Threat CEF Fields
Example Threat log in CEF (one record; shown here in a code block so the syslog prefix, the pipe-delimited CEF header and the key=value extension stay on a single line):

```text
Mar 1 20:48:22 gke-standard-cluster-2-default-pool-2c7fa720-sw0m 4465 <14>1 2021-03-01T20:48:22.900Z stream-logfwd20-587718190-03011242-xynu-harness-l80k logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|THREAT|spyware|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx start=Mar 01 2021 20:48:16 PanOSApplicationCategory=general-internet PanOSApplicationContainer=sina-weibo PanOSApplicationRisk=4 PanOSApplicationSubcategory=social-networking PanOSApplicationTechnology=browser-based PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSHTTPMethod=get PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=13884 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSPayloadProtocolID=-1 PanOSSanctionedStateOfApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=paloaltonetwork suser=xxxxx suid= cat=27379 PanOSThreatNameFirewall=27379 PanOSTunneledApplication=tunneled-app PanOSURLDomain= PanOSUsers=paloaltonetwork\\xxxxx PanOSVerdict= PanOSVirtualSystemID=1 c6a2=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a2Label=Source IPv6 Address c6a3=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a3Label=Destination IPv6 Address sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=deny-attackers cs1Label=Rule suser0=paloaltonetwork\\xxxxx duser0=paloaltonetwork\\xxxxx app=sina-weibo-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test4 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=947181 cn1Label=SessionID cnt=1 spt=13884 dpt=4228 sourceTranslatedPort=30116 destinationTranslatedPort=20966 proto=tcp act=drop-all request=some other fake filename PanOSThreatID=27379(27379) flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=LY PanOSDestinationLocation=BR fileId=0 PanOSFileHash= PanOSApplianceOrCloud= PanOSURLCounter=0 PanOSFileType= PanOSSenderEmail= PanOSEmailSubject= PanOSRecipientEmail= PanOSReportID=0 PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSThreatCategory=unknown PanOSContentVersion=50059 PanOSSigFlags=0x0 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=0 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=X-Phone PanOSSourceDeviceProfile=x-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=X-Phone PanOSDestinationDeviceProfile=x-profile PanOSDestinationDeviceModel=MI PanOSDestinationDeviceVendor=Xiaomi PanOSDestinationDeviceOSFamily=A1 PanOSDestinationDeviceOSVersion=Android v9.1 PanOSDestinationDeviceHost=pan-622 PanOSDestinationDeviceMac=620797415366 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash=0 PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=dc
```
The following table identifies the Threat field names that the Log Forwarding app
uses when you forward logs using the CEF log format.
| CEF Name | Field Details |
|---|---|
| act | |
| app | |
| PanOSApplicationCategory | Query Name: app_category; Header Type: Custom |
| PanOSApplicationSubcategory | Query Name: app_sub_category; Header Type: Custom |
| PanOSApplianceOrCloud | Query Name: cloud; Header Type: Custom |
| PanOSCloudHostname | Query Name: cloud_hostname; Header Type: Custom |
| PanOSCloudReportID | Query Name: cloud_reportid; Header Type: Custom |
| PanOSConfigVersion | Query Name: config_version.value; Header Type: Custom |
| PanOSContainerID | Query Name: container_id; Header Type: Custom |
| PanOSApplicationContainer | Query Name: container_of_app; Header Type: Custom |
| PanOSContentVersion | Query Name: content_version; Header Type: Custom |
| cnt | Query Name: count_of_repeats; Header Type: Predefined |
| PanOSCortexDataLakeTenantID | Query Name: customer_id; Header Type: Custom |
| PanOSDestinationDeviceCategory | Query Name: dest_device_category; Header Type: Custom |
| PanOSDestinationDeviceClass | Query Name: dest_device_class; Header Type: Custom |
| PanOSDestinationDeviceHost | Query Name: dest_device_host; Header Type: Custom |
| PanOSDestinationDeviceMac | Query Name: dest_device_mac; Header Type: Custom |
| PanOSDestinationDeviceModel | Query Name: dest_device_model; Header Type: Custom |
| PanOSDestinationDeviceOS | Query Name: dest_device_os; Header Type: Custom |
| PanOSDestinationDeviceOSFamily | Query Name: dest_device_osfamily; Header Type: Custom |
| PanOSDestinationDeviceOSVersion | Query Name: dest_device_osversion; Header Type: Custom |
| PanOSDestinationDeviceProfile | Query Name: dest_device_profile; Header Type: Custom |
| PanOSDestinationDeviceVendor | Query Name: dest_device_vendor; Header Type: Custom |
| PanOSDestinationDynamicAddressGroup | Query Name: dest_dynamic_address_group; Header Type: Custom |
| PanOSDestinationEDL | Query Name: dest_edl; Header Type: Custom |
| dst or c6a3 | Query Name: dest_ip.value; Header Type: Predefined; Label: c6a3Label; Label Text: Destination IPv6 Address |
| PanOSDestinationLocation | Query Name: dest_location; Header Type: Custom |
| dpt | Query Name: dest_port; Header Type: Predefined |
| duser | |
| dntdom | |
| duser | |
| duid | |
| PanOSDestinationUUID | Query Name: dest_uuid; Header Type: Custom |
| PanOSDGHierarchyLevel1 | Query Name: dg_hier_level_1; Header Type: Custom |
| PanOSDGHierarchyLevel2 | Query Name: dg_hier_level_2; Header Type: Custom |
| PanOSDGHierarchyLevel3 | Query Name: dg_hier_level_3; Header Type: Custom |
| PanOSDGHierarchyLevel4 | Query Name: dg_hier_level_4; Header Type: Custom |
| flexString2 | Query Name: direction_of_attack.value; Header Type: Predefined; Label: flexString2Label; Label Text: DirectionOfAttack; Max Length: 1023 |
| PanOSDomainEDL | Query Name: domain_edl; Header Type: Custom |
| PanOSDynamicUserGroupName | Query Name: dynusergroup_name; Header Type: Custom |
| PanOSEndpointSerialNumber | Query Name: endpoint_serial_number; Header Type: Custom |
| request | |
| PanOSFileHash | Query Name: file_sha_256; Header Type: Custom |
| PanOSFileType | Query Name: file_type; Header Type: Custom |
| PanOSFileURL | Query Name: file_url; Header Type: Custom |
| FlowType | Query Name: flow_type.value; Header Type: Custom |
| cs4 | |
| PanOSHostID | Query Name: host_id; Header Type: Custom |
| PanOSHTTP2Connection | Query Name: http2_connection; Header Type: Custom |
| PanOSHTTPMethod | Query Name: http_method.value; Header Type: Custom |
| deviceInboundInterface | |
| PanOSInboundInterfaceDetailsPort | Query Name: inbound_if_details.port; Header Type: Custom |
| PanOSInboundInterfaceDetailsSlot | Query Name: inbound_if_details.slot; Header Type: Custom |
| PanOSInboundInterfaceDetailsType | Query Name: inbound_if_details.type.value; Header Type: Custom |
| PanOSInboundInterfaceDetailsUnit | Query Name: inbound_if_details.unit; Header Type: Custom |
| PanOSCaptivePortal | Query Name: is_captive_portal; Header Type: Custom |
| PanOSIsClienttoServer | Query Name: is_client_to_server; Header Type: Custom |
| PanOSIsContainer | Query Name: is_container; Header Type: Custom |
| PanOSIsDecryptMirror | Query Name: is_decrypt_mirror; Header Type: Custom |
| PanOSIsDecrypted | Query Name: is_decrypted; Header Type: Custom |
| PanOSIsDuplicateLog | Query Name: is_dup_log; Header Type: Custom |
| PanOSIsEncrypted | Query Name: is_encrypted; Header Type: Custom |
| PanOSLogExported | Query Name: is_exported; Header Type: Custom |
| PanOSLogForwarded | Query Name: is_forwarded; Header Type: Custom |
| PanOSIsIPV6 | Query Name: is_ipv6; Header Type: Custom |
| PanOSIsMptcpOn | Query Name: is_mptcp_on; Header Type: Custom |
| PanOSNAT | Query Name: is_nat; Header Type: Custom |
| PanOSIsNonStandardDestinationPort | Query Name: is_non_std_dest_port; Header Type: Custom |
| PanOSIsPacketCapture | Query Name: is_packet_capture; Header Type: Custom |
| PanOSIsPhishing | Query Name: is_phishing; Header Type: Custom |
| PanOSIsPrismaNetwork | Query Name: is_prisma_branch; Header Type: Custom |
| PanOSIsPrismaUsers | Query Name: is_prisma_mobile; Header Type: Custom |
| PanOSIsProxy | Query Name: is_proxy; Header Type: Custom |
| PanOSIsReconExcluded | Query Name: is_recon_excluded; Header Type: Custom |
| PanOSIsSaaSApplication | Query Name: is_saas_app; Header Type: Custom |
| PanOSIsServertoClient | Query Name: is_server_to_client; Header Type: Custom |
| PanOSIsSourceXForwarded | Query Name: is_source_x_fwded; Header Type: Custom |
| PanOSIsSystemReturn | Query Name: is_sym_return; Header Type: Custom |
| PanOSIsTransaction | Query Name: is_transaction; Header Type: Custom |
| PanOSIsTunnelInspected | Query Name: is_tunnel_inspected; Header Type: Custom |
| PanOSIsURLDenied | Query Name: is_url_denied; Header Type: Custom |
| PanOSLocation | Query Name: location; Header Type: Custom |
| cs6 | |
| PanOSLogSource | Query Name: log_source; Header Type: Custom |
| LogSourceGroupID | Query Name: log_source_group_id; Header Type: Custom |
| deviceExternalId | |
| dvchost | |
| PanOSLogSourceTimeZoneOffset | Query Name: log_source_tz_offset; Header Type: Custom |
| rt | Query Name: log_time; Header Type: Predefined |
| Device Event Class ID | Query Name: log_type.value; Header Type: Custom |
| PanOSIMEI | Query Name: monitor_tag_imei; Header Type: Custom |
| destinationTranslatedAddress | Query Name: nat_dest.value; Header Type: Predefined |
| destinationTranslatedPort | Query Name: nat_dest_port; Header Type: Predefined |
| sourceTranslatedAddress | Query Name: nat_source.value; Header Type: Predefined |
| sourceTranslatedPort | Query Name: nat_source_port; Header Type: Predefined |
| PanOSNonStandardDestinationPort | Query Name: non_standard_dest_port; Header Type: Custom |
| PanOSNSSAINetworkSliceType | Query Name: nssai_network_slice_type.value; Header Type: Custom |
| deviceOutboundInterface | |
| PanOSOutboundInterfaceDetailsPort | Query Name: outbound_if_details.port; Header Type: Custom |
| PanOSOutboundInterfaceDetailsSlot | Query Name: outbound_if_details.slot; Header Type: Custom |
| PanOSOutboundInterfaceDetailsType | Query Name: outbound_if_details.type.value; Header Type: Custom |
| PanOSOutboundInterfaceDetailsUnit | Query Name: outbound_if_details.unit; Header Type: Custom |
| PanOSPanoramaSN | Query Name: panorama_serial; Header Type: Custom |
| PanOSParentSessionID | Query Name: parent_session_id; Header Type: Custom |
| PanOSParentStarttime | Query Name: parent_start_time; Header Type: Custom |
| PanOSPartialHash | Query Name: partial_hash; Header Type: Custom |
| PanOSPayloadProtocolID | Query Name: payload_protocol_id; Header Type: Custom |
| PanOSPacket | Query Name: pcap; Header Type: Custom |
| fileId | |
| PanOSContainerName | Query Name: pod_name; Header Type: Custom |
| PanOSContainerNameSpace | Query Name: pod_namespace; Header Type: Custom |
| proto | |
| PanOSRecipientEmail | Query Name: recipient_of_virus; Header Type: Custom |
| PanOSReportID | Query Name: report_id; Header Type: Custom |
| PanOSApplicationRisk | Query Name: risk_of_app; Header Type: Custom |
| cs1 | |
| PanOSRuleUUID | Query Name: rule_matched_uuid; Header Type: Custom |
| PanOSSanctionedStateOfApp | Query Name: sanctioned_state_of_app; Header Type: Custom |
| PanOSSenderEmail | Query Name: sender_of_virus; Header Type: Custom |
| externalId | |
| cn1 | |
| PanOSSeverity | Query Name: severity; Header Type: Custom |
| PanOSSigFlags | Query Name: sig_flags; Header Type: Custom |
| PanOSSourceDeviceCategory | Query Name: source_device_category; Header Type: Custom |
| PanOSSourceDeviceClass | Query Name: source_device_class; Header Type: Custom |
| PanOSSourceDeviceHost | Query Name: source_device_host; Header Type: Custom |
| PanOSSourceDeviceMac | Query Name: source_device_mac; Header Type: Custom |
| PanOSSourceDeviceModel | Query Name: source_device_model; Header Type: Custom |
| PanOSSourceDeviceOS | Query Name: source_device_os; Header Type: Custom |
| PanOSSourceDeviceOSFamily | Query Name: source_device_osfamily; Header Type: Custom |
| PanOSSourceDeviceOSVersion | Query Name: source_device_osversion; Header Type: Custom |
| PanOSSourceDeviceProfile | Query Name: source_device_profile; Header Type: Custom |
| PanOSSourceDeviceVendor | Query Name: source_device_vendor; Header Type: Custom |
| PanOSSourceDynamicAddressGroup | Query Name: source_dynamic_address_group; Header Type: Custom |
| PanOSSourceEDL | Query Name: source_edl; Header Type: Custom |
| src or c6a2 | Query Name: source_ip.value; Header Type: Predefined; Label: c6a2Label; Label Text: Source IPv6 Address |
| PanOSSourceLocation | Query Name: source_location; Header Type: Custom |
| spt | Query Name: source_port; Header Type: Predefined |
| suser | |
| sntdom | |
| suser | |
| suid | |
| PanOSSourceUUID | Query Name: source_uuid; Header Type: Custom |
| Name | Query Name: sub_type.value; Header Type: Custom |
| PanOSEmailSubject | Query Name: subject_of_email; Header Type: Custom |
| PanOSApplicationTechnology | Query Name: technology_of_app; Header Type: Custom |
| PanOSThreatCategory | Query Name: threat_category.value; Header Type: Custom |
| PanOSThreatID | Query Name: threat_id; Header Type: Custom |
| cat | |
| PanOSThreatNameFirewall | Query Name: threat_name_firewall; Header Type: Custom |
| start | Query Name: time_generated; Header Type: Predefined |
| PanOSTimeGeneratedHighResolution | Query Name: time_generated_high_res; Header Type: Custom |
| cs5 | |
| PanOSTunnel | Query Name: tunnel.value; Header Type: Custom |
| PanOSTunneledApplication | Query Name: tunneled_app; Header Type: Custom |
| PanOSIMSI | Query Name: tunnelid_imsi; Header Type: Custom |
| PanOSURLDomain | Query Name: url_domain; Header Type: Custom |
| PanOSURLCounter | Query Name: url_idx; Header Type: Custom |
| PanOSUsers | Query Name: users; Header Type: Custom |
| Device Vendor | Query Name: vendor_name; Header Type: Custom |
| PanOSVendorSeverity | Query Name: vendor_severity.value; Header Type: Custom |
| PanOSVerdict | Query Name: verdict.value; Header Type: Custom |
| cs3 | Query Name: vsys; Header Type: Predefined; Label: cs3Label; Label Text: VirtualLocation; Max Length: 4000 |
| PanOSVirtualSystemID | Query Name: vsys_id; Header Type: Custom |
| PanOSVirtualSystemName | Query Name: vsys_name; Header Type: Custom |
| PanOSX-Forwarded-ForIP | Query Name: xff_ip.value; Header Type: Custom |
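The example record and the table above describe two things a SIEM ingest pipeline has to get right: the seven pipe-delimited header fields (the table names three of them, Device Vendor, Device Event Class ID and Name), and the extension in which generic keys such as `cs1` or `c6a2` only acquire meaning through their `cs1Label`/`c6a2Label` companions. The following parser is an added example written for this page, not code from the Log Forwarding app or from Palo Alto Networks. It assumes only the CEF conventions visible in the record (unescaped `|` separates header fields, `\\` and `\=` are escapes, values may contain spaces, an empty value such as `duid=` is legitimate) and uses a hand-picked subset of the CEF-name to Query-Name mapping from the table. The sample line is a trimmed copy of the page's own record.

```python
import re
from typing import Dict, Tuple

# Constructed sample: a trimmed copy of the Threat CEF record shown on this page,
# syslog prefix included so the parser has to locate the "CEF:" marker itself.
# PanOSUsers carries the CEF-escaped backslash ("\\") exactly as on the page.
SAMPLE = (
    "Mar 1 20:48:22 gke-standard-cluster-2-default-pool-2c7fa720-sw0m 4465 <14>1 "
    "2021-03-01T20:48:22.900Z stream-logfwd20 logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|THREAT|spyware|1|"
    "rt=Mar 01 2021 20:48:21 duid= PanOSHTTPMethod=get PanOSIsDecrypted=false "
    "PanOSUsers=paloaltonetwork\\\\xxxxx "
    "c6a2=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a2Label=Source IPv6 Address "
    "cs1=deny-attackers cs1Label=Rule cs3=vsys1 cs3Label=VirtualLocation "
    "cn1=947181 cn1Label=SessionID spt=13884 dpt=4228 proto=tcp act=drop-all "
    "request=some other fake filename PanOSThreatID=27379(27379) "
    "flexString2=server to client flexString2Label=DirectionOfAttack "
    "PanOSSeverity=Informational"
)

# CEF header positions in order; the page's table refers to three of them by name.
HEADER_FIELDS = ("Version", "Device Vendor", "Device Product", "Device Version",
                 "Device Event Class ID", "Name", "Severity")

# Subset of the CEF name -> Query Name mapping taken from the table on this page.
QUERY_NAME = {
    "Device Event Class ID": "log_type.value", "Name": "sub_type.value",
    "Device Vendor": "vendor_name", "rt": "log_time", "spt": "source_port",
    "dpt": "dest_port", "cnt": "count_of_repeats", "cs3": "vsys",
    "flexString2": "direction_of_attack.value", "c6a2": "source_ip.value",
    "c6a3": "dest_ip.value", "PanOSThreatID": "threat_id",
    "PanOSSeverity": "severity", "PanOSIsDecrypted": "is_decrypted",
    "PanOSHTTPMethod": "http_method.value", "PanOSUsers": "users",
}

_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# A new extension pair starts at whitespace followed by "key=" (an escaped "\="
# inside a value does not match because "\" is not a key character).
_PAIR_BOUNDARY = re.compile(r"\s+(?=[\w.\-]+=)")
_ESCAPED_CHAR = re.compile(r"\\([\\|=])")


def _unescape(value: str) -> str:
    """Undo CEF escaping of backslash, pipe and equals."""
    return _ESCAPED_CHAR.sub(r"\1", value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a syslog-wrapped CEF line into (header, extension) dictionaries."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("line carries no CEF: marker")
    parts = _UNESCAPED_PIPE.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    header = {name: _unescape(v) for name, v in zip(HEADER_FIELDS, parts[:7])}
    extension: Dict[str, str] = {}
    for pair in _PAIR_BOUNDARY.split(parts[7].strip()):
        key, _, value = pair.partition("=")
        # Values may contain spaces (rt=, request=, flexString2=); an empty
        # value (duid=) is kept as "" so the key stays visible to downstream rules.
        extension[key] = _unescape(value.strip())
    return header, extension


def resolve_labels(extension: Dict[str, str]) -> Dict[str, str]:
    """Rename custom keys (cs1, cn1, c6a2, flexString2, ...) to their *Label text,
    so "cs1=deny-attackers cs1Label=Rule" becomes Rule=deny-attackers."""
    resolved: Dict[str, str] = {}
    for key, value in extension.items():
        if key.endswith("Label") and key[:-len("Label")] in extension:
            continue  # consumed as the label of its base key
        resolved[extension.get(key + "Label") or key] = value
    return resolved


def to_query_fields(header: Dict[str, str], extension: Dict[str, str]) -> Dict[str, str]:
    """Project a parsed record onto the Query Names from the page's table; keys the
    table does not map (or that this subset omits) keep their CEF name."""
    record: Dict[str, str] = {}
    for cef_name, value in {**header, **extension}.items():
        record[QUERY_NAME.get(cef_name, cef_name)] = value
    return record


if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    for k, v in resolve_labels(ext).items():
        print(f"{k} = {v!r}")
    print(to_query_fields(hdr, ext)["log_type.value"], to_query_fields(hdr, ext)["sub_type.value"])
```

Two details matter for detection content built on these logs: the pair-boundary regex is what keeps `request=some other fake filename` in one piece instead of three, and `resolve_labels` is what lets a rule refer to `Rule` or `DirectionOfAttack` rather than to `cs1` and `flexString2`, whose meaning would otherwise change whenever the forwarder assigns the custom slots differently.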