Strata Logging Service
Events
The event logs contain the information that Prisma Access Browser collects for investigating every activity within your Enterprise Browser deployment.
The following table lists each event field, its display name and description, and the field name used in each supported log format (CEF, EMAIL, HTTPS, LEEF):
EVENTS Field
(Display Name)
|
Description
|
---|---|
application.app_category
(APPLICATION - APP CATEGORY)
|
The category of application associated with the event.
CEF field name: PanOSApplicationAppCategory
EMAIL field name: ApplicationAppCategory
HTTPS field name: ApplicationAppCategory
LEEF field name: ApplicationAppCategory
|
application.app_sub_category
(APPLICATION - APP SUBCATEGORY)
|
The sub-category of application associated with the event.
CEF field name: PanOSApplicationAppSubcategory
EMAIL field name: ApplicationAppSubcategory
HTTPS field name: ApplicationAppSubcategory
LEEF field name: ApplicationAppSubcategory
|
application.external_id
(APPLICATION - EXTERNAL ID)
|
The unique identifier of the application.
CEF field name: PanOSApplicationExternalID
EMAIL field name: ApplicationExternalID
HTTPS field name: ApplicationExternalID
LEEF field name: ApplicationExternalID
|
application.external_name
(APPLICATION - EXTERNAL NAME)
|
The public name of the application associated with the event.
CEF field name: PanOSApplicationExternalName
EMAIL field name: ApplicationExternalName
HTTPS field name: ApplicationExternalName
LEEF field name: ApplicationExternalName
|
application.id
(APPLICATION - ID)
|
Enumeration integer assigned to the application field value.
CEF field name: PanOSApplicationID
EMAIL field name: ApplicationID
HTTPS field name: ApplicationID
LEEF field name: ApplicationID
|
application.name
(APPLICATION - NAME)
|
The application name (as used in APP-ID) associated with the event.
CEF field name: PanOSApplicationName
EMAIL field name: ApplicationName
HTTPS field name: ApplicationName
LEEF field name: ApplicationName
|
application.protected_account
(APPLICATION - PROTECTED ACCOUNT)
|
Identifies if the SaaS account is protected or not.
CEF field name: PanOSApplicationProtectedAccount
EMAIL field name: ApplicationProtectedAccount
HTTPS field name: ApplicationProtectedAccount
LEEF field name: ApplicationProtectedAccount
|
application.risk_of_app
(APPLICATION - RISK OF APP)
|
The risk score of the application associated with the event.
CEF field name: PanOSApplicationRiskofApp
EMAIL field name: ApplicationRiskOfApp
HTTPS field name: ApplicationRiskOfApp
LEEF field name: ApplicationRiskOfApp
|
application.source
(APPLICATION - SOURCE)
|
The source of the application; either Catalog - application from the
App-id catalog, or Custom - a private application stored at the
data center.
CEF field name: PanOSApplicationSource
EMAIL field name: ApplicationSource
HTTPS field name: ApplicationSource
LEEF field name: ApplicationSource
|
application.username
(APPLICATION - USERNAME)
|
The username that is used to log in to a specific application.
CEF field name: PanOSApplicationUsername
EMAIL field name: ApplicationUsername
HTTPS field name: ApplicationUsername
LEEF field name: ApplicationUsername
|
batch_id
(BATCH ID)
|
Identifier of the batch to which the event is associated.
CEF field name: PanOSBatchID
EMAIL field name: BatchID
HTTPS field name: BatchID
LEEF field name: BatchID
|
browser_extension.app_launch_url
(BROWSER EXTENSION - APP LAUNCH URL)
|
A URL that the extension can open from the Extensions screen.
CEF field name: PanOSBrowserExtensionAppLaunchURL
EMAIL field name: BrowserExtensionAppLaunchURL
HTTPS field name: BrowserExtensionAppLaunchURL
LEEF field name: BrowserExtensionAppLaunchURL
|
browser_extension.available_launch_types
(BROWSER EXTENSION - AVAILABLE LAUNCH TYPES)
|
The way the extension can handle new tab (for example, open as a new
tab, open a new window).
