File
Represents a file transfer across the network. A FILE log record can represent either a successful transfer or an attempted transfer that the firewall blocked.
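As an added example (this is not code from the original page or from Palo Alto Networks), the following Python reads CEF-formatted FILE records back into the schema field names used in the table below, using the "CEF field name" mappings the table lists, and then runs two checks that the field descriptions invite: a gap check on sequence_no (the table says it increments sequentially per log type, so a hole means records were dropped between the firewall and the collector) and de-duplication of records that arrive by two routes (the situation is_dup_log indicates). The sample CEF lines, the header vendor/product/version values and the assumption that rt carries log_time as a raw microseconds-since-epoch value are constructed for this example; real exports may format rt differently, which is why the conversion runs only on an all-digit value.

```python
"""Parse CEF-formatted FILE records into the schema's field names and run two
integrity checks over the stream: sequence_no gaps and duplicate records."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# CEF extension key -> FILE schema field, from the table's "CEF field name" column.
# Keys not listed here are kept as "cef.<key>" so nothing is silently dropped.
CEF_TO_FILE_FIELD = {
    "act": "action.value", "app": "app", "PanOSApplicationCategory": "app_category",
    "filePath": "file_name", "PanOSFileHash": "file_sha_256", "PanOSFileType": "file_type",
    "PanOSFileURL": "file_url", "cs1": "rule_matched", "PanOSRuleUUID": "rule_matched_uuid",
    "cs4": "from_zone", "cs6": "log_set", "cn1": "session_id", "dpt": "dest_port",
    "duser": "dest_user", "proto": "protocol.value", "deviceExternalId": "log_source_id",
    "dvchost": "log_source_name", "externalId": "sequence_no", "rt": "log_time",
    "cnt": "count_of_repeats", "PanOSIsDuplicateLog": "is_dup_log",
}
INT_FIELDS = {"session_id", "dest_port", "sequence_no", "count_of_repeats"}
FLAG_FIELDS = {"is_dup_log"}
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # where a "key=" starts in the extension


def split_cef_header(line):
    """Split the 7 pipe-delimited CEF header fields (honouring \\| and \\\\); return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character: keep it literally
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: " + line[:40])
    return fields, line[i:]


def parse_extension(ext):
    """Split 'key=value' pairs; values may hold spaces and the escapes \\= \\\\ \\n."""
    out, keys = {}, list(KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: "\n" if e.group(1) == "n" else e.group(1),
                                 ext[m.end():end])
    return out


def parse_file_record(line):
    """Return one FILE record keyed by schema field names, with typed values."""
    header, ext = split_cef_header(line)
    rec = {"log_type.value": header[4]}               # CEF "Device Event Class ID"
    for key, value in parse_extension(ext).items():
        name = CEF_TO_FILE_FIELD.get(key, "cef." + key)
        if name in INT_FIELDS:
            value = int(value)
        elif name in FLAG_FIELDS:
            value = value == "1"
        elif name == "log_time" and value.isdigit():
            # Schema: microseconds since the Unix epoch; assumed carried raw in rt here.
            us = int(value)
            value = datetime.fromtimestamp(us // 10**6, tz=timezone.utc).replace(microsecond=us % 10**6)
        rec[name] = value
    rec["hash_ok"] = bool(SHA256_RE.match(rec.get("file_sha_256", "")))  # exactly 64 hex digits
    return rec


def sequence_gaps(records):
    """sequence_no increments per device and log type; a hole means lost records."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["log_source_id"], r["log_type.value"])].add(r["sequence_no"])
    return [(key, sorted(set(range(min(n), max(n) + 1)) - n))
            for key, n in seen.items() if len(n) != max(n) - min(n) + 1]


def dedupe(records):
    """Collapse copies of one record (same device, log type, sequence_no): what is_dup_log flags."""
    unique = {}
    for r in records:
        unique.setdefault((r["log_source_id"], r["log_type.value"], r["sequence_no"]), r)
    return list(unique.values()), len(records) - len(unique)


# Constructed sample export (header vendor/product/version values are placeholders).
SAMPLE_CEF = [
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.0|FILE|file|3|rt=1700000000000000 deviceExternalId=001901000001 "
    "dvchost=fw-edge-1 externalId=5001 cn1=88201 act=alert app=web-browsing cs4=trust dpt=443 "
    "filePath=q4\\=report.pdf PanOSFileType=Adobe Portable Document Format (PDF) PanOSFileHash=" + "ab" * 32 + " PanOSIsDuplicateLog=0",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.0|FILE|file|3|rt=1700000001000000 deviceExternalId=001901000001 "
    "dvchost=fw-edge-1 externalId=5002 cn1=88202 act=block app=smtp cs4=trust dpt=25 "
    "filePath=invoice.exe PanOSFileType=Windows Executable (EXE) PanOSFileHash=notahash PanOSIsDuplicateLog=0",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2.0|FILE|file|3|rt=1700000005000000 deviceExternalId=001901000001 "
    "dvchost=fw-edge-1 externalId=5005 cn1=88210 act=alert app=ms-ds-smb cs4=trust dpt=445 "
    "filePath=notes.txt PanOSFileType=Text PanOSFileHash=" + "cd" * 32 + " PanOSIsDuplicateLog=0",
]
# The second record again, delivered by a second forwarding path and flagged as a duplicate.
SAMPLE_CEF.insert(2, SAMPLE_CEF[1].replace("PanOSIsDuplicateLog=0", "PanOSIsDuplicateLog=1"))


def run(lines=SAMPLE_CEF):
    records = [parse_file_record(l) for l in lines]
    unique, dropped = dedupe(records)
    return {"records": records, "unique": unique, "dropped": dropped, "gaps": sequence_gaps(unique),
            "blocked": [r["file_name"] for r in unique if r["action.value"] == "block"],
            "bad_hashes": [r["file_name"] for r in unique if not r["hash_ok"]]}
```

On the constructed sample, run() de-duplicates the second record, reports sequence numbers 5003 and 5004 missing for the device, flags invoice.exe as blocked, and flags the same record for a file_sha_256 value that is not a SHA-256. The extension parser cannot resolve a bare `word=` inside a value (a limitation of CEF itself), so the escape handling on `\=` is what keeps a file name such as `q4=report.pdf` intact.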
Each entry below gives the FILE field name, its display name in parentheses, a description, and the name under which the same value appears in each supported export format (Syslog, CEF, EMAIL, HTTPS and LEEF). "Syslog field name: Syslog Field Order" means the value carries no key in syslog output and is identified only by its position in the FILE syslog field order.
action.value
(ACTION)
|
Identifies the action that the firewall took for the network traffic.
Syslog field name: Syslog Field Order CEF field name: act EMAIL field name: Action HTTPS field name: Action LEEF field name: Action |
app
(APPLICATION)
|
Application associated with the network traffic.
Syslog field name: Syslog Field Order CEF field name: app EMAIL field name: Application HTTPS field name: Application LEEF field name: Application |
app_category
(APPLICATION CATEGORY)
|
Identifies the high-level family of the application.
CEF field name: PanOSApplicationCategory EMAIL field name: ApplicationCategory HTTPS field name: ApplicationCategory LEEF field name: ApplicationCategory |
app_sub_category
(APPLICATION SUBCATEGORY)
|
Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category.
CEF field name: PanOSApplicationSubcategory EMAIL field name: ApplicationSubcategory HTTPS field name: ApplicationSubcategory LEEF field name: ApplicationSubcategory |
cloud_hostname
(CLOUD HOSTNAME)
|
The hostname in which the VM-series firewall is running.
CEF field name: PanOSCloudHostname EMAIL field name: CloudHostname HTTPS field name: CloudHostname LEEF field name: CloudHostname |
cloud_reportid
(CLOUD REPORTID)
|
Unique 32-character ID for a file scanned by the DLP cloud service, sent by a firewall running PAN-OS 10.2.0. The same Cloud Report ID is shown for a file that the DLP cloud service has already scanned and assigned a Cloud Report ID.
CEF field name: PanOSCloudReportID EMAIL field name: CloudReportID HTTPS field name: CloudReportID LEEF field name: CloudReportID |
config_version.value
(CONFIG VERSION)
|
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order CEF field name: PanOSConfigVersion EMAIL field name: ConfigVersion HTTPS field name: ConfigVersion LEEF field name: ConfigVersion |
container_id
(CONTAINER ID)
|
Unknown field. No information is available at this time.
Syslog field name: Syslog Field Order CEF field name: PanOSContainerID EMAIL field name: ContainerID HTTPS field name: ContainerID LEEF field name: ContainerID |
container_of_app
(APPLICATION CONTAINER)
|
Identifies the managing application or parent of the application associated with this network traffic.
CEF field name: PanOSApplicationContainer EMAIL field name: ApplicationContainer HTTPS field name: ApplicationContainer LEEF field name: ApplicationContainer |
content_version
(CONTENT VERSION)
|
Applications and Threats version installed on the firewall when the log was generated.
Syslog field name: Syslog Field Order CEF field name: PanOSContentVersion EMAIL field name: ContentVersion HTTPS field name: ContentVersion LEEF field name: ContentVersion |
count_of_repeats
(REPEAT COUNT)
|
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order CEF field name: cnt EMAIL field name: RepeatCount HTTPS field name: RepeatCount LEEF field name: RepeatCount |
customer_id
(CORTEX DATA LAKE TENANT ID)
|
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSCortexDataLakeTenantID EMAIL field name: CortexDataLakeTenantID HTTPS field name: CortexDataLakeTenantID LEEF field name: CortexDataLakeTenantID |
dest_device_category
(DESTINATION DEVICE CATEGORY)
|
Category of the device to which the session was directed.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationDeviceCategory EMAIL field name: DestinationDeviceCategory HTTPS field name: DestinationDeviceCategory LEEF field name: DestinationDeviceCategory |
dest_device_class
(DESTINATION DEVICE CLASS)
|
Destination device class.
CEF field name: PanOSDestinationDeviceClass EMAIL field name: DestinationDeviceClass HTTPS field name: DestinationDeviceClass LEEF field name: DestinationDeviceClass |
dest_device_host
(DESTINATION DEVICE HOST)
|
Hostname of the device to which the session was directed.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationDeviceHost EMAIL field name: DestinationDeviceHost HTTPS field name: DestinationDeviceHost LEEF field name: DestinationDeviceHost |
dest_device_mac
(DESTINATION DEVICE MAC)
|
MAC Address of the device to which the session was directed.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationDeviceMac EMAIL field name: DestinationDeviceMac HTTPS field name: DestinationDeviceMac LEEF field name: DestinationDeviceMac |
dest_device_model
(DESTINATION DEVICE MODEL)
|
Model of the device to which the session was directed.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationDeviceModel EMAIL field name: DestinationDeviceModel HTTPS field name: DestinationDeviceModel LEEF field name: DestinationDeviceModel |
dest_device_os
(DESTINATION DEVICE OS)
|
Destination device OS type.
CEF field name: PanOSDestinationDeviceOS EMAIL field name: DestinationDeviceOS HTTPS field name: DestinationDeviceOS LEEF field name: DestinationDeviceOS |
dest_device_osfamily
(DESTINATION DEVICE OS FAMILY)
|
OS family of the device to which the session was directed.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationDeviceOSFamily EMAIL field name: DestinationDeviceOSFamily HTTPS field name: DestinationDeviceOSFamily LEEF field name: DestinationDeviceOSFamily |
dest_device_osversion
(DESTINATION DEVICE OS VERSION)
|
OS version of the device to which the session was directed.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationDeviceOSVersion EMAIL field name: DestinationDeviceOSVersion HTTPS field name: DestinationDeviceOSVersion LEEF field name: DestinationDeviceOSVersion |
dest_device_profile
(DESTINATION DEVICE PROFILE)
|
Profile of the device to which the session was directed.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationDeviceProfile EMAIL field name: DestinationDeviceProfile HTTPS field name: DestinationDeviceProfile LEEF field name: DestinationDeviceProfile |
dest_device_vendor
(DESTINATION DEVICE VENDOR)
|
Vendor of the device to which the session was directed.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationDeviceVendor EMAIL field name: DestinationDeviceVendor HTTPS field name: DestinationDeviceVendor LEEF field name: DestinationDeviceVendor |
dest_dynamic_address_group
(DESTINATION DYNAMIC ADDRESS GROUP)
|
The dynamic address group that Device-ID identifies as the destination for the traffic.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationDynamicAddressGroup EMAIL field name: DestinationDynamicAddressGroup HTTPS field name: DestinationDynamicAddressGroup LEEF field name: DestinationDynamicAddressGroup |
dest_edl
(DESTINATION EDL)
|
The name of the external dynamic list that contains the destination IP address of the traffic.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationEDL EMAIL field name: DestinationEDL HTTPS field name: DestinationEDL LEEF field name: DestinationEDL |
dest_ip.value
(DESTINATION ADDRESS)
|
Original destination IP address.
Syslog field name: Syslog Field Order EMAIL field name: DestinationAddress HTTPS field name: DestinationAddress LEEF field name: dst |
dest_location
(DESTINATION LOCATION)
|
Destination country or internal region for private addresses.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationLocation EMAIL field name: DestinationLocation HTTPS field name: DestinationLocation LEEF field name: DestinationLocation |
dest_port
(DESTINATION PORT)
|
Network traffic's destination port. If this value is 0, then the app is using its standard port.
Syslog field name: Syslog Field Order CEF field name: dpt EMAIL field name: DestinationPort HTTPS field name: DestinationPort LEEF field name: dstPort |
dest_user
(DESTINATION USER)
|
The username to which the network traffic was destined.
Syslog field name: Syslog Field Order CEF field name: duser EMAIL field name: DestinationUser HTTPS field name: DestinationUser LEEF field name: DestinationUser |
dest_user_info.domain
(DESTINATION USER DOMAIN)
|
Domain to which the Destination User belongs.
CEF field name: dntdom EMAIL field name: DestinationUserDomain HTTPS field name: DestinationUserDomain LEEF field name: DestinationUserDomain |
dest_user_info.name
(DESTINATION USER NAME)
|
The Destination User. That is, the username to which the network traffic was destined.
CEF field name: duser EMAIL field name: DestinationUserName HTTPS field name: DestinationUserName LEEF field name: DestinationUserName |
dest_user_info.uuid
(DESTINATION USER UUID)
|
Unique identifier assigned to the Destination User.
CEF field name: duid EMAIL field name: DestinationUserUUID HTTPS field name: DestinationUserUUID LEEF field name: DestinationUserUUID |
dest_uuid
(DESTINATION UUID)
|
Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
Syslog field name: Syslog Field Order CEF field name: PanOSDestinationUUID EMAIL field name: DestinationUUID HTTPS field name: DestinationUUID LEEF field name: DestinationUUID |
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel1 EMAIL field name: DGHierarchyLevel1 HTTPS field name: DGHierarchyLevel1 LEEF field name: DGHierarchyLevel1 |
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel2 EMAIL field name: DGHierarchyLevel2 HTTPS field name: DGHierarchyLevel2 LEEF field name: DGHierarchyLevel2 |
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel3 EMAIL field name: DGHierarchyLevel3 HTTPS field name: DGHierarchyLevel3 LEEF field name: DGHierarchyLevel3 |
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel4 EMAIL field name: DGHierarchyLevel4 HTTPS field name: DGHierarchyLevel4 LEEF field name: DGHierarchyLevel4 |
direction_of_attack.value
(DIRECTION OF ATTACK)
|
Indicates the direction of the attack.
Syslog field name: Syslog Field Order CEF field name: flexString2 EMAIL field name: DirectionOfAttack HTTPS field name: DirectionOfAttack LEEF field name: DirectionOfAttack |
dlp_version_flag
(DLP VERSION FLAG)
|
Indicates whether these are old or new data filtering logs.
CEF field name: PanOSDLPVersionFlag EMAIL field name: DLPVersionFlag HTTPS field name: DLPVersionFlag LEEF field name: DLPVersionFlag |
domain_edl
(DOMAIN EDL)
|
Domain External Dynamic List. That is, the name of the external dynamic list that
contains the destination domain of the traffic.
Syslog field name: Syslog Field Order CEF field name: PanOSDomainEDL EMAIL field name: DomainEDL HTTPS field name: DomainEDL LEEF field name: DomainEDL |
dynusergroup_name
(DYNAMIC USER GROUP)
|
Dynamic user group of the user who initiated the network connection.
Syslog field name: Syslog Field Order CEF field name: PanOSDynamicUserGroup EMAIL field name: DynamicUserGroup HTTPS field name: DynamicUserGroup LEEF field name: DynamicUserGroup |
endpoint_serial_number
(ENDPOINT SERIAL NUMBER)
|
Serial number of the host on which GlobalProtect is installed.
Syslog field name: Syslog Field Order CEF field name: PanOSEndpointSerialNumber EMAIL field name: EndpointSerialNumber HTTPS field name: EndpointSerialNumber LEEF field name: EndpointSerialNumber |
file_name
(FILE NAME)
|
Name of the file that was transferred or blocked.
Syslog field name: Syslog Field Order CEF field name: filePath EMAIL field name: FileName HTTPS field name: FileName LEEF field name: FileName |
file_sha_256
(FILE HASH)
|
The binary hash (SHA256) of the file.
Syslog field name: Syslog Field Order CEF field name: PanOSFileHash EMAIL field name: FileHash HTTPS field name: FileHash LEEF field name: FileHash |
file_type
(FILE TYPE)
|
Palo Alto Networks textual identifier for the file type (the value travels in the threat/content name column of the data filtering log, hence the LEEF mapping to EventID).
CEF field name: PanOSFileType EMAIL field name: FileType HTTPS field name: FileType LEEF field name: EventID |
file_url
(FILE URL)
|
File URL.
CEF field name: PanOSFileURL EMAIL field name: FileURL HTTPS field name: FileURL LEEF field name: FileURL |
from_zone
(FROM ZONE)
|
The networking zone from which the traffic originated.
Syslog field name: Syslog Field Order CEF field name: cs4 EMAIL field name: FromZone HTTPS field name: FromZone LEEF field name: FromZone |
gp_host_id
(HOST ID)
|
A unique ID that GlobalProtect assigns to identify the host.
Syslog field name: Syslog Field Order CEF field name: PanOSHostID EMAIL field name: HostID HTTPS field name: HostID LEEF field name: HostID |
http2_connection
(HTTP2 CONNECTION)
|
Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0.
Syslog field name: Syslog Field Order CEF field name: PanOSHTTP2Connection EMAIL field name: HTTP2Connection HTTPS field name: HTTP2Connection LEEF field name: HTTP2Connection |
inbound_if.value
(INBOUND INTERFACE)
|
Interface from which the network traffic was sourced.
Syslog field name: Syslog Field Order CEF field name: deviceInboundInterface EMAIL field name: InboundInterface HTTPS field name: InboundInterface LEEF field name: InboundInterface |
inbound_if_details.port
(INBOUND INTERFACE DETAILS PORT)
|
Hardware port or socket from which the network traffic was sourced.
CEF field name: PanOSInboundInterfaceDetailsPort EMAIL field name: InboundInterfaceDetailsPort HTTPS field name: InboundInterfaceDetailsPort LEEF field name: InboundInterfaceDetailsPort |
inbound_if_details.slot
(INBOUND INTERFACE DETAILS SLOT)
|
Interface slot from which the network traffic was sourced.
CEF field name: PanOSInboundInterfaceDetailsSlot EMAIL field name: InboundInterfaceDetailsSlot HTTPS field name: InboundInterfaceDetailsSlot LEEF field name: InboundInterfaceDetailsSlot |
inbound_if_details.type.value
(INBOUND INTERFACE DETAILS TYPE)
|
The type of interface from which the network traffic was sourced.
CEF field name: PanOSInboundInterfaceDetailsType EMAIL field name: InboundInterfaceDetailsType HTTPS field name: InboundInterfaceDetailsType LEEF field name: InboundInterfaceDetailsType |
inbound_if_details.unit
(INBOUND INTERFACE DETAILS UNIT)
|
Internal use.
CEF field name: PanOSInboundInterfaceDetailsUnit EMAIL field name: InboundInterfaceDetailsUnit HTTPS field name: InboundInterfaceDetailsUnit LEEF field name: InboundInterfaceDetailsUnit |
is_captive_portal
(CAPTIVE PORTAL)
|
Indicates if user information for the session was captured through Captive Portal.
CEF field name: PanOSCaptivePortal EMAIL field name: CaptivePortal HTTPS field name: CaptivePortal LEEF field name: CaptivePortal |
is_client_to_server
(IS CLIENT TO SERVER)
|
Indicates if direction of traffic is from client to server.
CEF field name: PanOSIsClienttoServer EMAIL field name: IsClienttoServer HTTPS field name: IsClienttoServer LEEF field name: IsClienttoServer |
is_container
(IS CONTAINER)
|
Indicates if the session is a container page access (Container Page).
CEF field name: PanOSIsContainer EMAIL field name: IsContainer HTTPS field name: IsContainer LEEF field name: IsContainer |
is_decrypt_mirror
(IS DECRYPT MIRROR)
|
Indicates whether decrypted traffic was sent out in clear text through a mirror port.
CEF field name: PanOSIsDecryptMirror EMAIL field name: IsDecryptMirror HTTPS field name: IsDecryptMirror LEEF field name: IsDecryptMirror |
is_decrypted
(IS DECRYPTED)
|
Flag that indicates that the session is decrypted.
CEF field name: PanOSIsDecrypted EMAIL field name: IsDecrypted HTTPS field name: IsDecrypted LEEF field name: IsDecrypted |
is_dup_log
(IS DUPLICATE LOG)
|
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog EMAIL field name: IsDuplicateLog HTTPS field name: IsDuplicateLog LEEF field name: IsDuplicateLog |
is_encrypted
(IS ENCRYPTED)
|
Flag that indicates that the session is encrypted.
CEF field name: PanOSIsEncrypted EMAIL field name: IsEncrypted HTTPS field name: IsEncrypted LEEF field name: IsEncrypted |
is_exported
(LOG EXPORTED)
|
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported EMAIL field name: LogExported HTTPS field name: LogExported LEEF field name: LogExported |
is_forwarded
(LOG FORWARDED)
|
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded EMAIL field name: LogForwarded HTTPS field name: LogForwarded LEEF field name: LogForwarded |
is_ipv6
(IS IPV6)
|
Indicates whether IPV6 was used for the session.
CEF field name: PanOSIsIPV6 EMAIL field name: IsIPV6 HTTPS field name: IsIPV6 LEEF field name: IsIPV6 |
is_mptcp_on
(IS MPTCP ON)
|
Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
CEF field name: PanOSIsMptcpOn EMAIL field name: IsMptcpOn HTTPS field name: IsMptcpOn LEEF field name: IsMptcpOn |
is_non_std_dest_port
(IS NON STANDARD DESTINATION PORT)
|
Indicates if the destination port is non-standard.
CEF field name: PanOSIsNonStandardDestinationPort EMAIL field name: IsNonStandardDestinationPort HTTPS field name: IsNonStandardDestinationPort LEEF field name: IsNonStandardDestinationPort |
is_packet_capture
(IS PACKET CAPTURE)
|
Indicates whether the session has a packet capture (PCAP).
CEF field name: PanOSIsPacketCapture EMAIL field name: IsPacketCapture HTTPS field name: IsPacketCapture LEEF field name: IsPacketCapture |
is_phishing
(IS PHISHING)
|
Indicates whether enterprise credentials were submitted by an end user.
CEF field name: PanOSIsPhishing EMAIL field name: IsPhishing HTTPS field name: IsPhishing LEEF field name: IsPhishing |
is_prisma_branch
(IS PRISMA NETWORK)
|
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetwork EMAIL field name: IsPrismaNetwork HTTPS field name: IsPrismaNetwork LEEF field name: IsPrismaNetwork |
is_prisma_mobile
(IS PRISMA USERS)
|
Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers EMAIL field name: IsPrismaUsers HTTPS field name: IsPrismaUsers LEEF field name: IsPrismaUsers |
is_proxy
(IS PROXY)
|
Indicates whether the SSL session is decrypted (SSL Proxy).
CEF field name: PanOSIsProxy EMAIL field name: IsProxy HTTPS field name: IsProxy LEEF field name: IsProxy |
is_recon_excluded
(IS RECON EXCLUDED)
|
Indicates whether source for the flow is on the firewall allow list and not subject to recon protection.
CEF field name: PanOSIsReconExcluded EMAIL field name: IsReconExcluded HTTPS field name: IsReconExcluded LEEF field name: IsReconExcluded |
is_saas_app
(IS SAAS APPLICATION)
|
Internal use field. Indicates whether the application associated with this network traffic is a SAAS application.
CEF field name: PanOSIsSaaSApplication EMAIL field name: IsSaaSApplication HTTPS field name: IsSaaSApplication LEEF field name: IsSaaSApplication |
is_server_to_client
(IS SERVER TO CLIENT)
|
Indicates if direction of traffic is from server to client.
CEF field name: PanOSIsServertoClient EMAIL field name: IsServertoClient HTTPS field name: IsServertoClient LEEF field name: IsServertoClient |
is_source_x_fwded
(IS SOURCE X FORWARDED)
|
Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
CEF field name: PanOSIsSourceXForwarded EMAIL field name: IsSourceXForwarded HTTPS field name: IsSourceXForwarded LEEF field name: IsSourceXForwarded |
is_sym_return
(IS SYSTEM RETURN)
|
Indicates whether symmetric return was used to forward traffic for this session.
CEF field name: PanOSIsSystemReturn EMAIL field name: IsSystemReturn HTTPS field name: IsSystemReturn LEEF field name: IsSystemReturn |
is_transaction
(IS TRANSACTION)
|
Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
CEF field name: PanOSIsTransaction EMAIL field name: IsTransaction HTTPS field name: IsTransaction LEEF field name: IsTransaction |
is_tunnel_inspected
(IS TUNNEL INSPECTED)
|
Indicates whether the payload for the outer tunnel was inspected.
CEF field name: PanOSIsTunnelInspected EMAIL field name: IsTunnelInspected HTTPS field name: IsTunnelInspected LEEF field name: IsTunnelInspected |
is_url_denied
(IS URL DENIED)
|
Indicates whether the session was denied due to a URL filtering rule.
CEF field name: PanOSIsURLDenied EMAIL field name: IsURLDenied HTTPS field name: IsURLDenied LEEF field name: IsURLDenied |
justification
(JUSTIFICATION)
|
Justification string.
Syslog field name: Syslog Field Order CEF field name: PanOSJustification EMAIL field name: Justification HTTPS field name: Justification LEEF field name: Justification |
location
(PRISMA ACCESS LOCATION)
|
Prisma Access Region/Location.
CEF field name: PanOSLocation EMAIL field name: Location HTTPS field name: Location LEEF field name: Location |
log_set
(LOG SETTING)
|
Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
Syslog field name: Syslog Field Order CEF field name: cs6 EMAIL field name: LogSetting HTTPS field name: LogSetting LEEF field name: LogSetting |
log_source
(LOG SOURCE)
|
Identifies the origin of the data - the system that produced the data.
CEF field name: PanOSLogSource EMAIL field name: LogSource HTTPS field name: LogSource LEEF field name: LogSource |
log_source_group_id
(LOG SOURCE GROUP ID)
|
Identifier of the log source group to which the source of the log (log_source_id) belongs.
CEF field name: LogSourceGroupID EMAIL field name: LogSourceGroupID HTTPS field name: LogSourceGroupID LEEF field name: LogSourceGroupID |
log_source_id
(DEVICE SN)
|
ID that uniquely identifies the source of the log - serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
Syslog field name: Syslog Field Order CEF field name: deviceExternalId EMAIL field name: DeviceSN HTTPS field name: DeviceSN LEEF field name: DeviceSN |
log_source_name
(DEVICE NAME)
|
Name of the source of the log - hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order CEF field name: dvchost EMAIL field name: DeviceName HTTPS field name: DeviceName LEEF field name: DeviceName |
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
|
Time Zone offset from GMT of the source of the log.
CEF field name: PanOSLogSourceTimeZoneOffset EMAIL field name: LogSourceTimeZoneOffset HTTPS field name: LogSourceTimeZoneOffset LEEF field name: LogSourceTimeZoneOffset |
log_time
(TIME RECEIVED)
|
Time the log was received in Cortex Data Lake. This string
contains a timestamp value that is the number of microseconds
since the Unix epoch.
Syslog field name: Syslog Field Order CEF field name: rt EMAIL field name: TimeReceived HTTPS field name: TimeReceived LEEF field name: TimeReceived |
log_type.value
(LOG TYPE)
|
Identifies the log type.
Syslog field name: Syslog Field Order CEF field name: Device Event Class ID EMAIL field name: LogType HTTPS field name: LogType LEEF field name: cat |
monitor_tag_imei
(IMEI)
|
Monitor tag or IMEI. For mobile network traffic, the International Mobile Equipment Identity of the subscriber's device; otherwise a string, globally defined on the firewall by the administrator, used to group similar traffic together for logging and reporting.
Syslog field name: Syslog Field Order CEF field name: PanOSIMEI EMAIL field name: IMEI HTTPS field name: IMEI LEEF field name: IMEI |
nat_dest.value
(NAT DESTINATION)
|
If destination NAT performed, the post-NAT destination IP address.
Syslog field name: Syslog Field Order CEF field name: destinationTranslatedAddress EMAIL field name: NATDestination HTTPS field name: NATDestination LEEF field name: dstPostNAT |
nat_dest_port
(NAT DESTINATION PORT)
|
Post-NAT destination port.
Syslog field name: Syslog Field Order CEF field name: destinationTranslatedPort EMAIL field name: NATDestinationPort HTTPS field name: NATDestinationPort LEEF field name: dstPostNATPort |
nat_source.value
(NAT SOURCE)
|
If source NAT was performed, the post-NAT source IP address.
Syslog field name: Syslog Field Order CEF field name: sourceTranslatedAddress EMAIL field name: NATSource HTTPS field name: NATSource LEEF field name: srcPostNAT |
nat_source_port
(NAT SOURCE PORT)
|
Post-NAT source port.
Syslog field name: Syslog Field Order CEF field name: sourceTranslatedPort EMAIL field name: NATSourcePort HTTPS field name: NATSourcePort LEEF field name: srcPostNATPort |
non_standard_dest_port
(NON STANDARD DESTINATION PORT)
|
Identifies the non-standard or unexpected port used by the application associated with this session.
CEF field name: PanOSNonStandardDestinationPort EMAIL field name: NonStandardDestinationPort HTTPS field name: NonStandardDestinationPort LEEF field name: NonStandardDestinationPort |
nssai_network_slice_type.value
(NSSAI NETWORK SLICE TYPE)
|
Network Slice Type (SST part of SNSSAI).
Syslog field name: Syslog Field Order CEF field name: PanOSNSSAINetworkSliceType EMAIL field name: NSSAINetworkSliceType HTTPS field name: NSSAINetworkSliceType LEEF field name: NSSAINetworkSliceType |
outbound_if.value
(OUTBOUND INTERFACE)
|
Interface to which the network traffic was destined.
Syslog field name: Syslog Field Order CEF field name: deviceOutboundInterface EMAIL field name: OutboundInterface HTTPS field name: OutboundInterface LEEF field name: OutboundInterface |
outbound_if_details.port
(OUTBOUND INTERFACE DETAILS PORT)
|
Hardware port or socket to which the network traffic was sent.
CEF field name: PanOSOutboundInterfaceDetailsPort EMAIL field name: OutboundInterfaceDetailsPort HTTPS field name: OutboundInterfaceDetailsPort LEEF field name: OutboundInterfaceDetailsPort |
outbound_if_details.slot
(OUTBOUND INTERFACE DETAILS SLOT)
|
Interface slot to which the network traffic was sent.
CEF field name: PanOSOutboundInterfaceDetailsSlot EMAIL field name: OutboundInterfaceDetailsSlot HTTPS field name: OutboundInterfaceDetailsSlot LEEF field name: OutboundInterfaceDetailsSlot |
outbound_if_details.type.value
(OUTBOUND INTERFACE DETAILS TYPE)
|
The type of interface to which the network traffic was sent.
CEF field name: PanOSOutboundInterfaceDetailsType EMAIL field name: OutboundInterfaceDetailsType HTTPS field name: OutboundInterfaceDetailsType LEEF field name: OutboundInterfaceDetailsType |
outbound_if_details.unit
(OUTBOUND INTERFACE DETAILS UNIT)
|
Internal use.
CEF field name: PanOSOutboundInterfaceDetailsUnit EMAIL field name: OutboundInterfaceDetailsUnit HTTPS field name: OutboundInterfaceDetailsUnit LEEF field name: OutboundInterfaceDetailsUnit |
panorama_serial
(PANORAMA SN)
|
Serial number of the Panorama appliance associated with the Cortex Data Lake (CDL) instance.
CEF field name: PanOSPanoramaSN EMAIL field name: PanoramaSN HTTPS field name: PanoramaSN LEEF field name: PanoramaSN |
parent_session_id
(PARENT SESSION ID)
|
ID of the session in which this network traffic was tunneled.
Syslog field name: Syslog Field Order CEF field name: PanOSParentSessionID EMAIL field name: ParentSessionID HTTPS field name: ParentSessionID LEEF field name: ParentSessionID |
parent_start_time
(PARENT START TIME)
|
Time that the parent session began. This string contains a timestamp value that is the
number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order CEF field name: PanOSParentStartTime EMAIL field name: ParentStartTime HTTPS field name: ParentStartTime LEEF field name: ParentStartTime |
partial_hash
(PARTIAL HASH)
|
Machine learning partial hash.
Syslog field name: Syslog Field Order CEF field name: PanOSPartialHash EMAIL field name: PartialHash HTTPS field name: PartialHash LEEF field name: PartialHash |
pcap
(PACKET)
|
Packet that triggered the firewall to generate this log record.
CEF field name: PanOSPacket EMAIL field name: Packet HTTPS field name: Packet LEEF field name: Packet |
pcap_id
(PACKET ID)
|
Packet capture ID. Used to correlate threat pcap files with extended pcaps taken as a part of the session flow.
Syslog field name: Syslog Field Order CEF field name: fileId EMAIL field name: PacketID HTTPS field name: PacketID LEEF field name: PacketID |
platform_type
(PLATFORM TYPE)
|
The platform type (Valid types are VM, PA, NGFW, CNGFW).
CEF field name: PlatformType EMAIL field name: PlatformType HTTPS field name: PlatformType LEEF field name: PlatformType |
pod_name
(CONTAINER NAME)
|
Container name.
Syslog field name: Syslog Field Order CEF field name: PanOSContainerName EMAIL field name: ContainerName HTTPS field name: ContainerName LEEF field name: ContainerName |
pod_namespace
(CONTAINER NAME SPACE)
|
Container namespace.
Syslog field name: Syslog Field Order CEF field name: PanOSContainerNameSpace EMAIL field name: ContainerNameSpace HTTPS field name: ContainerNameSpace LEEF field name: ContainerNameSpace |
profile_name
(PROFILE NAME)
|
Data filtering profile name.
CEF field name: PanOSProfileName EMAIL field name: ProfileName HTTPS field name: ProfileName LEEF field name: ProfileName |
| protocol.value (PROTOCOL) | IP protocol associated with the session. Syslog field name: Syslog Field Order; CEF field name: proto; EMAIL field name: Protocol; HTTPS field name: Protocol; LEEF field name: proto |
| reason_data_filtering (REASON FOR DATA FILTERING ACTION) | Reason for the data filtering action. Syslog field name: Syslog Field Order; CEF field name: PanOSReasonForDataFilteringAction; EMAIL field name: ReasonForDataFilteringAction; HTTPS field name: ReasonForDataFilteringAction; LEEF field name: ReasonForDataFilteringAction |
| report_id (REPORT ID) | Identifies the analysis requested from the sandbox (cloud or appliance). Syslog field name: Syslog Field Order; CEF field name: PanOSReportID; EMAIL field name: ReportID; HTTPS field name: ReportID; LEEF field name: ReportID |
| risk_of_app (APPLICATION RISK) | Indicates how risky the application is from a network security perspective. CEF field name: PanOSApplicationRisk; EMAIL field name: ApplicationRisk; HTTPS field name: ApplicationRisk; LEEF field name: ApplicationRisk |
| rule_matched (RULE) | Name of the security policy rule that the network traffic matched. Syslog field name: Syslog Field Order; CEF field name: cs1; EMAIL field name: Rule; HTTPS field name: Rule; LEEF field name: Rule |
| rule_matched_uuid (RULE UUID) | Unique identifier for the security policy rule that the network traffic matched. Syslog field name: Syslog Field Order; CEF field name: PanOSRuleUUID; EMAIL field name: RuleUUID; HTTPS field name: RuleUUID; LEEF field name: RuleUUID |
| sanctioned_state_of_app (SANCTIONED STATE OF APP) | Indicates whether the application has been flagged as sanctioned by the firewall administrator. CEF field name: PanOSSanctionedStateOfApp; EMAIL field name: SanctionedStateOfApp; HTTPS field name: SanctionedStateOfApp; LEEF field name: SanctionedStateOfApp |
| sequence_no (SEQUENCE NO) | The log entry identifier, which is incremented sequentially. Each log type has its own number space. Syslog field name: Syslog Field Order; CEF field name: externalId; EMAIL field name: SequenceNo; HTTPS field name: SequenceNo; LEEF field name: SequenceNo |
| session_id (SESSION ID) | The firewall's internal identifier for a specific network session. Syslog field name: Syslog Field Order; CEF field name: cn1; EMAIL field name: SessionID; HTTPS field name: SessionID; LEEF field name: SessionID |
| severity (SEVERITY) | Severity as defined by the platform. CEF field name: PanOSSeverity; EMAIL field name: Severity; HTTPS field name: Severity; LEEF field name: Severity |
| sig_flags (SIG FLAGS) | Internal use only. Syslog field name: Syslog Field Order; CEF field name: PanOSSigFlags; EMAIL field name: SigFlags; HTTPS field name: SigFlags; LEEF field name: SigFlags |
| source_device_category (SOURCE DEVICE CATEGORY) | Category of the device from which the session originated. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceDeviceCategory; EMAIL field name: SourceDeviceCategory; HTTPS field name: SourceDeviceCategory; LEEF field name: SourceDeviceCategory |
| source_device_class (SOURCE DEVICE CLASS) | Class of the device from which the session originated. CEF field name: PanOSSourceDeviceClass; EMAIL field name: SourceDeviceClass; HTTPS field name: SourceDeviceClass; LEEF field name: SourceDeviceClass |
| source_device_host (SOURCE DEVICE HOST) | Hostname of the device from which the session originated. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceDeviceHost; EMAIL field name: SourceDeviceHost; HTTPS field name: SourceDeviceHost; LEEF field name: SourceDeviceHost |
| source_device_mac (SOURCE DEVICE MAC) | MAC address of the device from which the session originated. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceDeviceMac; EMAIL field name: SourceDeviceMac; HTTPS field name: SourceDeviceMac; LEEF field name: SourceDeviceMac |
| source_device_model (SOURCE DEVICE MODEL) | Model of the device from which the session originated. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceDeviceModel; EMAIL field name: SourceDeviceModel; HTTPS field name: SourceDeviceModel; LEEF field name: SourceDeviceModel |
| source_device_os (SOURCE DEVICE OS) | OS type of the device from which the session originated. CEF field name: PanOSSourceDeviceOS; EMAIL field name: SourceDeviceOS; HTTPS field name: SourceDeviceOS; LEEF field name: SourceDeviceOS |
| source_device_osfamily (SOURCE DEVICE OS FAMILY) | OS family of the device from which the session originated. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceDeviceOSFamily; EMAIL field name: SourceDeviceOSFamily; HTTPS field name: SourceDeviceOSFamily; LEEF field name: SourceDeviceOSFamily |
| source_device_osversion (SOURCE DEVICE OS VERSION) | OS version of the device from which the session originated. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceDeviceOSVersion; EMAIL field name: SourceDeviceOSVersion; HTTPS field name: SourceDeviceOSVersion; LEEF field name: SourceDeviceOSVersion |
| source_device_profile (SOURCE DEVICE PROFILE) | Profile of the device from which the session originated. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceDeviceProfile; EMAIL field name: SourceDeviceProfile; HTTPS field name: SourceDeviceProfile; LEEF field name: SourceDeviceProfile |
| source_device_vendor (SOURCE DEVICE VENDOR) | Vendor of the device from which the session originated. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceDeviceVendor; EMAIL field name: SourceDeviceVendor; HTTPS field name: SourceDeviceVendor; LEEF field name: SourceDeviceVendor |
| source_dynamic_address_group (SOURCE DYNAMIC ADDRESS GROUP) | The dynamic address group that Device-ID identifies as the source of the traffic. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceDynamicAddressGroup; EMAIL field name: SourceDynamicAddressGroup; HTTPS field name: SourceDynamicAddressGroup; LEEF field name: SourceDynamicAddressGroup |
| source_edl (SOURCE EDL) | The name of the external dynamic list that contains the source IP address of the traffic. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceEDL; EMAIL field name: SourceEDL; HTTPS field name: SourceEDL; LEEF field name: SourceEDL |
| source_ip.value (SOURCE ADDRESS) | Original source IP address. Syslog field name: Syslog Field Order; EMAIL field name: SourceAddress; HTTPS field name: SourceAddress; LEEF field name: src |
| source_location (SOURCE LOCATION) | Source country, or internal region for private addresses. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceLocation; EMAIL field name: SourceLocation; HTTPS field name: SourceLocation; LEEF field name: SourceLocation |
| source_port (SOURCE PORT) | Source port used by the session. Syslog field name: Syslog Field Order; CEF field name: spt; EMAIL field name: SourcePort; HTTPS field name: SourcePort; LEEF field name: srcPort |
| source_user (SOURCE USER) | The username that initiated the network traffic. Syslog field name: Syslog Field Order; CEF field name: suser; EMAIL field name: SourceUser; HTTPS field name: SourceUser; LEEF field name: usrName |
| source_user_info.domain (SOURCE USER DOMAIN) | Domain to which the Source User belongs. CEF field name: sntdom; EMAIL field name: SourceUserDomain; HTTPS field name: SourceUserDomain; LEEF field name: SourceUserDomain |
| source_user_info.name (SOURCE USER NAME) | The Source User, that is, the username that initiated the network traffic. CEF field name: suser; EMAIL field name: SourceUserName; HTTPS field name: SourceUserName; LEEF field name: SourceUserName |
| source_user_info.uuid (SOURCE USER UUID) | Unique identifier assigned to the Source User. CEF field name: suid; EMAIL field name: SourceUserUUID; HTTPS field name: SourceUserUUID; LEEF field name: SourceUserUUID |
| source_uuid (SOURCE UUID) | The source universal unique identifier of a guest virtual machine in a VMware NSX environment. Syslog field name: Syslog Field Order; CEF field name: PanOSSourceUUID; EMAIL field name: SourceUUID; HTTPS field name: SourceUUID; LEEF field name: SourceUUID |
| sub_type.value (SUB TYPE) | Identifies the log subtype. Syslog field name: Syslog Field Order; CEF field name: Name; EMAIL field name: SubType; HTTPS field name: SubType; LEEF field name: SubType |
| technology_of_app (APPLICATION TECHNOLOGY) | The networking technology used by the identified application. CEF field name: PanOSApplicationTechnology; EMAIL field name: ApplicationTechnology; HTTPS field name: ApplicationTechnology; LEEF field name: ApplicationTechnology |
| threat_category.value (THREAT CATEGORY) | Threat category of the detected threat. CEF field name: PanOSThreatCategory; EMAIL field name: ThreatCategory; HTTPS field name: ThreatCategory; LEEF field name: ThreatCategory |
| threat_name_firewall (THREAT NAME FIREWALL) | Threat name as written by the firewall. CEF field name: PanOSThreatNameFirewall; EMAIL field name: ThreatNameFirewall; HTTPS field name: ThreatNameFirewall; LEEF field name: ThreatNameFirewall |
| time_generated (TIME GENERATED) | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. Syslog field name: Syslog Field Order; CEF field name: start; EMAIL field name: TimeGenerated; HTTPS field name: TimeGenerated; LEEF field name: devTime |
| time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. Syslog field name: Syslog Field Order; CEF field name: PanOSTimeGeneratedHighResolution; EMAIL field name: TimeGeneratedHighResolution; HTTPS field name: TimeGeneratedHighResolution; LEEF field name: TimeGeneratedHighResolution |
| to_zone (TO ZONE) | Networking zone to which the traffic was sent. Syslog field name: Syslog Field Order; CEF field name: cs5; EMAIL field name: ToZone; HTTPS field name: ToZone; LEEF field name: ToZone |
| tunnel.value (TUNNEL) | Type of tunnel. Syslog field name: Syslog Field Order; CEF field name: PanOSTunnel; EMAIL field name: Tunnel; HTTPS field name: Tunnel; LEEF field name: Tunnel |
| tunneled_app (TUNNELED APPLICATION) | For internal use only. CEF field name: PanOSTunneledApplication; EMAIL field name: TunneledApplication; HTTPS field name: TunneledApplication; LEEF field name: TunneledApplication |
| tunnelid_imsi (IMSI) | ID of the tunnel being inspected, or the International Mobile Subscriber Identity (IMSI) ID of the mobile user. Syslog field name: Syslog Field Order; CEF field name: PanOSIMSI; EMAIL field name: IMSI; HTTPS field name: IMSI; LEEF field name: IMSI |
| url_category.value (URL CATEGORY) | The URL category. Syslog field name: Syslog Field Order; CEF field name: cs2; EMAIL field name: URLCategory; HTTPS field name: URLCategory; LEEF field name: URLCategory |
| users (USERS) | Source or destination user. If neither is available, source_ip is used. CEF field name: PanOSUsers; EMAIL field name: Users; HTTPS field name: Users; LEEF field name: Users |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. CEF field name: Device Vendor; EMAIL field name: VendorName; HTTPS field name: VendorName; LEEF field name: Vendor |
| vendor_severity.value (VENDOR SEVERITY) | Severity associated with the event. Syslog field name: Syslog Field Order; CEF field name: PanOSVendorSeverity; EMAIL field name: VendorSeverity; HTTPS field name: VendorSeverity; LEEF field name: VendorSeverity |
| vsys (VIRTUAL LOCATION) | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. Syslog field name: Syslog Field Order; CEF field name: cs3; EMAIL field name: VirtualLocation; HTTPS field name: VirtualLocation; LEEF field name: VirtualLocation |
| vsys_id (VIRTUAL SYSTEM ID) | A unique identifier for a virtual system on a Palo Alto Networks firewall. CEF field name: PanOSVirtualSystemID; EMAIL field name: VirtualSystemID; HTTPS field name: VirtualSystemID; LEEF field name: VirtualSystemID |
| vsys_name (VIRTUAL SYSTEM NAME) | The name of the virtual system associated with the network traffic. Syslog field name: Syslog Field Order; CEF field name: PanOSVirtualSystemName; EMAIL field name: VirtualSystemName; HTTPS field name: VirtualSystemName; LEEF field name: VirtualSystemName |
| xff_ip.value (X-FORWARDED-FOR IP) | X-Forwarded-For IP address. Syslog field name: Syslog Field Order; CEF field name: PanOSX-Forwarded-ForIP; EMAIL field name: X-Forwarded-ForIP; HTTPS field name: X-Forwarded-ForIP; LEEF field name: X-Forwarded-ForIP |