Focus
Focus
Table of Contents

File

Represents a file transfer across the network. These log records can represent either a successful transfer, or an attempted transfer that was blocked by the firewall.
See the following for information related to supported log formats:
FILE Field
(Display Name)
Description
action.​value
(ACTION)
Identifies the action that the firewall took for the network traffic.
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action
app
(APPLICATION)
Application associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: app
EMAIL field name: Application
HTTPS field name: Application
LEEF field name: Application
app_category
(APPLICATION CATEGORY)
Identifies the high-level family of the application.
CEF field name: PanOSApplicationCategory
EMAIL field name: ApplicationCategory
HTTPS field name: ApplicationCategory
LEEF field name: ApplicationCategory
app_sub_category
(APPLICATION SUBCATEGORY)
Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category.
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory
cloud_hostname
(CLOUD HOSTNAME)
The hostname in which the VM-series firewall is running.
CEF field name: PanOSCloudHostname
EMAIL field name: CloudHostname
HTTPS field name: CloudHostname
LEEF field name: CloudHostname
cloud_reportid
(CLOUD REPORTID)
Unique 32 character ID for a file scanned by the DLP cloud service sent by a firewall running PAN-OS 10.2.0.
The same Cloud Report ID is displayed for a file the DLP cloud service has already scanned and generated a Cloud Report ID for.
CEF field name: PanOSCloudReportID
EMAIL field name: CloudReportID
HTTPS field name: CloudReportID
LEEF field name: CloudReportID
config_version.​value
(CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion
container_id
(CONTAINER ID)
Unknown field. No information is available at this time.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerID
EMAIL field name: ContainerID
HTTPS field name: ContainerID
LEEF field name: ContainerID
container_of_app
(APPLICATION CONTAINER)
Identifies the managing application or parent of the application associated with this network traffic.
EMAIL field name: ApplicationContainer
HTTPS field name: ApplicationContainer
LEEF field name: ApplicationContainer
content_version
(CONTENT VERSION)
Applications and Threats version installed on the firewall when the log was generated.
Syslog field name: Syslog Field Order
CEF field name: PanOSContentVersion
EMAIL field name: ContentVersion
HTTPS field name: ContentVersion
LEEF field name: ContentVersion
count_of_repeats
(REPEAT COUNT)
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: RepeatCount
HTTPS field name: RepeatCount
LEEF field name: RepeatCount
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID
dest_device_category
(DESTINATION DEVICE CATEGORY)
Category of the device to which the session was directed.
Syslog field name: Syslog Field Order
EMAIL field name: DestinationDeviceCategory
HTTPS field name: DestinationDeviceCategory
LEEF field name: DestinationDeviceCategory
dest_device_class
(DESTINATION DEVICE CLASS)
Destination device class.
EMAIL field name: DestinationDeviceClass
HTTPS field name: DestinationDeviceClass
LEEF field name: DestinationDeviceClass
dest_device_host
(DESTINATION DEVICE HOST)
Hostname of the device to which the session was directed.
Syslog field name: Syslog Field Order
EMAIL field name: DestinationDeviceHost
HTTPS field name: DestinationDeviceHost
LEEF field name: DestinationDeviceHost
dest_device_mac
(DESTINATION DEVICE MAC)
MAC Address of the device to which the session was directed.
Syslog field name: Syslog Field Order
EMAIL field name: DestinationDeviceMac
HTTPS field name: DestinationDeviceMac
LEEF field name: DestinationDeviceMac
dest_device_model
(DESTINATION DEVICE MODEL)
Model of the device to which the session was directed.
Syslog field name: Syslog Field Order
EMAIL field name: DestinationDeviceModel
HTTPS field name: DestinationDeviceModel
LEEF field name: DestinationDeviceModel
dest_device_os
(DESTINATION DEVICE OS)
Destination device OS type.
CEF field name: PanOSDestinationDeviceOS
EMAIL field name: DestinationDeviceOS
HTTPS field name: DestinationDeviceOS
LEEF field name: DestinationDeviceOS
dest_device_osfamily
(DESTINATION DEVICE OS FAMILY)
OS family of the device to which the session was directed.