CEF field name: PanOSBrowserExtensionAvailableLaunchTypes
EMAIL field name: BrowserExtensionAvailableLaunchTypes
HTTPS field name: BrowserExtensionAvailableLaunchTypes
LEEF field name: BrowserExtensionAvailableLaunchTypes
|
browser_extension.description
(BROWSER EXTENSION - DESCRIPTION)
|
The description in the first row, as seen in the chrome extensions
store.
CEF field name: PanOSBrowserExtensionDescription
EMAIL field name: BrowserExtensionDescription
HTTPS field name: BrowserExtensionDescription
LEEF field name: BrowserExtensionDescription
|
browser_extension.disabled_reason
(BROWSER EXTENSION - DISABLED REASON)
|
The reason why the extension was disabled.
CEF field name: PanOSBrowserExtensionDisabledReason
EMAIL field name: BrowserExtensionDisabledReason
HTTPS field name: BrowserExtensionDisabledReason
LEEF field name: BrowserExtensionDisabledReason
|
browser_extension.enabled
(BROWSER EXTENSION - ENABLED)
|
The status of the extension that is enabled.
CEF field name: PanOSBrowserExtensionEnabled
EMAIL field name: BrowserExtensionEnabled
HTTPS field name: BrowserExtensionEnabled
LEEF field name: BrowserExtensionEnabled
|
browser_extension.homepage_url
(BROWSER EXTENSION - HOMEPAGE URL)
|
The extension page in the chrome extensions store.
CEF field name: PanOSBrowserExtensionHomepageURL
EMAIL field name: BrowserExtensionHomepageURL
HTTPS field name: BrowserExtensionHomepageURL
LEEF field name: BrowserExtensionHomepageURL
|
browser_extension.host_permissions
(BROWSER EXTENSION - HOST PERMISSIONS)
|
The web access permissions (URLs) of the extension.
CEF field name: PanOSBrowserExtensionHostPermissions
EMAIL field name: BrowserExtensionHostPermissions
HTTPS field name: BrowserExtensionHostPermissions
LEEF field name: BrowserExtensionHostPermissions
|
browser_extension.id
(BROWSER EXTENSION - ID)
|
Enumeration integer assigned to the browser_extension field value.
CEF field name: PanOSBrowserExtensionID
EMAIL field name: BrowserExtensionID
HTTPS field name: BrowserExtensionID
LEEF field name: BrowserExtensionID
|
browser_extension.install_type
(BROWSER EXTENSION - INSTALL TYPE)
|
The installation type of the extension.
CEF field name: PanOSBrowserExtensionInstallType
EMAIL field name: BrowserExtensionInstallType
HTTPS field name: BrowserExtensionInstallType
LEEF field name: BrowserExtensionInstallType
|
browser_extension.is_app
(BROWSER EXTENSION - IS APP)
|
Identifies if the browser extension is an application or an
extension.
CEF field name: PanOSBrowserExtensionIsApp
EMAIL field name: BrowserExtensionIsApp
HTTPS field name: BrowserExtensionIsApp
LEEF field name: BrowserExtensionIsApp
|
browser_extension.launch_type
(BROWSER EXTENSION - LAUNCH TYPE)
|
The way the extension will handle new tab (for example, open as a
new tab, open a new window).
CEF field name: PanOSBrowserExtensionLaunchType
EMAIL field name: BrowserExtensionLaunchType
HTTPS field name: BrowserExtensionLaunchType
LEEF field name: BrowserExtensionLaunchType
|
browser_extension.may_disable
(BROWSER EXTENSION - MAY DISABLE)
|
Indicates whether the extension can be disabled.
CEF field name: PanOSBrowserExtensionMayDisable
EMAIL field name: BrowserExtensionMayDisable
HTTPS field name: BrowserExtensionMayDisable
LEEF field name: BrowserExtensionMayDisable
|
browser_extension.name
(BROWSER EXTENSION - NAME)
|
The public name of the browser extension.
CEF field name: PanOSBrowserExtensionName
EMAIL field name: BrowserExtensionName
HTTPS field name: BrowserExtensionName
LEEF field name: BrowserExtensionName
|
browser_extension.offline_enabled
(BROWSER EXTENSION - OFFLINE ENABLED)
|
The offline mode status of the browser extension.
