| RuleUUID | | Custom |
| SanctionedStateOfApp | | Custom |
| SequenceNo | | Custom |
| SessionID | | Custom |
| ServerNameIndication | sni | Custom |
| SNILength | | Custom |
| SourceDeviceCategory | | Custom |
| SourceDeviceClass | | Custom |
| SourceDeviceHost | | Custom |
| SourceDeviceMac | | Custom |
| SourceDeviceModel | | Custom |
| SourceDeviceOS | | Custom |
| SourceDeviceOSFamily | | Custom |
| SourceDeviceOSVersion | | Custom |
| SourceDeviceProfile | | Custom |
| SourceDeviceVendor | | Custom |
| SourceDynamicAddressGroup | | Custom |
| SourceEDL | | Custom |
| src | | Predefined |
| SourceLocation | | Custom |
| srcPort | | Predefined |
| usrName | | Predefined |
| SourceUserDomain | | Custom |
| SourceUserName | | Custom |
| SourceUserUUID | | Custom |
| SourceUUID | | Custom |
| SubType | | Custom |
| ApplicationTechnology | | Custom |
| devTime | | Predefined |
| TimeGeneratedHighResolution | | Custom |
| TimeReceivedManagementPlane | | Custom |
| TLSAuth | | Custom |
| TLSEncryptionAlgorithm | | Custom |
| TLSKeyExchange | | Custom |
| TLSVersion | | Custom |
| ToZone | | Custom |
| Tpadding | | Custom |
| Tunnel | | Custom |
| TunneledApplication | | Custom |
| Vendor | | Header |
| Vpadding | | Custom |
| VirtualLocation | | Custom |
| VirtualSystemID | | Custom |
| VirtualSystemName | | Custom |
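The example log above shows why a naive split on the delimiter is not enough: several values (CommonName, DestinationUser, SourceDeviceOSVersion) contain spaces, and several attributes (SourceUUID, PolicyName) are empty. The following parser is an added example, not code from the Log Forwarding app; it reads the delimiter from the LEEF:2.0 header, rebuilds spaced values by treating only `Key=` tokens as new attributes, and converts the epoch-second TimeNotBefore/TimeNotAfter fields for validation. The SAMPLE is the page's event trimmed to the fields that exercise those cases.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the page's decryption event trimmed to the fields that
# exercise the parser (the xxx placeholders are the page's own).
SAMPLE = (
    "<14>1 2021-09-21T02:00:51.988Z host logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|Cleartext| |"
    "TimeReceived=2021-09-21T02:00:51.000000Z cat=decryption SubType=start "
    "src=xxx.xx.x.xx dst=xxx.xx.x.xx usrName=paloaltonetwork\\xxxxx "
    "DestinationUser=xxxxx\\xxxxx o\"'\"test Action=allow SourceUUID= "
    "RuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 TLSVersion=SSL2.0 "
    "TLSKeyExchange=TLS1.3 TimeNotBefore=1632189648 TimeNotAfter=1634781648 "
    "CommonName=CN = Bin Lu Server Cert SourceDeviceOSVersion=iOS 11 "
    "devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)

# A token opens a new attribute only when it looks like `Key=`; anything else
# (a bare "=", "Bin", "11") continues the previous value, which is how the
# space-containing values in this log survive a split on the delimiter.
KEY_START = re.compile(r"^[A-Za-z][A-Za-z0-9]*=")


def parse_leef(line):
    """Return (header, attributes) for one syslog-wrapped LEEF:2.0 event."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    parts = line[start:].split("|", 6)
    if len(parts) != 7 or parts[0] != "LEEF:2.0":
        raise ValueError("expected LEEF:2.0 with six pipe-delimited header fields")
    names = ("version", "vendor", "product", "product_version", "event_id", "delimiter")
    header = dict(zip(names, parts[:6]))
    delim = header["delimiter"]
    if len(delim) > 1 and delim[0] == "x":      # LEEF hex form such as x09
        delim = chr(int(delim[1:], 16))
    delim = delim or "\t"                       # empty field: LEEF default is tab
    attrs, key = {}, None
    for tok in parts[6].split(delim):
        if KEY_START.match(tok):
            key, _, val = tok.partition("=")
            attrs[key] = val                    # empty values (SourceUUID=) stay ""
        elif key is not None:
            attrs[key] += delim + tok           # continuation of a spaced value
    return header, attrs


def cert_validity(attrs):
    """Certificate validity window from the epoch-second TimeNot* fields."""
    return tuple(datetime.fromtimestamp(int(attrs[k]), tz=timezone.utc)
                 for k in ("TimeNotBefore", "TimeNotAfter"))
```

A value that itself contains a `Key=`-shaped token would be mis-split by this heuristic; the page's sample has none, but a production parser should validate keys against the table above.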