Syslog field name: Syslog Field Order
EMAIL field name: DestinationDeviceOSFamily
HTTPS field name: DestinationDeviceOSFamily
LEEF field name: DestinationDeviceOSFamily
dest_device_osversion
(DESTINATION DEVICE OS VERSION)
OS version of the device to which the session was directed.
Syslog field name: Syslog Field Order
EMAIL field name: DestinationDeviceOSVersion
HTTPS field name: DestinationDeviceOSVersion
dest_device_profile
(DESTINATION DEVICE PROFILE)
Profile of the device to which the session was directed.
Syslog field name: Syslog Field Order
EMAIL field name: DestinationDeviceProfile
HTTPS field name: DestinationDeviceProfile
LEEF field name: DestinationDeviceProfile
dest_device_vendor
(DESTINATION DEVICE VENDOR)
Vendor of the device to which the session was directed.
Syslog field name: Syslog Field Order
EMAIL field name: DestinationDeviceVendor
HTTPS field name: DestinationDeviceVendor
LEEF field name: DestinationDeviceVendor
dest_dynamic_address_group
(DESTINATION DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the destination for the traffic.
Syslog field name: Syslog Field Order
dest_edl
(DESTINATION EDL)
The name of the external dynamic list that contains the destination IP address of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationEDL
EMAIL field name: DestinationEDL
HTTPS field name: DestinationEDL
LEEF field name: DestinationEDL
dest_ip.​value
(DESTINATION ADDRESS)
Original destination IP address.
Syslog field name: Syslog Field Order
CEF fields: dst or c6a3
EMAIL field name: DestinationAddress
HTTPS field name: DestinationAddress
LEEF field name: dst
dest_location
(DESTINATION LOCATION)
Destination country or internal region for private addresses.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationLocation
EMAIL field name: DestinationLocation
HTTPS field name: DestinationLocation
LEEF field name: DestinationLocation
dest_port
(DESTINATION PORT)
Network traffic's destination port. If this value is 0, then the app is using its standard port.
Syslog field name: Syslog Field Order
CEF field name: dpt
EMAIL field name: DestinationPort
HTTPS field name: DestinationPort
LEEF field name: dstPort
dest_user
(DESTINATION USER)
The username to which the network traffic was destined.
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: DestinationUser
HTTPS field name: DestinationUser
LEEF field name: DestinationUser
dest_user_info.​domain
(DESTINATION USER DOMAIN)
Domain to which the Destination User belongs.
CEF field name: dntdom
EMAIL field name: DestinationUserDomain
HTTPS field name: DestinationUserDomain
LEEF field name: DestinationUserDomain
dest_user_info.​name
(DESTINATION USER NAME)
The Destination User. That is, the username to which the network traffic was destined.
CEF field name: dusername, duser
EMAIL field name: DestinationUserName
HTTPS field name: DestinationUserName
LEEF field name: DestinationUserName
dest_user_info.​uuid
(DESTINATION USER UUID)
Unique identifier assigned to the Destination User.
CEF field name: duid
EMAIL field name: DestinationUserUUID
HTTPS field name: DestinationUserUUID
LEEF field name: DestinationUserUUID
dest_uuid
(DESTINATION UUID)
Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationUUID
EMAIL field name: DestinationUUID
HTTPS field name: DestinationUUID
LEEF field name: DestinationUUID
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4
direction_of_attack.​value
(DIRECTION OF ATTACK)
Indicates the direction of the attack.
Syslog field name: Syslog Field Order
CEF field name: flexString2
EMAIL field name: DirectionOfAttack
HTTPS field name: DirectionOfAttack
LEEF field name: DirectionOfAttack
dlp_version_flag
(DLP VERSION FLAG)
Indicates whether these are old or new data filtering logs.