CEF field name: PanOSBrowserExtensionOfflineEnabled
EMAIL field name: BrowserExtensionOfflineEnabled
HTTPS field name: BrowserExtensionOfflineEnabled
LEEF field name: BrowserExtensionOfflineEnabled
|
browser_extension.options_url
(BROWSER EXTENSION - OPTIONS URL)
|
The URL for the item's options page, if available.
CEF field name: PanOSBrowserExtensionOptionsURL
EMAIL field name: BrowserExtensionOptionsURL
HTTPS field name: BrowserExtensionOptionsURL
LEEF field name: BrowserExtensionOptionsURL
|
browser_extension.permissions
(BROWSER EXTENSION - PERMISSIONS)
|
The browser API permissions for the extension.
CEF field name: PanOSBrowserExtensionPermissions
EMAIL field name: BrowserExtensionPermissions
HTTPS field name: BrowserExtensionPermissions
LEEF field name: BrowserExtensionPermissions
|
browser_extension.short_name
(BROWSER EXTENSION - SHORT NAME)
|
The abbreviated name of the extension.
CEF field name: PanOSBrowserExtensionShortName
EMAIL field name: BrowserExtensionShortName
HTTPS field name: BrowserExtensionShortName
LEEF field name: BrowserExtensionShortName
|
browser_extension.type
(BROWSER EXTENSION - TYPE)
|
The type of extension (public, private).
CEF field name: PanOSBrowserExtensionType
EMAIL field name: BrowserExtensionType
HTTPS field name: BrowserExtensionType
LEEF field name: BrowserExtensionType
|
browser_extension.update_url
(BROWSER EXTENSION - UPDATE URL)
|
Unique URL used to grab extension updates.
CEF field name: PanOSBrowserExtensionUpdateURL
EMAIL field name: BrowserExtensionUpdateURL
HTTPS field name: BrowserExtensionUpdateURL
LEEF field name: BrowserExtensionUpdateURL
|
browser_extension.version
(BROWSER EXTENSION - VERSION)
|
Current version of the extension.
CEF field name: PanOSBrowserExtensionVersion
EMAIL field name: BrowserExtensionVersion
HTTPS field name: BrowserExtensionVersion
LEEF field name: BrowserExtensionVersion
|
certificate.created_time
(CERTIFICATE - CREATED TIME)
|
The time stamp when the certificate was created.
CEF field name: PanOSCertificateCreatedTime
EMAIL field name: CertificateCreatedTime
HTTPS field name: CertificateCreatedTime
LEEF field name: CertificateCreatedTime
|
certificate.expiration_time
(CERTIFICATE - EXPIRATION TIME)
|
The expiry time stamp of the certificate.
CEF field name: PanOSCertificateExpirationTime
EMAIL field name: CertificateExpirationTime
HTTPS field name: CertificateExpirationTime
LEEF field name: CertificateExpirationTime
|
certificate.fingerprints
(CERTIFICATE - FINGERPRINTS)
|
Certificate's fingerprint (HASH) and its public key.
CEF field name: PanOSCertificateFingerprints
EMAIL field name: CertificateFingerprints
HTTPS field name: CertificateFingerprints
LEEF field name: CertificateFingerprints
|
certificate.issuer
(CERTIFICATE - ISSUER)
|
The issuer of the certificate.
CEF field name: PanOSCertificateIssuer
EMAIL field name: CertificateIssuer
HTTPS field name: CertificateIssuer
LEEF field name: CertificateIssuer
|
certificate.serial_number
(CERTIFICATE - SERIAL NUMBER)
|
The serial number of the certificate.
CEF field name: PanOSCertificateSerialNumber
EMAIL field name: CertificateSerialNumber
HTTPS field name: CertificateSerialNumber
LEEF field name: CertificateSerialNumber
|
certificate.subject
(CERTIFICATE - SUBJECT)
|
Certificate's common name or organization name.
CEF field name: PanOSCertificateSubject
EMAIL field name: CertificateSubject
HTTPS field name: CertificateSubject
LEEF field name: CertificateSubject
|
classification.category
(CLASSIFICATION - CATEGORY)
|
Event category- initial classification for Prisma Access Browser
events.
