Threat logs contain entries for when network traffic matches one of the security profiles attached to a next-generation firewall security rule.
As network traffic passes through the firewall, it inspects the content contained in the traffic. Whenever this content matches a threat pattern (that is, it presents a pattern suggesting the content is a virus, or spyware, or a known vulnerability in a legitimate application), the firewall will create a Threat log.
The frequency of this pattern matching within a network session is unpredictable. Most often you will see sessions with no Threat logs, then sessions with a single Threat log, but some sessions produce many Threat logs. Remember that a network session can include multiple messages sent and received between two communicating endpoints. If these messages contain content that matches the firewall's threat patterns, each match causes the firewall to generate another Threat log.
See the following for information related to supported log formats:
(APPLICATION SUBCATEGORY)
Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category.
CEF field name: PanOSApplicationSubcategory
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory
(CLOUD REPORT ID)
Unique 32-character ID for a file scanned by the DLP cloud service, sent by a firewall running PAN-OS 10.2.0.
The same Cloud Report ID is displayed for a file that the DLP cloud service has already scanned and assigned a Cloud Report ID.
CEF field name: PanOSCloudReportID
EMAIL field name: CloudReportID
HTTPS field name: CloudReportID
LEEF field name: CloudReportID
(CORTEX DATA LAKE TENANT ID)
(DESTINATION DEVICE CATEGORY)
(DESTINATION DEVICE HOST)
(DESTINATION DEVICE MODEL)
(DESTINATION DEVICE OS FAMILY)
(DESTINATION DEVICE OS VERSION)
(DESTINATION DEVICE PROFILE)
(DESTINATION DEVICE VENDOR)
(DESTINATION DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the destination for the traffic.
CEF field name: PanOSDestinationDynamicAddressGroup
EMAIL field name: DestinationDynamicAddressGroup
HTTPS field name: DestinationDynamicAddressGroup
LEEF field name: DestinationDynamicAddressGroup
(DG HIERARCHY LEVEL 1)
(DG HIERARCHY LEVEL 2)
(DG HIERARCHY LEVEL 3)
(DG HIERARCHY LEVEL 4)
(DYNAMIC USER GROUP NAME)
(ENDPOINT SERIAL NUMBER)
(INBOUND INTERFACE DETAILS PORT)
(INBOUND INTERFACE DETAILS SLOT)
(INBOUND INTERFACE DETAILS TYPE)
(IS DUPLICATE LOG)
(IS PRISMA USERS)
(NON STANDARD DESTINATION PORT)
(OUTBOUND INTERFACE DETAILS PORT)
(OUTBOUND INTERFACE DETAILS SLOT)
(OUTBOUND INTERFACE DETAILS TYPE)
(PARENT START TIME)
Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: PanOSParentStarttime
EMAIL field name: ParentStarttime
HTTPS field name: ParentStarttime
LEEF field name: ParentStarttime
(RECIPIENT EMAIL)
Identifies the recipient of an email that the sandbox determined to be malicious when it was analyzing an email link forwarded by the firewall.
CEF field name: PanOSRecipientEmail
EMAIL field name: RecipientEmail
HTTPS field name: RecipientEmail
LEEF field name: RecipientEmail
(SANCTIONED STATE OF APP)
(SOURCE DEVICE CATEGORY)
(SOURCE DEVICE OS FAMILY)
(SOURCE DEVICE OS VERSION)
(SOURCE DYNAMIC ADDRESS GROUP)
(EMAIL SUBJECT)
Identifies the subject of an email that the sandbox determined to be malicious when it was analyzing an email link forwarded by the firewall.
CEF field name: PanOSEmailSubject
EMAIL field name: EmailSubject
HTTPS field name: EmailSubject
LEEF field name: EmailSubject
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z (the fractional part is optional).
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution
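Two representations of the same instant appear in the fields above: TimeGenerated and ParentStarttime carry microseconds since the Unix epoch, while TimeGeneratedHighResolution uses YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z with an optional fraction. The following Python is an added example, not Palo Alto Networks code: it parses both forms with integer arithmetic (no float timestamp rounding), derives how long the parent session had been open when the Threat log fired, and cross-checks that the two TimeGenerated representations agree. The sample records and their space-separated key=value layout are constructed for this example and are not a real feed serialisation.

```python
import re
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Layout from the page: YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z, fraction optional.
HIGH_RES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?Z$")

# Constructed sample entries using the HTTPS field names from the page; the
# space-separated key=value serialisation is an assumption for this example.
SAMPLE_RECORDS = [
    "TimeGenerated=1700000000123456 TimeGeneratedHighResolution=2023-11-14T22:13:20.123456Z ParentStarttime=1700000000000000",
    "TimeGenerated=1700000005000000 TimeGeneratedHighResolution=2023-11-14T22:13:25Z ParentStarttime=1700000000000000",
]

def parse_epoch_micros(value: str) -> datetime:
    """Microseconds since the Unix epoch (TimeGenerated, ParentStarttime).
    Adding a timedelta of integer microseconds avoids float precision loss."""
    return UNIX_EPOCH + timedelta(microseconds=int(value))

def parse_high_resolution(value: str) -> datetime:
    """YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z; a short fraction is right-padded to 6 digits."""
    m = HIGH_RES_RE.match(value)
    if not m:
        raise ValueError(f"not a TimeGeneratedHighResolution value: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0").ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def parse_record(line: str) -> dict:
    """Split a constructed key=value line into a field dictionary."""
    return dict(field.split("=", 1) for field in line.split())

def normalize(line: str) -> dict:
    """Return UTC datetimes plus two derived checks: how long the parent session
    had been open when the Threat log was generated, and whether the two
    TimeGenerated representations agree to the millisecond granularity stated."""
    rec = parse_record(line)
    generated = parse_epoch_micros(rec["TimeGenerated"])
    generated_hr = parse_high_resolution(rec["TimeGeneratedHighResolution"])
    parent_start = parse_epoch_micros(rec["ParentStarttime"])
    return {
        "time_generated": generated,
        "time_generated_hr": generated_hr,
        "parent_start": parent_start,
        "session_age": generated - parent_start,
        "clocks_agree": abs(generated - generated_hr) <= timedelta(milliseconds=1),
    }

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(normalize(line))
```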