CEF field name: PanOSDLPVersionFlag
EMAIL field name: DLPVersionFlag
HTTPS field name: DLPVersionFlag
LEEF field name: DLPVersionFlag
domain_edl
(DOMAIN EDL)
Domain External Dynamic List. That is, the name of the external dynamic list that contains the destination domain of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSDomainEDL
EMAIL field name: DomainEDL
HTTPS field name: DomainEDL
LEEF field name: DomainEDL
dynusergroup_name
(DYNAMIC USER GROUP)
Dynamic user group of the user who initiated the network connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSDynamicUserGroup
EMAIL field name: DynamicUserGroup
HTTPS field name: DynamicUserGroup
LEEF field name: DynamicUserGroup
endpoint_serial_number
(ENDPOINT SERIAL NUMBER)
Serial number of the host on which GlobalProtect is installed.
Syslog field name: Syslog Field Order
EMAIL field name: EndpointSerialNumber
HTTPS field name: EndpointSerialNumber
LEEF field name: EndpointSerialNumber
file_name
(FILE NAME)
The name of the file that is blocked.
Syslog field name: Syslog Field Order
CEF field name: filePath
EMAIL field name: FileName
HTTPS field name: FileName
LEEF field name: FileName
file_sha_256
(FILE HASH)
The binary hash (SHA256) of the file.
Syslog field name: Syslog Field Order
CEF field name: PanOSFileHash
EMAIL field name: FileHash
HTTPS field name: FileHash
LEEF field name: FileHash
file_type
(FILE TYPE)
Palo Alto Networks textual identifier for the threat.
CEF field name: PanOSFileType
EMAIL field name: FileType
HTTPS field name: FileType
LEEF field name: EventID
file_url
(FILE URL)
File URL.
CEF field name: PanOSFileURL
EMAIL field name: FileURL
HTTPS field name: FileURL
LEEF field name: FileURL
from_zone
(FROM ZONE)
The networking zone from which the traffic originated.
Syslog field name: Syslog Field Order
CEF field name: cs4
EMAIL field name: FromZone
HTTPS field name: FromZone
LEEF field name: FromZone
gp_host_id
(HOST ID)
A unique ID that GlobalProtect assigns to identify the host.
Syslog field name: Syslog Field Order
CEF field name: PanOSHostID
EMAIL field name: HostID
HTTPS field name: HostID
LEEF field name: HostID
http2_connection
(HTTP2 CONNECTION)
Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0.
Syslog field name: Syslog Field Order
CEF field name: PanOSHTTP2Connection
EMAIL field name: HTTP2Connection
HTTPS field name: HTTP2Connection
LEEF field name: HTTP2Connection
inbound_if.​value
(INBOUND INTERFACE)
Interface from which the network traffic was sourced.
Syslog field name: Syslog Field Order
CEF field name: deviceInboundInterface
EMAIL field name: InboundInterface
HTTPS field name: InboundInterface
LEEF field name: InboundInterface
inbound_if_details.​port
(INBOUND INTERFACE DETAILS PORT)
Hardware port or socket from which the network traffic was sourced.
EMAIL field name: InboundInterfaceDetailsPort
HTTPS field name: InboundInterfaceDetailsPort
inbound_if_details.​slot
(INBOUND INTERFACE DETAILS SLOT)
Interface slot from which the network traffic was sourced.
EMAIL field name: InboundInterfaceDetailsSlot
HTTPS field name: InboundInterfaceDetailsSlot
inbound_if_details.​type.​value
(INBOUND INTERFACE DETAILS TYPE)
The type of interface from which the network traffic was sourced.
EMAIL field name: InboundInterfaceDetailsType
HTTPS field name: InboundInterfaceDetailsType
inbound_if_details.​unit
(INBOUND INTERFACE DETAILS UNIT)
Internal use.
EMAIL field name: InboundInterfaceDetailsUnit
HTTPS field name: InboundInterfaceDetailsUnit
is_captive_portal
(CAPTIVE PORTAL)
Indicates if user information for the session was captured through Captive Portal.
CEF field name: PanOSCaptivePortal
EMAIL field name: CaptivePortal
HTTPS field name: CaptivePortal
LEEF field name: CaptivePortal
is_client_to_server
(IS CLIENT TO SERVER)
Indicates if direction of traffic is from client to server.