CEF field name: PanOSClassificationCategory
EMAIL field name: ClassificationCategory
HTTPS field name: ClassificationCategory
LEEF field name: ClassificationCategory
|
classification.malicious_categories
(CLASSIFICATION - MALICIOUS CATEGORIES)
|
List of the relevant malicious categories (phishing, malware, etc).
CEF field name: PanOSClassificationMaliciousCategories
EMAIL field name: ClassificationMaliciousCategories
HTTPS field name: ClassificationMaliciousCategories
LEEF field name: ClassificationMaliciousCategories
|
classification.mitre
(CLASSIFICATION - MITRE)
|
List of the relevant MITRE attack techniques.
CEF field name: PanOSClassificationMITRE
EMAIL field name: ClassificationMITRE
HTTPS field name: ClassificationMITRE
LEEF field name: ClassificationMITRE
|
classification.reputation
(CLASSIFICATION - REPUTATION)
|
The site reputation: Ok, Moderate, or Danger.
CEF field name: PanOSClassificationReputation
EMAIL field name: ClassificationReputation
HTTPS field name: ClassificationReputation
LEEF field name: ClassificationReputation
|
classification.security_compliance
(CLASSIFICATION - SECURITY COMPLIANCE)
|
List of compliance standards relevant for the end user activity.
CEF field name: PanOSClassificationSecurityCompliance
EMAIL field name: ClassificationSecurityCompliance
HTTPS field name: ClassificationSecurityCompliance
LEEF field name: ClassificationSecurityCompliance
|
classification.severity
(CLASSIFICATION - SEVERITY )
|
Severity of the activity.
CEF field name: PanOSClassificationSeverity
EMAIL field name: ClassificationSeverity
HTTPS field name: ClassificationSeverity
LEEF field name: ClassificationSeverity
|
clipboard.from_url
(CLIPBOARD - FROM URL)
|
The tab URL from which data was copied to the clipboard.
CEF field name: PanOSClipboardFromURL
EMAIL field name: ClipboardFromURL
HTTPS field name: ClipboardFromURL
LEEF field name: ClipboardFromURL
|
clipboard.selected_element
(CLIPBOARD - SELECTED ELEMENT)
|
Unique website element identifier.
CEF field name: PanOSClipboardSelectedElement
EMAIL field name: ClipboardSelectedElement
HTTPS field name: ClipboardSelectedElement
LEEF field name: ClipboardSelectedElement
|
content.categories
(CONTENT - CATEGORIES)
|
List of categories matched for the content.
CEF field name: PanOSContentCategories
EMAIL field name: ContentCategories
HTTPS field name: ContentCategories
LEEF field name: ContentCategories
|
content.length_bytes
(CONTENT - LENGTH BYTES)
|
File size in bytes.
CEF field name: PanOSContentLengthBytes
EMAIL field name: ContentLengthBytes
HTTPS field name: ContentLengthBytes
LEEF field name: ContentLengthBytes
|
content.mip_matched_label
(CONTENT - MIP MATCHED LABEL)
|
MIP matched label on content, if applicable.
CEF field name: PanOSContentMIPMatchedLabel
EMAIL field name: ContentMIPMatchedLabel
HTTPS field name: ContentMIPMatchedLabel
LEEF field name: ContentMIPMatchedLabel
|
content.scan_engine
(CONTENT - SCAN ENGINE)
|
Engine used to scan content.
CEF field name: PanOSContentScanEngine
EMAIL field name: ContentScanEngine
HTTPS field name: ContentScanEngine
LEEF field name: ContentScanEngine
|
content.sensitive_data_categories
(CONTENT - SENSITIVE DATA CATEGORIES)
|
Content sensitive category or categories (if applicable).
CEF field name: PanOSContentSensitiveDataCategories
EMAIL field name: ContentSensitiveDataCategories
HTTPS field name: ContentSensitiveDataCategories
LEEF field name: ContentSensitiveDataCategories
|
content.source_element_selector
(CONTENT - SOURCE ELEMENT SELECTOR)
|
Type of element that was selected.
CEF field name: PanOSContentSourceElementSelector
EMAIL field name: ContentSourceElementSelector
HTTPS field name: ContentSourceElementSelector
LEEF field name: ContentSourceElementSelector
|
content.source_url
(CONTENT - SOURCE URL)
|
The URL from which the element was selected.
