URL LEEF Fields

Example URL log in LEEF:
Sep 21 01:52:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 2646 <14>1 2021-09-21T01:52:01.328Z stream-logfwd20-d324e775--09201841-lxtx-harness-w8bx logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|sports| |TimeReceived=2021-09-21T01:52:00.000000Z DeviceSN=xxxxxxxxxxxxx cat=threat SubType=url ConfigVersion=10.1 devTime=2021-09-21T01:51:58.000000Z src=fe80:abcd:76cc:9802:d202:b3ff:fe1e:8329 dst=fe80:0:e426:5678:b202:b3ff:fe1e:8329 srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx Rule=deny-time-wasters usrName=xxxxx\xxxxx o"'"test DestinationUser=paloaltonetwork\xxxxx Application=aerofs VirtualLocation=vsys1 FromZone=ethernet4Zone-test3 ToZone=ethernet4Zone-test1 InboundInterface=ethernet1/1OutboundInterface=ethernet1/2 LogSetting=rs-logging SessionID=631434 RepeatCount=1 srcPort=29176 dstPort=20350 srcPostNATPort=2932 dstPostNATPort=7181 proto=tcp Action=reset-both URL=www.this.is.another.wannabe.long.url.com/and/it/is/getting/there/by/adding/some/junk/at/the/end/of/the/url/dsakjhfskdjhfksjdhfkhk235hk2jh2kjhkhk23jhk5jh2435kjh45k3jh5k3j4h5k3h45kjh34kj5hkjhkj34hk5jh34k5jhk3j4h5k3jh45kjh34k5jhk34jh5kj34h5kjh43kj5hk34jh5k3j4h5k3j4hghhg4j5h3g VendorSeverity=Critical DirectionOfAttack=client to server SequenceNo=7003061085140561391 SourceLocation=AU DestinationLocation=west-coast ContentType=text/xml PacketID=0 URLCounter=1 UserAgent= identSrc= Referer= DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx SourceUUID= DestinationUUID= HTTPMethod=get IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A InlineMLVerdict=unknown ContentVersion=50207 SigFlags=0 HTTPHeaders= URLCategoryList=sports,​travel,​health-and-medicine RuleUUID=2fb8efd4-2f01-421d-a113-097992777432 HTTP2Connection=0 DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory=X-Phone SourceDeviceProfile=x-profile SourceDeviceModel=Redmi SourceDeviceVendor=Xiaomi SourceDeviceOSFamily=5 Plus SourceDeviceOSVersion=Android v8.2 SourceDeviceHost=pan-603 SourceDeviceMac=645701225660 DestinationDeviceCategory=X-Phone DestinationDeviceProfile=x-profile DestinationDeviceModel=MI DestinationDeviceVendor=Xiaomi DestinationDeviceOSFamily=A1 DestinationDeviceOSVersion=Android v9.1 DestinationDeviceHost=pan-622 DestinationDeviceMac=207974153661 ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL= HostID=1010101010 EndpointSerialNumber=xxxxxxxxxxxxxx SourceDynamicAddressGroup= DestinationDynamicAddressGroup= TimeGeneratedHighResolution=2021-09-21T01:51:58.764000Z NSSAINetworkSliceType=cf devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the URL field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example,
TRAFFIC
,
THREAT
,
HIPMATCH
, and so forth). The token will appear on a parameter called
profileToken
.