CEF field name: PanOSIsClienttoServer
EMAIL field name: IsClienttoServer
HTTPS field name: IsClienttoServer
LEEF field name: IsClienttoServer
is_container
(IS CONTAINER)
Indicates if the session is a container page access (Container Page).
CEF field name: PanOSIsContainer
EMAIL field name: IsContainer
HTTPS field name: IsContainer
LEEF field name: IsContainer
is_decrypt_mirror
(IS DECRYPT MIRROR)
Indicates whether decrypted traffic was sent out in clear text through a mirror port.
CEF field name: PanOSIsDecryptMirror
EMAIL field name: IsDecryptMirror
HTTPS field name: IsDecryptMirror
LEEF field name: IsDecryptMirror
is_decrypted
(IS DECRYPTED)
Flag that indicates that the session is decrypted.
CEF field name: PanOSIsDecrypted
EMAIL field name: IsDecrypted
HTTPS field name: IsDecrypted
LEEF field name: IsDecrypted
is_dup_log
(IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog
is_encrypted
(IS ENCRYPTED)
Flag that indicates that the session is encrypted.
CEF field name: PanOSIsEncrypted
EMAIL field name: IsEncrypted
HTTPS field name: IsEncrypted
LEEF field name: IsEncrypted
is_exported
(LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported
is_forwarded
(LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded
is_ipv6
(IS IPV6)
Indicates whether IPV6 was used for the session.
CEF field name: PanOSIsIPV6
EMAIL field name: IsIPV6
HTTPS field name: IsIPV6
LEEF field name: IsIPV6
is_mptcp_on
(IS MPTCP ON)
Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
CEF field name: PanOSIsMptcpOn
EMAIL field name: IsMptcpOn
HTTPS field name: IsMptcpOn
LEEF field name: IsMptcpOn
is_nat
(NAT)
Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
CEF field name: PanOSNAT
EMAIL field name: NAT
HTTPS field name: NAT
LEEF field name: NAT
is_non_std_dest_port
(IS NON STANDARD DESTINATION PORT)
Indicates if the destination port is non-standard.
is_packet_capture
(IS PACKET CAPTURE)
Indicates whether the session has a packet capture (PCAP).
CEF field name: PanOSIsPacketCapture
EMAIL field name: IsPacketCapture
HTTPS field name: IsPacketCapture
LEEF field name: IsPacketCapture
is_phishing
(IS PHISHING)
Indicates whether enterprise credentials were submitted by an end user.
CEF field name: PanOSIsPhishing
EMAIL field name: IsPhishing
HTTPS field name: IsPhishing
LEEF field name: IsPhishing
is_prisma_branch
(IS PRISMA NETWORK)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetwork
EMAIL field name: IsPrismaNetwork
HTTPS field name: IsPrismaNetwork
LEEF field name: IsPrismaNetwork
is_prisma_mobile
(IS PRISMA USERS)
Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers
is_proxy
(IS PROXY)
Indicates whether the SSL session is decrypted (SSL Proxy).
CEF field name: PanOSIsProxy
EMAIL field name: IsProxy
HTTPS field name: IsProxy
LEEF field name: IsProxy
is_recon_excluded
(IS RECON EXCLUDED)
Indicates whether source for the flow is on the firewall allow list and not subject to recon protection.
CEF field name: PanOSIsReconExcluded
EMAIL field name: IsReconExcluded
HTTPS field name: IsReconExcluded
LEEF field name: IsReconExcluded
is_saas_app
(IS SAAS APPLICATION)
Internal use field. Indicates whether the application associated with this network traffic is a SAAS application.
CEF field name: PanOSIsSaaSApplication
EMAIL field name: IsSaaSApplication
HTTPS field name: IsSaaSApplication
LEEF field name: IsSaaSApplication
is_server_to_client
(IS SERVER TO CLIENT)
Indicates if direction of traffic is from server to client.