CEF field name: PanOSContentSourceURL
EMAIL field name: ContentSourceURL
HTTPS field name: ContentSourceURL
LEEF field name: ContentSourceURL
|
customer_id
(TENANT ID)
|
The ID that uniquely identifies the Strata Logging Service
instance which received this log record.
CEF field name: PanOSCortexDataLakeTenantID
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID
|
device.browser_brand
(DEVICE - BROWSER BRAND)
|
Browser brand (Prisma Access Browser, Chrome, Edge, etc.), mostly
relevant for Prisma Access Browser extension offering.
CEF field name: PanOSDeviceBrowserBrand
EMAIL field name: DeviceBrowserBrand
HTTPS field name: DeviceBrowserBrand
LEEF field name: DeviceBrowserBrand
|
device.browser_type
(DEVICE - BROWSER TYPE)
|
Browser type (Enterprise browser, Mobile, Extension only).
CEF field name: PanOSDeviceBrowserType
EMAIL field name: DeviceBrowserType
HTTPS field name: DeviceBrowserType
LEEF field name: DeviceBrowserType
|
device.browser_version
(DEVICE - BROWSER VERSION)
|
Browser version (of the specific used browser type) at the time of
the event.
CEF field name: PanOSDeviceBrowserVersion
EMAIL field name: DeviceBrowserVersion
HTTPS field name: DeviceBrowserVersion
LEEF field name: DeviceBrowserVersion
|
device.device_uuid
(DEVICE - UUID )
|
Unique endpoint device identifier.
CEF field name: PanOSDeviceUUID
EMAIL field name: DeviceUUID
HTTPS field name: DeviceUUID
LEEF field name: DeviceUUID
|
device.device_version
(DEVICE - VERSION)
|
The version of the endpoint device.
CEF field name: PanOSDeviceVersion
EMAIL field name: DeviceVersion
HTTPS field name: DeviceVersion
LEEF field name: DeviceVersion
|
device.disk_encryption_status
(DEVICE - DISK ENCRYPTION STATUS)
|
Disk encryption status of endpoint device system
(enabled/disabled/unknown).
CEF field name: PanOSDeviceDiskEncryptionStatus
EMAIL field name: DeviceDiskEncryptionStatus
HTTPS field name: DeviceDiskEncryptionStatus
LEEF field name: DeviceDiskEncryptionStatus
|
device.epp_status
(DEVICE - EPP STATUS)
|
Endpoint protection status of endpoint device
(enabled/disabled/unknown).
CEF field name: PanOSDeviceEPPStatus
EMAIL field name: DeviceEPPStatus
HTTPS field name: DeviceEPPStatus
LEEF field name: DeviceEPPStatus
|
device.extension_version
(DEVICE - EXTENSION VERSION)
|
Prisma Access Browser extension version at the time of event
(Enterprise browser extension).
CEF field name: PanOSDeviceExtensionVersion
EMAIL field name: DeviceExtensionVersion
HTTPS field name: DeviceExtensionVersion
LEEF field name: DeviceExtensionVersion
|
device.firewall_status
(DEVICE - FIREWALL STATUS)
|
Firewall status of endpoint device (enabled/disabled/unknown).
CEF field name: PanOSDeviceFirewallStatus
EMAIL field name: DeviceFirewallStatus
HTTPS field name: DeviceFirewallStatus
LEEF field name: DeviceFirewallStatus
|
device.geoip_from_city_name
(DEVICE - GEO IP FROM CITY NAME)
|
Device location of endpoint; city- UI name.
CEF field name: PanOSDeviceGeoIPFromCityName
EMAIL field name: DeviceGeoIPFromCityName
HTTPS field name: DeviceGeoIPFromCityName
LEEF field name: DeviceGeoIPFromCityName
|
device.geoip_from_country_name
(DEVICE - GEO IP FROM COUNTRY NAME)
|
Device location of endpoint; country - UI name.
