Threat EMAIL Fields

Example Threat log in EMAIL:
TimeReceived=2021-02-22T03:56:10.000000Z DeviceSN=xxxxxxxxxxxxx LogType=THREAT Subtype=vulnerability ConfigVersion=10.0 TimeGenerated=2021-02-22T03:55:57.000000Z SourceAddress=xxx.xx.x.xx DestinationAddress=xxx.xx.x.xx NATSource= NATDestination=xxx.xx.x.xx Rule=deny-attackers SourceUser="paloaltonetwork\xxxxx" DestinationUser="paloaltonetwork\xxxxx" Application=gtpv1-c VirtualLocation=vsys1 FromZone=ethernet4Zone-test2 ToZone=partners InboundInterface=unknown OutboundInterface=unknown LogSetting=rs-logging SessionID=855279 RepeatCount=1 SourcePort=29447 DestinationPort=10810 NATSourcePort=9459 NATDestinationPort=20230 Protocol=tcp Action=reset-server FileName=some other fake filename ThreatID=Bot: Backdoor_Win32_IRCBot_emv(19974) VendorSeverity=High DirectionOfAttack=client to server SequenceNo=2638696487 SourceLocation=east-coast DestinationLocation=ZZ PacketID=0 FileHash= ApplianceOrCloud= URLCounter=0 FileType= SenderEmail= EmailSubject= RecipientEmail= ReportID=0 DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx SourceUUID= DestinationUUID= IMSI=47 IMEI=xxxxx ParentSessionID=7605 ParentStarttime=2021-02-22T03:55:57.000000Z Tunnel=GTP-U-TCI ThreatCategory=backdoor ContentVersion=50199 SigFlags=0x2 RuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 HTTP2Connection=0 DynamicUserGroupName= X-Forwarded-ForIP=xxx.xx.x.xx SourceDeviceCategory=S-Phone SourceDeviceProfile=s-profile SourceDeviceModel=720P/60 SourceDeviceVendor=Samsung SourceDeviceOSFamily=M4500 SourceDeviceOSVersion=Android v8 SourceDeviceHost=pan-123 SourceDeviceMac=264989591511 DestinationDeviceCategory=S-Phone DestinationDeviceProfile=s-profile DestinationDeviceModel=S9 DestinationDeviceVendor=Samsung DestinationDeviceOSFamily=Galaxy DestinationDeviceOSVersion=Android v9 DestinationDeviceHost=pan-121 DestinationDeviceMac=180872328842 ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL= HostID=1010101010 EndpointSerialNumber=xxxxxxxxxxxxxx DomainEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= PartialHash=0 TimeGeneratedHighResolution=2021-02-22T03:55:57.964000Z NSSAINetworkSliceType=f1
The following table identifies the Threat field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.
EMAIL Name
Query Name
Action
Application
app
ApplicationCategory
ApplicationSubcategory
ApplianceOrCloud
CloudHostname
CloudReportID
ConfigVersion
ContainerID
ApplicationContainer
ContentVersion
RepeatCount
CortexDataLakeTenantID
DestinationDeviceCategory
DestinationDeviceClass
DestinationDeviceHost
DestinationDeviceMac
DestinationDeviceModel
DestinationDeviceOS
DestinationDeviceOSFamily
DestinationDeviceOSVersion
DestinationDeviceProfile
DestinationDeviceVendor
DestinationDynamicAddressGroup
DestinationEDL
DestinationAddress
DestinationLocation
DestinationPort
DestinationUser
DestinationUserDomain
DestinationUserName
DestinationUserUUID
DestinationUUID
DGHierarchyLevel1
DGHierarchyLevel2
DGHierarchyLevel3
DGHierarchyLevel4
DirectionOfAttack
DomainEDL
DynamicUserGroupName
EndpointSerialNumber
FileName
FileHash
FileType
FileURL
FromZone
HostID
HTTP2Connection
HTTPMethod
InboundInterface
InboundInterfaceDetailsPort
InboundInterfaceDetailsSlot
InboundInterfaceDetailsType
InboundInterfaceDetailsUnit
CaptivePortal
IsClienttoServer
IsContainer
IsDecryptMirror
IsDecrypted
IsDuplicateLog
IsEncrypted
LogExported
LogForwarded
IsIPV6
IsMptcpOn
NAT
IsNonStandardDestinationPort
IsPacketCapture
IsPhishing
IsPrismaNetwork
IsPrismaUsers
IsProxy
IsReconExcluded
IsSaaSApplication
IsServertoClient
IsSourceXForwarded
IsSystemReturn
IsTransaction
IsTunnelInspected
IsURLDenied
Location
LogSetting
LogSource
DeviceSN
DeviceName
LogSourceTimeZoneOffset
TimeReceived
LogType
IMEI
NATDestination
NATDestinationPort
NATSource
NATSourcePort
NonStandardDestinationPort
NSSAINetworkSliceType
OutboundInterface
OutboundInterfaceDetailsPort
OutboundInterfaceDetailsSlot
OutboundInterfaceDetailsType
OutboundInterfaceDetailsUnit
ParentSessionID
ParentStarttime
PartialHash
PayloadProtocolID
Packet
PacketID
ContainerName
ContainerNameSpace
Protocol
RecipientEmail
ReportID
ApplicationRisk
Rule
RuleUUID
SanctionedStateOfApp
SenderEmail
SequenceNo
SessionID
Severity
SigFlags
SourceDeviceCategory
SourceDeviceClass
SourceDeviceHost
SourceDeviceMac
SourceDeviceModel
SourceDeviceOS
SourceDeviceOSFamily
SourceDeviceOSVersion
SourceDeviceProfile
SourceDeviceVendor
SourceDynamicAddressGroup
SourceEDL
SourceAddress
SourceLocation
SourcePort
SourceUser
SourceUserDomain
SourceUserName
SourceUserUUID
SourceUUID
Subtype
EmailSubject
ApplicationTechnology
ThreatCategory
ThreatID
ThreatName
ThreatNameFirewall
TimeGenerated
TimeGeneratedHighResolution
ToZone
Tunnel
TunneledApplication
IMSI
URLDomain
URLCounter
Users
VendorName
VendorSeverity
Verdict
VirtualLocation
VirtualSystemID
VirtualSystemName
X-Forwarded-ForIP

Recommended For You