CEF field name: PanOSIsServertoClient
EMAIL field name: IsServertoClient
HTTPS field name: IsServertoClient
LEEF field name: IsServertoClient
is_source_x_fwded
(IS SOURCE X FORWARDED)
Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
CEF field name: PanOSIsSourceXForwarded
EMAIL field name: IsSourceXForwarded
HTTPS field name: IsSourceXForwarded
LEEF field name: IsSourceXForwarded
is_sym_return
(IS SYSTEM RETURN)
Indicates whether symmetric return was used to forward traffic for this session.
CEF field name: PanOSIsSystemReturn
EMAIL field name: IsSystemReturn
HTTPS field name: IsSystemReturn
LEEF field name: IsSystemReturn
is_transaction
(IS TRANSACTION)
Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
CEF field name: PanOSIsTransaction
EMAIL field name: IsTransaction
HTTPS field name: IsTransaction
LEEF field name: IsTransaction
is_tunnel_inspected
(IS TUNNEL INSPECTED)
Indicates whether the payload for the outer tunnel was inspected.
CEF field name: PanOSIsTunnelInspected
EMAIL field name: IsTunnelInspected
HTTPS field name: IsTunnelInspected
LEEF field name: IsTunnelInspected
is_url_denied
(IS URL DENIED)
Indicates whether the session was denied due to a URL filtering rule.
CEF field name: PanOSIsURLDenied
EMAIL field name: IsURLDenied
HTTPS field name: IsURLDenied
LEEF field name: IsURLDenied
justification
(JUSTIFICATION)
Justification string.
Syslog field name: Syslog Field Order
CEF field name: PanOSJustification
EMAIL field name: Justification
HTTPS field name: Justification
LEEF field name: Justification
location
(PRISMA ACCESS LOCATION)
Prisma Access Region/Location.
CEF field name: PanOSLocation
EMAIL field name: Location
HTTPS field name: Location
LEEF field name: Location
log_set
(LOG SETTING)
Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
Syslog field name: Syslog Field Order
CEF field name: cs6
EMAIL field name: LogSetting
HTTPS field name: LogSetting
LEEF field name: LogSetting
log_source
(LOG SOURCE)
Identifies the origin of the data - the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_group_id
(LOG SOURCE GROUP ID)
ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log - serial number of the firewall that generated the log.
If the log is generated by Prisma Access, the serial number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log - hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.​value
(LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
monitor_tag_imei
(IMEI)
A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
Syslog field name: Syslog Field Order
CEF field name: PanOSIMEI
EMAIL field name: IMEI
HTTPS field name: IMEI
LEEF field name: IMEI
nat_dest.​value
(NAT DESTINATION)
If destination NAT performed, the post-NAT destination IP address.
Syslog field name: Syslog Field Order
EMAIL field name: NATDestination
HTTPS field name: NATDestination
LEEF field name: dstPostNAT
nat_dest_port
(NAT DESTINATION PORT)
Post-NAT destination port.
Syslog field name: Syslog Field Order
EMAIL field name: NATDestinationPort
HTTPS field name: NATDestinationPort
LEEF field name: dstPostNATPort
nat_source.​value
(NAT SOURCE)
If source NAT was performed, the post-NAT source IP address.
Syslog field name: Syslog Field Order
CEF field name: sourceTranslatedAddress
EMAIL field name: NATSource
HTTPS field name: NATSource
LEEF field name: srcPostNAT
nat_source_port
(NAT SOURCE PORT)
Post-NAT source port.
Syslog field name: Syslog Field Order
CEF field name: sourceTranslatedPort
EMAIL field name: NATSourcePort
HTTPS field name: NATSourcePort
LEEF field name: srcPostNATPort
non_standard_dest_port
(NON STANDARD DESTINATION PORT)
Identifies the non-standard or unexpected port used by the application associated with this session.
EMAIL field name: NonStandardDestinationPort
HTTPS field name: NonStandardDestinationPort
nssai_network_slice_type.​value
(NSSAI NETWORK SLICE TYPE)
Network Slice Type (SST part of SNSSAI).