LEEF Name
Query Name
Field Type
Action
Custom
Application
app
Custom
ApplicationCategory
Custom
ApplicationSubcategory
Custom
CloudHostname
Custom
CloudReportID
Custom
ConfigVersion
Custom
ContainerID
Custom
ApplicationContainer
Custom
ContentType
Custom
ContentVersion
Custom
RepeatCount
Custom
CortexDataLakeTenantID
Custom
DestinationDeviceCategory
Custom
DestinationDeviceClass
Custom
DestinationDeviceHost
Custom
DestinationDeviceMac
Custom
DestinationDeviceModel
Custom
DestinationDeviceOS
Custom
DestinationDeviceOSFamily
Custom
DestinationDeviceOSVersion
Custom
DestinationDeviceProfile
Custom
DestinationDeviceVendor
Custom
DestinationDynamicAddressGroup
Custom
DestinationEDL
Custom
dst
Predefined
DestinationLocation
Custom
dstPort
Predefined
DestinationUser
Custom
DestinationUserDomain
Custom
DestinationUserName
Custom
DestinationUserUUID
Custom
DestinationUUID
Custom
DGHierarchyLevel1
Custom
DGHierarchyLevel2
Custom
DGHierarchyLevel3
Custom
DGHierarchyLevel4
Custom
DirectionOfAttack
Custom
DynamicUserGroupName
Custom
EndpointSerialNumber
Custom
FileURL
Custom
FromZone
Custom
HostID
Custom
HTTP2Connection
Custom
HTTPHeaders
Custom
HTTPMethod
Custom
InboundInterface
Custom
InboundInterfaceDetailsPort
Custom
InboundInterfaceDetailsSlot
Custom
InboundInterfaceDetailsType
Custom
InboundInterfaceDetailsUnit
Custom
InlineMLVerdict
Custom
CaptivePortal
Custom
IsClienttoServer
Custom
IsContainer
Custom
IsDecryptMirror
Custom
IsDecrypted
Custom
IsDuplicateLog
Custom
IsEncrypted
Custom
LogExported
Custom
LogForwarded
Custom
IsIPV6
Custom
IsMptcpOn
Custom
NAT
Custom
IsNonStandardDestinationPort
Custom
IsPacketCapture
Custom
IsPhishing
Custom
IsPrismaNetwork
Custom
IsPrismaUsers
Custom
IsProxy
Custom
IsReconExcluded
Custom
IsSaaSApplication
Custom
IsServertoClient
Custom
IsSourceXForwarded
Custom
IsSystemReturn
Custom
IsTransaction
Custom
IsTunnelInspected
Custom
IsURLDenied
Custom
Location
Custom
LogSetting
Custom
LogSource
Custom
DeviceSN
Custom
DeviceName
Custom
LogSourceTimeZoneOffset
Custom
TimeReceived
Custom
cat
Predefined
IMEI
Custom
dstPostNAT
Predefined
dstPostNATPort
Predefined
srcPostNAT
Predefined
srcPostNATPort
Predefined
NonStandardDestinationPort
Custom
NSSAINetworkSliceType
Custom
OutboundInterface
Custom
OutboundInterfaceDetailsPort
Custom
OutboundInterfaceDetailsSlot
Custom
OutboundInterfaceDetailsType
Custom
OutboundInterfaceDetailsUnit
Custom
ParentSessionID
Custom
ParentStarttime
Custom
Packet
Custom
PacketID
Custom
ContainerName
Custom
ContainerNameSpace
Custom
proto
Predefined
Referer
Custom
HTTPRefererFQDN
Custom
HTTPRefererPort
Custom
HTTPRefererProtocol
Custom
HTTPRefererURLPath
Custom
ApplicationRisk
Custom
Rule
Custom
RuleUUID
Custom
SanctionedStateofApp
Custom
SequenceNo
Custom
SessionID
Custom
Severity
Custom
SigFlags
Custom
SourceDeviceCategory
Custom
SourceDeviceClass
Custom
SourceDeviceHost
Custom
SourceDeviceMac
Custom
SourceDeviceModel
Custom
SourceDeviceOS
Custom
SourceDeviceOSFamily
Custom
SourceDeviceOSVersion
Custom
SourceDeviceProfile
Custom
SourceDeviceVendor
Custom
SourceDynamicAddressGroup
Custom
SourceEDL
Custom
src
Predefined
SourceLocation
Custom
srcPort
Predefined
usrName
Predefined
SourceUserDomain
Custom
SourceUserName
Custom
SourceUserUUID
Custom
SourceUUID
Custom
SubType
Custom
ApplicationTechnology
Custom
devTime
Predefined
TimeGeneratedHighResolution
Custom
ToZone
Custom
Tunnel
Custom
TunneledApplication
Custom
IMSI
Custom
URL
uri
Custom
EventID
Header
URLCategoryList
Custom
URLDomain
Custom
URLCounter
Custom
UserAgent
Custom
Users
Custom
Vendor
Header
VendorSeverity
Custom
VirtualLocation
Custom
VirtualSystemID
Custom
VirtualSystemName
Custom
identSrc
xff
Predefined
X-Forwarded-ForIP
Custom

Recommended For You