AI Runtime Security API
Strata Logging Service

The AI Security logs contain information to help you monitor and investigate threats found in your AI network traffic with AI Runtime Security API.
The following table lists each log field together with its name in each supported export format:
AI Runtime Security API field (display name)
Description, followed by the field name in each export format (CEF, EMAIL, HTTPS, LEEF)
action
(ACTION)
Identifies the action that the API conveyed back to the caller. The action can be allow, block, or alert in the logs.
CEF field name: PanOSAction
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action
agent_framework
(AGENT FRAMEWORK)
Agent builder framework used to build the agent, such as AWS_Agent_Builder or Microsoft_copilot_studio, among others.
CEF field name: PanOSAgentFramework
EMAIL field name: AgentFramework
HTTPS field name: AgentFramework
LEEF field name: AgentFramework
agent_id
(AGENT ID)
ID of the AI Agent.
CEF field name: PanOSAgentID
EMAIL field name: AgentID
HTTPS field name: AgentID
LEEF field name: AgentID
ai_app_cloud_provider
(AI APP CLOUD PROVIDER)
Cloud provider for the AI application. Configured in SCM; AI Runtime API Cloud sends it to the SLS.
CEF field name: PanOSAIAppCloudProvider
EMAIL field name: AIAppCloudProvider
HTTPS field name: AIAppCloudProvider
LEEF field name: AIAppCloudProvider
ai_app_csp_name
(AI APP CSP NAME)
Name of the cloud provider where the app is hosted.
CEF field name: PanOSAIAppCSPName
EMAIL field name: AIAppCSPName
HTTPS field name: AIAppCSPName
LEEF field name: AIAppCSPName
ai_app_environment
(AI APP ENVIRONMENT)
Customer environment where the AI application is deployed. Configured in SCM; AI Runtime API Cloud sends it to the SLS.
CEF field name: PanOSAIAppEnvironment
EMAIL field name: AIAppEnvironment
HTTPS field name: AIAppEnvironment
LEEF field name: AIAppEnvironment
ai_app_user_domain
(AI APP USER DOMAIN)
Domain name of the AI application user.
CEF field name: PanOSAIAppUserDomain
EMAIL field name: AIAppUserDomain
HTTPS field name: AIAppUserDomain
LEEF field name: AIAppUserDomain
ai_app_user_group_id
(AI APP USER GROUP ID)
Group ID of the AI application user.
CEF field name: PanOSAIAppUserGroupID
EMAIL field name: AIAppUserGroupID
HTTPS field name: AIAppUserGroupID
LEEF field name: AIAppUserGroupID
ai_app_user_group_name
(AI APP USER GROUP NAME)
Group name of the AI application user.
CEF field name: PanOSAIAppUserGroupName
EMAIL field name: AIAppUserGroupName
HTTPS field name: AIAppUserGroupName
LEEF field name: AIAppUserGroupName
ai_app_user_name
(AI APPLICATION USER NAME)
End user of the AI application. Configured in SCM; AI Runtime API Cloud sends it to the SLS.
EMAIL field name: AIApplicationUserName
HTTPS field name: AIApplicationUserName
LEEF field name: AIApplicationUserName
ai_application_name
(AI APPLICATION NAME)
Vendor of the API producing the data. Configured in SCM; AI Runtime API Cloud sends it to the SLS.
CEF field name: PanOSAIApplicationName
EMAIL field name: AIApplicationName
HTTPS field name: AIApplicationName
LEEF field name: AIApplicationName
ai_incident_report_id
(AI INCIDENT REPORT ID)
AI Runtime API report ID.
CEF field name: PanOSAIIncidentReportID
EMAIL field name: AIIncidentReportID
HTTPS field name: AIIncidentReportID
LEEF field name: AIIncidentReportID
ai_incident_subtype
(AI INCIDENT SUBTYPE)
Incident subtype, for example URL Security, Prompt Injection, or Data Rule.
CEF field name: PanOSAIIncidentSubtype
EMAIL field name: AIIncidentSubtype
HTTPS field name: AIIncidentSubtype
LEEF field name: AIIncidentSubtype
ai_incident_type
(AI INCIDENT TYPE)
Incident type: AI Application Protection, AI Model Protection, AI Data Protection, Latency Limit, or Model Denied.
CEF field name: PanOSAIIncidentType
EMAIL field name: AIIncidentType
HTTPS field name: AIIncidentType
LEEF field name: AIIncidentType
ai_model_name
(AI MODEL NAME)
Name of the AI model, for example Gemini 1.5 Pro or GPT-4. Generated in AI Runtime API Cloud and sent to the SLS.
CEF field name: PanOSAIModelName
EMAIL field name: AIModelName
HTTPS field name: AIModelName
LEEF field name: AIModelName
ai_security_policy_id
(AI SECURITY POLICY ID)
ID of AI Security Policy.
CEF field name: PanOSAISecurityPolicyID
EMAIL field name: AISecurityPolicyID
HTTPS field name: AISecurityPolicyID
LEEF field name: AISecurityPolicyID
ai_security_policy_name
(AI SECURITY POLICY NAME)
Name of AI Security Policy.
EMAIL field name: AISecurityPolicyName
HTTPS field name: AISecurityPolicyName
LEEF field name: AISecurityPolicyName
ai_security_profile_id
(AI SECURITY PROFILE ID)
ID of AI Security Profile.
CEF field name: PanOSAISecurityProfileID
EMAIL field name: AISecurityProfileID
HTTPS field name: AISecurityProfileID
LEEF field name: AISecurityProfileID
ai_security_profile_name
(AI SECURITY PROFILE NAME)
Name of AI Security Profile.
EMAIL field name: AISecurityProfileName
HTTPS field name: AISecurityProfileName
LEEF field name: AISecurityProfileName
ai_subtype_details
(AI SUBTYPE DETAILS)
If AI Data Protection - Data Filtering was triggered, this field gives the name of the specific DLP rule that matched. If AI Application Protection - URL Security was triggered, it gives the specific URL category that matched.
CEF field name: PanOSAISubtypeDetails
EMAIL field name: AISubtypeDetails
HTTPS field name: AISubtypeDetails
LEEF field name: AISubtypeDetails
api_key_name
(API KEY NAME)
Identifies the API key name used for the scan request. Sent from AI Runtime API Cloud.
CEF field name: PanOSAPIKeyName
EMAIL field name: APIKeyName
HTTPS field name: APIKeyName
LEEF field name: APIKeyName
api_region
(API REGION)
Indicates the region from which the API was invoked.
CEF field name: PanOSAPIRegion
EMAIL field name: APIRegion
HTTPS field name: APIRegion
LEEF field name: APIRegion
app_id
(APP ID)
App Id.
CEF field name: PanOSAppId
EMAIL field name: AppId
HTTPS field name: AppId
LEEF field name: AppId
asset_id
(ASSET ID)
Unique identifier for an asset (an agent is an asset).
CEF field name: PanOSAssetID
EMAIL field name: AssetID
HTTPS field name: AssetID
LEEF field name: AssetID
completed_ts
(COMPLETED TS)
Time that the scan was completed by AI Runtime API.
CEF field name: PanOSCompletedTS
EMAIL field name: CompletedTS
HTTPS field name: CompletedTS
LEEF field name: CompletedTS
content_masked
(CONTENT MASKED)
Indicates whether inline content was masked when the customer requested a DLP scan.
CEF field name: PanOSContentMasked
EMAIL field name: ContentMasked
HTTPS field name: ContentMasked
LEEF field name: ContentMasked
content_type
(CONTENT TYPE)
Content type.
CEF field name: PanOSContentType
EMAIL field name: ContentType
HTTPS field name: ContentType
LEEF field name: ContentType
csp_id
(CSP ID)
The ID that uniquely identifies the Customer Support Product (CSP) that this log record should be associated with.
CEF field name: PanOSCSPID
EMAIL field name: CSPID
HTTPS field name: CSPID
LEEF field name: CSPID
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
EMAIL field name: CortexDataLakeTenantId
HTTPS field name: CortexDataLakeTenantId
LEEF field name: s
detection_service_flags
(DETECTION SERVICE FLAGS)
Indicates the detection services that were requested for this scan.
EMAIL field name: DetectionServiceFlags
HTTPS field name: DetectionServiceFlags
LEEF field name: DetectionServiceFlags
final_prompt_action
(FINAL PROMPT ACTION)
Indicates the final prompt action for a given scan.
CEF field name: PanOSFinalPromptAction
EMAIL field name: FinalPromptAction
HTTPS field name: FinalPromptAction
LEEF field name: FinalPromptAction
final_prompt_verdict
(FINAL PROMPT VERDICT)
Indicates the final prompt verdict for a given scan.
CEF field name: PanOSFinalPromptVerdict
EMAIL field name: FinalPromptVerdict
HTTPS field name: FinalPromptVerdict
LEEF field name: FinalPromptVerdict
final_response_action
(FINAL RESPONSE ACTION)
Indicates the final response action for a given scan.
CEF field name: PanOSFinalResponseAction
EMAIL field name: FinalResponseAction
HTTPS field name: FinalResponseAction
LEEF field name: FinalResponseAction
final_response_verdict
(FINAL RESPONSE VERDICT)
Indicates the final response verdict for a given scan.
EMAIL field name: FinalResponseVerdict
HTTPS field name: FinalResponseVerdict
LEEF field name: FinalResponseVerdict
is_code
(IS CODE)
Indicates if the request contains code.
CEF field name: PanOSIsCode
EMAIL field name: IsCode
HTTPS field name: IsCode
LEEF field name: IsCode
is_prompt
(IS PROMPT)
Indicates if the request includes a prompt.
CEF field name: PanOSIsPrompt
EMAIL field name: IsPrompt
HTTPS field name: IsPrompt
LEEF field name: IsPrompt
is_prompt_agent_requested
(IS PROMPT AGENT REQUESTED)
Indicates whether prompt was subjected to agentic security scan.
EMAIL field name: IsPromptAgentRequested
HTTPS field name: IsPromptAgentRequested
LEEF field name: IsPromptAgentRequested
is_prompt_dlp_requested
(IS PROMPT DLP REQUESTED)
Indicates whether DLP was requested for the prompt in the scan.
EMAIL field name: IsPromptDLPRequested
HTTPS field name: IsPromptDLPRequested
LEEF field name: IsPromptDLPRequested
is_prompt_mc_requested
(IS PROMPT MC REQUESTED)
Indicates whether Malicious Code was requested for the prompt in the scan.
CEF field name: PanOSIsPromptMCRequested
EMAIL field name: IsPromptMCRequested
HTTPS field name: IsPromptMCRequested
LEEF field name: IsPromptMCRequested
is_prompt_pi_requested
(IS PROMPT PI REQUESTED)
Indicates whether prompt injection was requested in the scan.
CEF field name: PanOSIsPromptPIRequested
EMAIL field name: IsPromptPIRequested
HTTPS field name: IsPromptPIRequested
LEEF field name: IsPromptPIRequested
is_prompt_tc_requested
(IS PROMPT TC REQUESTED)
Indicates whether Toxic Content was requested for the prompt in the scan.
CEF field name: PanOSIsPromptTCRequested
EMAIL field name: IsPromptTCRequested
HTTPS field name: IsPromptTCRequested
LEEF field name: IsPromptTCRequested
is_prompt_tg_requested
(IS PROMPT TG REQUESTED)
Indicates whether prompt was subjected to topic guardrails scan.
CEF field name: PanOSIsPromptTGRequested
EMAIL field name: IsPromptTGRequested
HTTPS field name: IsPromptTGRequested
LEEF field name: IsPromptTGRequested
is_prompt_urlf_requested
(IS PROMPT URLF REQUESTED)
Indicates whether URLF was requested for the prompt in the scan.
EMAIL field name: IsPromptURLFRequested
HTTPS field name: IsPromptURLFRequested
LEEF field name: IsPromptURLFRequested
is_response
(IS RESPONSE)
Indicates if the request includes a response.
CEF field name: PanOSIsResponse
EMAIL field name: IsResponse
HTTPS field name: IsResponse
LEEF field name: IsResponse
is_response_agent_requested
(IS RESPONSE AGENT REQUESTED)
Indicates whether the response was subjected to an agentic security scan.
EMAIL field name: IsResponseAgentRequested
HTTPS field name: IsResponseAgentRequested
LEEF field name: IsResponseAgentRequested
is_response_cg_requested
(IS RESPONSE CG REQUESTED)
Indicates whether response was subjected to contextual grounding scan.
EMAIL field name: IsResponseCGRequested
HTTPS field name: IsResponseCGRequested
LEEF field name: IsResponseCGRequested
is_response_dbs_requested
(IS RESPONSE DBS REQUESTED)
Indicates whether Database Security was requested for the response in the scan.
EMAIL field name: IsResponseDBSRequested
HTTPS field name: IsResponseDBSRequested
LEEF field name: IsResponseDBSRequested
is_response_dlp_requested
(IS RESPONSE DLP REQUESTED)
Indicates whether DLP was requested for the response in the scan.
EMAIL field name: IsResponseDLPRequested
HTTPS field name: IsResponseDLPRequested
LEEF field name: IsResponseDLPRequested
is_response_mc_requested
(IS RESPONSE MC REQUESTED)
Indicates whether Malicious Code was requested for the response in the scan.
EMAIL field name: IsResponseMCRequested
HTTPS field name: IsResponseMCRequested
LEEF field name: IsResponseMCRequested
is_response_tc_requested
(IS RESPONSE TC REQUESTED)
Indicates whether Toxic Content was requested for the response in the scan.
EMAIL field name: IsResponseTCRequested
HTTPS field name: IsResponseTCRequested
LEEF field name: IsResponseTCRequested
is_response_tg_requested
(IS RESPONSE TG REQUESTED)
Indicates whether the response was subjected to a topic guardrails scan.
EMAIL field name: IsResponseTGRequested
HTTPS field name: IsResponseTGRequested
LEEF field name: IsResponseTGRequested
is_response_urlf_requested
(IS RESPONSE URLF REQUESTED)
Indicates whether URLF was requested for the response in the scan.
EMAIL field name: IsResponseURLFRequested
HTTPS field name: IsResponseURLFRequested
LEEF field name: IsResponseURLFRequested
latency
(LATENCY)
Cloud latency in ms (core service processing plus detection module processing): the time the core service takes to process all the scans.
CEF field name: PanOSLatency
EMAIL field name: Latency
HTTPS field name: Latency
LEEF field name: Latency
log_source
(LOG SOURCE)
Identifies the origin of the data - the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_group_id
(LOG SOURCE GROUP ID)
ID that uniquely identifies the group the log source belongs to, that is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log - serial number of the firewall that generated the log.
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log - hostname of the firewall that logged the network traffic.
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This is populated by the platform.
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.value
(LOG TYPE)
Identifies the log type.
CEF field name: DeviceEventClassID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
max_latency_hit
(MAX LATENCY HIT)
No if the threat was blocked in line; Yes if it was detected asynchronously after the maximum latency was reached.
CEF field name: PanOSMaxLatencyHit
EMAIL field name: MaxLatencyHit
HTTPS field name: MaxLatencyHit
LEEF field name: MaxLatencyHit
mcp_server
(MCP SERVER)
MCP server name.
CEF field name: PanOSMCPServer
EMAIL field name: MCPServer
HTTPS field name: MCPServer
LEEF field name: MCPServer
platform_type
(PLATFORM TYPE)
Identifies the platform that generated the log.
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
request_response
(REQUEST RESPONSE)
Whether threat was detected in the request or response.
CEF field name: PanOSRequestResponse
EMAIL field name: RequestResponse
HTTPS field name: RequestResponse
LEEF field name: RequestResponse
scan_id
(SCAN ID)
The API's internal identifier for a specific scan request. Sent from AI Runtime API Cloud.
CEF field name: PanOSScanID
EMAIL field name: ScanID
HTTPS field name: ScanID
LEEF field name: ScanID
scan_start_time
(SCAN START TIME)
Time at which the scan started.
CEF field name: PanOSScanStartTime
EMAIL field name: ScanStartTime
HTTPS field name: ScanStartTime
LEEF field name: ScanStartTime
scan_sub_req_id
(SCAN SUB REQUEST ID)
The API's internal identifier for a specific scan sub-request. Sent from AI Runtime API Cloud.
CEF field name: PanOSScanSUBRequestID
EMAIL field name: ScanSUBRequestID
HTTPS field name: ScanSUBRequestID
LEEF field name: ScanSUBRequestID
scan_type
(SCAN TYPE)
Identifies the type of scan.
CEF field name: PanOSScanType
EMAIL field name: ScanType
HTTPS field name: ScanType
LEEF field name: ScanType
session_url
(SESSION URL)
SCM Session URL link.
CEF field name: PanOSSessionUrl
EMAIL field name: SessionUrl
HTTPS field name: SessionUrl
LEEF field name: SessionUrl
sub_type.value
(SUB TYPE)
Identifies the log subtype.
CEF field name: Name
EMAIL field name: SubType
HTTPS field name: SubType
LEEF field name: SubType
text_records
(TEXT RECORDS)
Text Records consumed.
CEF field name: PanOSTextRecords
EMAIL field name: TextRecords
HTTPS field name: TextRecords
LEEF field name: TextRecords
time_generated
(TIME GENERATED)
Time the log was generated on the data plane in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane with millisecond granularity, in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
token_64
(TOKENS 64)
Tokens 64 consumed.
CEF field name: PanOSTokens64
EMAIL field name: Tokens64
HTTPS field name: Tokens64
LEEF field name: Tokens64
tool_name
(TOOL NAME)
Tool name.
CEF field name: PanOSToolName
EMAIL field name: ToolName
HTTPS field name: ToolName
LEEF field name: ToolName
transaction_id
(TRANSACTION ID)
Customer-provided identifier for a specific transaction, as recorded by the API.
CEF field name: PanOSTransactionID
EMAIL field name: TransactionID
HTTPS field name: TransactionID
LEEF field name: TransactionID
tsg_id
(TSG ID)
The ID that uniquely identifies the Tenant Service Group (TSG) that this log record should be associated with.
CEF field name: PanOSTSGID
EMAIL field name: TSGID
HTTPS field name: TSGID
LEEF field name: TSGID
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vendor_severity.value
(VENDOR SEVERITY)
Severity level of the event as defined by the vendor writing this log record. Severity can be informational/low/medium/high in the API threat logs.
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity
verdict
(VERDICT)
Identifies the verdict that the API conveyed back to the caller. The verdict can be Benign or Malicious in the logs.
CEF field name: PanOSVerdict
EMAIL field name: Verdict
HTTPS field name: Verdict
LEEF field name: Verdict
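As an added example (not part of the Strata Logging Service documentation or any vendor code), the following Python parses CEF-formatted AI Runtime Security API records using the CEF extension keys listed in the table above, maps them back to the field names in the table, and flags the records an analyst should look at first: a Malicious verdict whose action was not block, a detection that hit the maximum latency and so was not blocked in line (max_latency_hit), and an AI Data Protection hit whose ai_subtype_details names the DLP rule. The three sample lines are constructed for this example; the CEF header values (vendor, product, version, log type, subtype, CEF severity), the device identifiers and the timestamps are illustrative assumptions, not values taken from the page, and the verdict and action strings are compared case-insensitively because the page gives them in mixed case.

```python
"""Triage CEF-formatted AI Runtime Security API records (added example)."""
import re

# CEF extension key -> field name, taken from the table on this page (subset).
CEF_TO_FIELD = {
    "PanOSAction": "action",
    "PanOSVerdict": "verdict",
    "PanOSVendorSeverity": "vendor_severity",
    "PanOSAIIncidentType": "ai_incident_type",
    "PanOSAIIncidentSubtype": "ai_incident_subtype",
    "PanOSAISubtypeDetails": "ai_subtype_details",
    "PanOSAIApplicationName": "ai_application_name",
    "PanOSAIModelName": "ai_model_name",
    "PanOSMaxLatencyHit": "max_latency_hit",
    "PanOSRequestResponse": "request_response",
    "PanOSScanID": "scan_id",
    "PanOSTransactionID": "transaction_id",
    "PanOSMCPServer": "mcp_server",
    "PanOSToolName": "tool_name",
    "rt": "log_time",
    "dvchost": "log_source_name",
    "deviceExternalID": "log_source_id",
}
# Pipe-delimited CEF header positions the page maps to fields:
# index 1 = Device Vendor, 4 = DeviceEventClassID, 5 = Name.
HEADER_TO_FIELD = {1: "vendor_name", 4: "log_type", 5: "sub_type"}

_PIPE_RE = re.compile(r"(?<!\\)\|")                 # a pipe not escaped as \|
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # start of a key=value pair


def parse_extension(ext):
    """Split a CEF extension into {key: value}.

    Values may contain spaces, so a new pair begins only at a whitespace
    delimited token of the form key=. Producers must escape a literal '='
    inside a value as '\\=' (and a backslash as '\\\\'); an unescaped '='
    after a space would be read as the start of a new key.
    """
    pairs = {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        pairs[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return pairs


def parse_cef_line(line):
    """Parse one CEF record into a dict keyed by this page's field names.
    Extension keys not listed in CEF_TO_FIELD are kept under their CEF key."""
    parts = _PIPE_RE.split(line.strip(), maxsplit=7)  # 7 header fields + extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    record = {HEADER_TO_FIELD[i]: parts[i].replace("\\|", "|") for i in HEADER_TO_FIELD}
    for key, value in parse_extension(parts[7]).items():
        record[CEF_TO_FIELD.get(key, key)] = value
    return record


def triage(record):
    """Return the reasons this record needs a human; [] means none."""
    reasons = []
    verdict = record.get("verdict", "").lower()
    action = record.get("action", "").lower()
    if verdict == "malicious" and action != "block":
        reasons.append("malicious verdict returned with action=%s" % action)
    # max_latency_hit=yes: the threat was found asynchronously after the
    # latency limit, so the content was not blocked in line.
    if record.get("max_latency_hit", "").lower() == "yes":
        reasons.append("detected asynchronously; content was not blocked in line")
    # For AI Data Protection hits, ai_subtype_details names the DLP rule.
    if record.get("ai_incident_type") == "AI Data Protection" and record.get("ai_subtype_details"):
        reasons.append("DLP rule matched: %s" % record["ai_subtype_details"])
    return reasons


def triage_lines(lines):
    """Return [(scan_id, reasons)] for the records that need review, in order."""
    findings = []
    for line in lines:
        record = parse_cef_line(line)
        reasons = triage(record)
        if reasons:
            findings.append((record.get("scan_id"), reasons))
    return findings


# Constructed sample records. Header values (vendor, product, version, log
# type, subtype, CEF severity), device identifiers and timestamps are
# illustrative assumptions, not values documented on this page.
SAMPLE_CEF_LINES = [
    "CEF:0|Palo Alto Networks|LF|2.0|ai_security|threat|5|rt=Mar 03 2025 10:15:02 UTC "
    "deviceExternalID=airs-api-cloud dvchost=airs-api-cloud PanOSAction=block "
    "PanOSVerdict=malicious PanOSVendorSeverity=high PanOSAIIncidentType=AI Model Protection "
    "PanOSAIIncidentSubtype=Prompt Injection PanOSRequestResponse=request PanOSMaxLatencyHit=no "
    "PanOSAIModelName=GPT-4 PanOSAIApplicationName=hr-assistant PanOSScanID=scan-0001 "
    "PanOSTransactionID=txn-42",
    "CEF:0|Palo Alto Networks|LF|2.0|ai_security|threat|4|rt=Mar 03 2025 10:16:40 UTC "
    "deviceExternalID=airs-api-cloud dvchost=airs-api-cloud PanOSAction=alert "
    "PanOSVerdict=malicious PanOSVendorSeverity=medium PanOSAIIncidentType=AI Data Protection "
    "PanOSAIIncidentSubtype=Data Rule PanOSAISubtypeDetails=Credit Card Numbers "
    "PanOSRequestResponse=response PanOSMaxLatencyHit=yes PanOSAIModelName=Gemini 1.5 Pro "
    "PanOSAIApplicationName=hr-assistant PanOSScanID=scan-0002 PanOSTransactionID=txn-43",
    "CEF:0|Palo Alto Networks|LF|2.0|ai_security|threat|1|rt=Mar 03 2025 10:17:05 UTC "
    "deviceExternalID=airs-api-cloud dvchost=airs-api-cloud PanOSAction=allow "
    "PanOSVerdict=benign PanOSVendorSeverity=informational PanOSRequestResponse=request "
    "PanOSMaxLatencyHit=no PanOSAIModelName=GPT-4 PanOSAIApplicationName=hr-assistant "
    "PanOSMCPServer=jira-mcp PanOSToolName=search_issues PanOSScanID=scan-0003 "
    "PanOSTransactionID=txn-44",
]

if __name__ == "__main__":
    for scan_id, reasons in triage_lines(SAMPLE_CEF_LINES):
        print(scan_id, "->", "; ".join(reasons))
```

Only the second sample is reported: the prompt injection in the first was blocked in line, and the third is a benign scan. The parser splits on the seven unescaped header pipes only, so a pipe inside an extension value (for example in a URL category string) stays in the value; the same caveat applies to `=` inside values, which the producer must escape as `\=` per the CEF specification.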