Syslog field name: Syslog Field Order
EMAIL field name: NSSAINetworkSliceType
HTTPS field name: NSSAINetworkSliceType
LEEF field name: NSSAINetworkSliceType
outbound_if.​value
(OUTBOUND INTERFACE)
Interface to which the network traffic was destined.
Syslog field name: Syslog Field Order
CEF field name: deviceOutboundInterface
EMAIL field name: OutboundInterface
HTTPS field name: OutboundInterface
LEEF field name: OutboundInterface
outbound_if_details.​port
(OUTBOUND INTERFACE DETAILS PORT)
Hardware port or socket to which the network traffic was sent.
outbound_if_details.​slot
(OUTBOUND INTERFACE DETAILS SLOT)
Interface slot to which the network traffic was sent.
outbound_if_details.​type.​value
(OUTBOUND INTERFACE DETAILS TYPE)
The type of interface to which the network traffic was sent.
outbound_if_details.​unit
(OUTBOUND INTERFACE DETAILS UNIT)
Internal use.
panorama_serial
(PANORAMA SN)
Panorama Serial associated with CDL.
CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN
parent_session_id
(PARENT SESSION ID)
ID of the session in which this network traffic was tunneled.
Syslog field name: Syslog Field Order
CEF field name: PanOSParentSessionID
EMAIL field name: ParentSessionID
HTTPS field name: ParentSessionID
LEEF field name: ParentSessionID
parent_start_time
(PARENT START TIME)
Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: PanOSParentStartTime
EMAIL field name: ParentStartTime
HTTPS field name: ParentStartTime
LEEF field name: ParentStartTime
partial_hash
(PARTIAL HASH)
Machine learning partial hash.
Syslog field name: Syslog Field Order
CEF field name: PanOSPartialHash
EMAIL field name: PartialHash
HTTPS field name: PartialHash
LEEF field name: PartialHash
pcap
(PACKET)
Packet that triggered the firewall to generate this threat log record.
CEF field name: PanOSPacket
EMAIL field name: Packet
HTTPS field name: Packet
LEEF field name: Packet
pcap_id
(PACKET ID)
Packet capture ID. Used to correlate threat pcap files with extended pcaps taken as a part of the session flow.
Syslog field name: Syslog Field Order
CEF field name: fileId
EMAIL field name: PacketID
HTTPS field name: PacketID
LEEF field name: PacketID
platform_type
(PLATFORM TYPE)
The platform type (Valid types are VM, PA, NGFW, CNGFW).
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
pod_name
(CONTAINER NAME)
Container name.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerName
EMAIL field name: ContainerName
HTTPS field name: ContainerName
LEEF field name: ContainerName
pod_namespace
(CONTAINER NAME SPACE)
Container namespace.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerNameSpace
EMAIL field name: ContainerNameSpace
HTTPS field name: ContainerNameSpace
LEEF field name: ContainerNameSpace
profile_name
(PROFILE NAME)
Data filtering profile name.
CEF field name: PanOSProfileName
EMAIL field name: ProfileName
HTTPS field name: ProfileName
LEEF field name: ProfileName
protocol.​value
(PROTOCOL)
IP protocol associated with the session.
Syslog field name: Syslog Field Order
CEF field name: proto
EMAIL field name: Protocol
HTTPS field name: Protocol
LEEF field name: proto
reason_data_filtering
(REASON FOR DATA FILTERING ACTION)
Reason for data filtering action.
Syslog field name: Syslog Field Order
report_id
(REPORT ID)
Identifies the analysis requested from the sandbox (cloud or appliance).
Syslog field name: Syslog Field Order
CEF field name: PanOSReportID
EMAIL field name: ReportID
HTTPS field name: ReportID
LEEF field name: ReportID
risk_of_app
(APPLICATION RISK)
Indicates how risky the application is from a network security perspective.
