Threat LEEF Fields

Example Threat log in LEEF:
Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |TimeReceived=2021-09-21T01:47:20.000000Z DeviceSN=xxxxxxxxxxxxx cat=threat SubType=packet ConfigVersion=10.1 devTime=2021-09-21T01:47:18.000000Z src=xxx.xx.x.xx dst=xxx.xx.x.xx srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx Rule=allow-business-apps usrName=paloaltonetwork\xxxxx DestinationUser=paloaltonetwork\xxxxx Application=websense VirtualLocation=vsys1 FromZone=datacenter ToZone=datacenter InboundInterface=ethernet1/1 OutboundInterface=ethernet1/4 LogSetting=rs-logging SessionID=366981 RepeatCount=1 srcPort=12023 dstPort=8466 srcPostNATPort=2374 dstPostNATPort=2463 proto=tcp Action=drop-packet FileName=0123456789012345678901234567890123456789012345678901234 VendorSeverity=Low DirectionOfAttack=client to server SequenceNo=7003061085140560926 SourceLocation=dallas DestinationLocation=IN PacketID=0 FileHash= ApplianceOrCloud= URLCounter=0 FileType= SenderEmail= EmailSubject= RecipientEmail= ReportID=0 DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx SourceUUID= DestinationUUID= IMSI=35 IMEI=datacenter ParentSessionID=5534 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=GTP-U-TCI ThreatCategory=unknown ContentVersion=50122SigFlags=0x0 RuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8 HTTP2Connection=0 DynamicUserGroupName= X-Forwarded-ForIP=xxx.xx.x.xx SourceDeviceCategory=A-Phone SourceDeviceProfile=a-profile SourceDeviceModel=720P/60 SourceDeviceVendor=Samsung SourceDeviceOSFamily=M4500 SourceDeviceOSVersion=Android v8 SourceDeviceHost=pan-123 SourceDeviceMac=264989591511DestinationDeviceCategory=A-Phone DestinationDeviceProfile=a-profile DestinationDeviceModel=iPhone DestinationDeviceVendor=Apple DestinationDeviceOSFamily=9 DestinationDeviceOSVersion=iOS 9 DestinationDeviceHost=pan-233 DestinationDeviceMac=743514319696 ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL= HostID=1010101010 EndpointSerialNumber=xxxxxxxxxxxxxx DomainEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= PartialHash=0 TimeGeneratedHighResolution=2021-09-21T01:47:18.732000Z NSSAINetworkSliceType=be devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the Threat field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example,
TRAFFIC
,
THREAT
,
HIPMATCH
, and so forth). The token will appear on a parameter called
profileToken
.
LEEF Name
Query Name
Field Type
Action
Custom
Application
app
Custom
ApplicationCategory
Custom
ApplicationSubcategory
Custom
ApplianceOrCloud
Custom
CloudHostname
Custom
CloudReportID
Custom
ConfigVersion
Custom
ContainerID
Custom
ApplicationContainer
Custom
ContentVersion
Custom
RepeatCount
Custom
CortexDataLakeTenantID
Custom
DestinationDeviceCategory
Custom
DestinationDeviceClass
Custom
DestinationDeviceHost
Custom
DestinationDeviceMac
Custom
DestinationDeviceModel
Custom
DestinationDeviceOS
Custom
DestinationDeviceOSFamily
Custom
DestinationDeviceOSVersion
Custom
DestinationDeviceProfile
Custom
DestinationDeviceVendor
Custom
DestinationDynamicAddressGroup
Custom
DestinationEDL