CEF field name: PanOSApplicationRisk
EMAIL field name: ApplicationRisk
HTTPS field name: ApplicationRisk
LEEF field name: ApplicationRisk
rule_matched
(RULE)
Name of the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order
CEF field name: cs1
EMAIL field name: Rule
HTTPS field name: Rule
LEEF field name: Rule
rule_matched_uuid
(RULE UUID)
Unique identifier for the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order
CEF field name: PanOSRuleUUID
EMAIL field name: RuleUUID
HTTPS field name: RuleUUID
LEEF field name: RuleUUID
sanctioned_state_of_app
(SANCTIONED STATE OF APP)
Indicates whether the application has been flagged as sanctioned by the firewall administrator.
EMAIL field name: SanctionedStateOfApp
HTTPS field name: SanctionedStateOfApp
LEEF field name: SanctionedStateOfApp
sequence_no
(SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo
session_id
(SESSION ID)
Identifies the firewall's internal identifier for a specific network session.
Syslog field name: Syslog Field Order
CEF field name: cn1
EMAIL field name: SessionID
HTTPS field name: SessionID
LEEF field name: SessionID
severity
(SEVERITY)
Severity as defined by the platform.
CEF field name: PanOSSeverity
EMAIL field name: Severity
HTTPS field name: Severity
LEEF field name: Severity
sig_flags
(SIG FLAGS)
Internal use only.
Syslog field name: Syslog Field Order
CEF field name: PanOSSigFlags
EMAIL field name: SigFlags
HTTPS field name: SigFlags
LEEF field name: SigFlags
source_device_category
(SOURCE DEVICE CATEGORY)
Category of the device from which the session originated.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDeviceCategory
HTTPS field name: SourceDeviceCategory
LEEF field name: SourceDeviceCategory
source_device_class
(SOURCE DEVICE CLASS)
Source device class.
CEF field name: PanOSSourceDeviceClass
EMAIL field name: SourceDeviceClass
HTTPS field name: SourceDeviceClass
LEEF field name: SourceDeviceClass
source_device_host
(SOURCE DEVICE HOST)
Hostname of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceHost
EMAIL field name: SourceDeviceHost
HTTPS field name: SourceDeviceHost
LEEF field name: SourceDeviceHost
source_device_mac
(SOURCE DEVICE MAC)
MAC Address of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceMac
EMAIL field name: SourceDeviceMac
HTTPS field name: SourceDeviceMac
LEEF field name: SourceDeviceMac
source_device_model
(SOURCE DEVICE MODEL)
Model of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceModel
EMAIL field name: SourceDeviceModel
HTTPS field name: SourceDeviceModel
LEEF field name: SourceDeviceModel
source_device_os
(SOURCE DEVICE OS)
Source device OS type.
CEF field name: PanOSSourceDeviceOS
EMAIL field name: SourceDeviceOS
HTTPS field name: SourceDeviceOS
LEEF field name: SourceDeviceOS
source_device_osfamily
(SOURCE DEVICE OS FAMILY)
OS family of the device from which the session originated.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDeviceOSFamily
HTTPS field name: SourceDeviceOSFamily
LEEF field name: SourceDeviceOSFamily
source_device_osversion
(SOURCE DEVICE OS VERSION)
OS version of the device from which the session originated.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDeviceOSVersion
HTTPS field name: SourceDeviceOSVersion
LEEF field name: SourceDeviceOSVersion
source_device_profile
(SOURCE DEVICE PROFILE)
Profile of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceProfile
EMAIL field name: SourceDeviceProfile
HTTPS field name: SourceDeviceProfile
LEEF field name: SourceDeviceProfile
source_device_vendor
(SOURCE DEVICE VENDOR)
Vendor of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceVendor
EMAIL field name: SourceDeviceVendor
HTTPS field name: SourceDeviceVendor
LEEF field name: SourceDeviceVendor
source_dynamic_address_group
(SOURCE DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the source of the traffic.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDynamicAddressGroup
HTTPS field name: SourceDynamicAddressGroup
LEEF field name: SourceDynamicAddressGroup
source_edl
(SOURCE EDL)
The name of the external dynamic list that contains the source IP address of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceEDL
EMAIL field name: SourceEDL
HTTPS field name: SourceEDL
LEEF field name: SourceEDL
source_ip.​value
(SOURCE ADDRESS)
Original source IP address.