Custom
dst
Predefined
DestinationLocation
Custom
dstPort
Predefined
DestinationUser
Custom
DestinationUserDomain
Custom
DestinationUserName
Custom
DestinationUserUUID
Custom
DestinationUUID
Custom
DGHierarchyLevel1
Custom
DGHierarchyLevel2
Custom
DGHierarchyLevel3
Custom
DGHierarchyLevel4
Custom
DirectionOfAttack
Custom
DomainEDL
Custom
DynamicUserGroupName
Custom
EndpointSerialNumber
Custom
FileName
Custom
FileHash
Custom
FileType
Custom
FileURL
Custom
FromZone
Custom
HostID
Custom
HTTP2Connection
Custom
HTTPMethod
Custom
InboundInterface
Custom
InboundInterfaceDetailsPort
Custom
InboundInterfaceDetailsSlot
Custom
InboundInterfaceDetailsType
Custom
InboundInterfaceDetailsUnit
Custom
CaptivePortal
Custom
IsClienttoServer
Custom
IsContainer
Custom
IsDecryptMirror
Custom
IsDecrypted
Custom
IsDuplicateLog
Custom
IsEncrypted
Custom
LogExported
Custom
LogForwarded
Custom
IsIPV6
Custom
IsMptcpOn
Custom
NAT
Custom
IsNonStandardDestinationPort
Custom
IsPacketCapture
Custom
IsPhishing
Custom
IsPrismaNetwork
Custom
IsPrismaUsers
Custom
IsProxy
Custom
IsReconExcluded
Custom
IsSaaSApplication
Custom
IsServertoClient
Custom
IsSourceXForwarded
Custom
IsSystemReturn
Custom
IsTransaction
Custom
IsTunnelInspected
Custom
IsURLDenied
Custom
Location
Custom
LogSetting
Custom
LogSource
Custom
DeviceSN
Custom
DeviceName
Custom
LogSourceTimeZoneOffset
Custom
TimeReceived
Custom
cat
Predefined
IMEI
Custom
dstPostNAT
Predefined
dstPostNATPort
Predefined
srcPostNAT
Predefined
srcPostNATPort
Predefined
NonStandardDestinationPort
Custom
NSSAINetworkSliceType
Custom
OutboundInterface
Custom
OutboundInterfaceDetailsPort
Custom
OutboundInterfaceDetailsSlot
Custom
OutboundInterfaceDetailsType
Custom
OutboundInterfaceDetailsUnit
Custom
ParentSessionID
Custom
ParentStarttime
Custom
PartialHash
Custom
PayloadProtocolID
Custom
Packet
Custom
PacketID
Custom
ContainerName
Custom
ContainerNameSpace
Custom
proto
Predefined
RecipientEmail
Custom
ReportID
Custom
ApplicationRisk
Custom
Rule
Custom
RuleUUID
Custom
SanctionedStateOfApp
Custom
SenderEmail
Custom
SequenceNo
Custom
SessionID
Custom
Severity
Custom
SigFlags
Custom
SourceDeviceCategory
Custom
SourceDeviceClass
Custom
SourceDeviceHost
Custom
SourceDeviceMac
Custom
SourceDeviceModel
Custom
SourceDeviceOS
Custom
SourceDeviceOSFamily
Custom
SourceDeviceOSVersion
Custom
SourceDeviceProfile
Custom
SourceDeviceVendor
Custom
SourceDynamicAddressGroup
Custom
SourceEDL
Custom
src
Predefined
SourceLocation
Custom
srcPort
Predefined
usrName
Predefined
SourceUserDomain
Custom
SourceUserName
Custom
SourceUserUUID
Custom
SourceUUID
Custom
SubType
Custom
EmailSubject
Custom
ApplicationTechnology
Custom
ThreatCategory
Custom
EventID
Header
ThreatName
Custom
ThreatNameFirewall
Custom
devTime
Predefined
TimeGeneratedHighResolution
Custom
ToZone
Custom
Tunnel
Custom
TunneledApplication
Custom
IMSI
Custom
URLDomain
Custom
URLCounter
Custom
Users
Custom
Vendor
Header
VendorSeverity
Custom
Verdict
Custom
VirtualLocation
Custom
VirtualSystemID
Custom
VirtualSystemName
Custom
X-Forwarded-ForIP
Custom

Recommended For You