Syslog field name: Syslog Field Order
CEF fields: src or c6a2
EMAIL field name: SourceAddress
HTTPS field name: SourceAddress
LEEF field name: src
source_location
(SOURCE LOCATION)
Source country or internal region for private addresses.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceLocation
EMAIL field name: SourceLocation
HTTPS field name: SourceLocation
LEEF field name: SourceLocation
source_port
(SOURCE PORT)
Source port utilized by the session.
Syslog field name: Syslog Field Order
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort
source_user
(SOURCE USER)
The username that initiated the network traffic.
Syslog field name: Syslog Field Order
CEF field name: suser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: usrName
source_user_info.​domain
(SOURCE USER DOMAIN)
Domain to which the Source User belongs.
CEF field name: sntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain
source_user_info.​name
(SOURCE USER NAME)
The Source User. That is, the username that initiated the network traffic.
CEF field name: All of the following: susername, suser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName
source_user_info.​uuid
(SOURCE USER UUID)
Unique identifier assigned to the Source User.
CEF field name: suid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID
source_uuid
(SOURCE UUID)
Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceUUID
EMAIL field name: SourceUUID
HTTPS field name: SourceUUID
LEEF field name: SourceUUID
sub_type.​value
(SUB TYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: All of the following: Subtype, SubType
HTTPS field name: All of the following: Subtype, SubType
LEEF field name: SubType
technology_of_app
(APPLICATION TECHNOLOGY)
The networking technology used by the identified application.
EMAIL field name: ApplicationTechnology
HTTPS field name: ApplicationTechnology
LEEF field name: ApplicationTechnology
threat_category.​value
(THREAT CATEGORY)
Threat category of the detected threat.
CEF field name: PanOSThreatCategory
EMAIL field name: ThreatCategory
HTTPS field name: ThreatCategory
LEEF field name: ThreatCategory
threat_name_firewall
(THREAT NAME FIREWALL)
Threat Name written by the firewall.
CEF field name: PanOSThreatNameFirewall
EMAIL field name: ThreatNameFirewall
HTTPS field name: ThreatNameFirewall
LEEF field name: ThreatNameFirewall
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
to_zone
(TO ZONE)
Networking zone to which the traffic was sent.
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone
tunnel.​value
(TUNNEL)
Type of tunnel.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnel
EMAIL field name: Tunnel
HTTPS field name: Tunnel
LEEF field name: Tunnel
tunneled_app
(TUNNELED APPLICATION)
For internal use only.
CEF field name: PanOSTunneledApplication
EMAIL field name: TunneledApplication
HTTPS field name: TunneledApplication
LEEF field name: TunneledApplication
tunnelid_imsi
(IMSI)
ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Syslog field name: Syslog Field Order
CEF field name: PanOSIMSI
EMAIL field name: IMSI
HTTPS field name: IMSI
LEEF field name: IMSI
url_category.​value
(URL CATEGORY)
The URL category.
Syslog field name: Syslog Field Order
CEF field name: cs2
EMAIL field name: URLCategory
HTTPS field name: URLCategory
LEEF field name: URLCategory
url_domain
(URL)
The name of the internet domain that was visited in this session.
CEF field name: PanOSURL
EMAIL field name: URL
HTTPS field name: URL
LEEF field name: URL
users
(USERS)
Source/Destination user. If neither is available, source_ip is used.
CEF field name: PanOSUsers
EMAIL field name: Users
HTTPS field name: Users
LEEF field name: Users
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vendor_severity.​value
(VENDOR SEVERITY)
Severity associated with the event.
Syslog field name: Syslog Field Order
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity
vsys
(VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation
vsys_id
(VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID
vsys_name
(VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName
xff_ip.​value
(X-FORWARDED-FOR IP)
X-Forwarded-For IP.
Syslog field name: Syslog Field Order
CEF field name: PanOSX-Forwarded-ForIP
EMAIL field name: X-Forwarded-ForIP
HTTPS field name: X-Forwarded-ForIP
LEEF field name: X-Forwarded-ForIP

Recommended For You