CEF field name: PanOSDeviceGeoIPFromCountryName
EMAIL field name: DeviceGeoIPFromCountryName
HTTPS field name: DeviceGeoIPFromCountryName
LEEF field name: DeviceGeoIPFromCountryName
|
device.geoip_from_location_latitude
(DEVICE - GEO IP FROM LOCATION LATITUDE)
|
Device location of endpoint - geoIP latitude.
CEF field name: PanOSDeviceGeoIPFromLocationLatitude
EMAIL field name: DeviceGeoIPFromLocationLatitude
HTTPS field name: DeviceGeoIPFromLocationLatitude
LEEF field name: DeviceGeoIPFromLocationLatitude
|
device.geoip_from_location_longitude
(DEVICE - GEO IP FROM LOCATION LONGITUDE)
|
Device location of endpoint - geoIP longitude.
CEF field name: PanOSDeviceGeoIPFromLocationLongitude
EMAIL field name: DeviceGeoIPFromLocationLongitude
HTTPS field name: DeviceGeoIPFromLocationLongitude
LEEF field name: DeviceGeoIPFromLocationLongitude
|
device.groups.ids
(DEVICE - GROUPS IDS)
|
List of device groups IDs associated with the device, at time of
event.
CEF field name: PanOSDeviceGroupsIDs
EMAIL field name: DeviceGroupsIDs
HTTPS field name: DeviceGroupsIDs
LEEF field name: DeviceGroupsIDs
|
device.groups.names
(DEVICE - GROUPS NAMES)
|
List of device groups names associated with the device, at time of
event.
CEF field name: PanOSDeviceGroupsNames
EMAIL field name: DeviceGroupsNames
HTTPS field name: DeviceGroupsNames
LEEF field name: DeviceGroupsNames
|
device.hostname
(DEVICE - HOSTNAME)
|
Prisma Access Browser endpoint name.
CEF field name: PanOSDeviceHostname
EMAIL field name: DeviceHostname
HTTPS field name: DeviceHostname
LEEF field name: DeviceHostname
|
device.ip_address
(DEVICE - IP ADDRESS)
|
External IP address of the device.
CEF field name: PanOSDeviceIPAddress
EMAIL field name: DeviceIPAddress
HTTPS field name: DeviceIPAddress
LEEF field name: DeviceIPAddress
|
device.mac_addresses
(DEVICE - MAC ADDRESSES)
|
MAC address of the endpoint device.
CEF field name: PanOSMACAddresses
EMAIL field name: DeviceMACAddresses
HTTPS field name: DeviceMACAddresses
LEEF field name: DeviceMACAddresses
|
device.model
(DEVICE - MODEL)
|
Endpoint device model.
CEF field name: PanOSDeviceModel
EMAIL field name: DeviceModel
HTTPS field name: DeviceModel
LEEF field name: DeviceModel
|
device.os.android.build
(DEVICE - OS ANDROID BUILD)
|
Android build version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSAndroidBuild
EMAIL field name: DeviceOSAndroidBuild
HTTPS field name: DeviceOSAndroidBuild
LEEF field name: DeviceOSAndroidBuild
|
device.os.android.patch
(DEVICE - OS ANDROID PATCH)
|
Android patch version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSAndroidPatch
EMAIL field name: DeviceOSAndroidPatch
HTTPS field name: DeviceOSAndroidPatch
LEEF field name: DeviceOSAndroidPatch
|
device.os.android.release
(DEVICE - OS ANDROID RELEASE)
|
Android release version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSAndroidRelease
EMAIL field name: DeviceOSAndroidRelease
HTTPS field name: DeviceOSAndroidRelease
LEEF field name: DeviceOSAndroidRelease
|
device.os.android.sdk
(DEVICE - OS ANDROID SDK)
|
Android sdk version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSAndroidSDK
EMAIL field name: DeviceOSAndroidSDK
HTTPS field name: DeviceOSAndroidSDK
LEEF field name: DeviceOSAndroidSDK
|
device.os.ios.major
(DEVICE - OS IOS MAJOR)
|
Major version of iOS of endpoint device (if relevant).
CEF field name: PanOSDeviceOSiOSMajor
EMAIL field name: DeviceOSiOSMajor
HTTPS field name: DeviceOSiOSMajor
LEEF field name: DeviceOSiOSMajor
|
device.os.ios.minor
(DEVICE - OS IOS MINOR)
|
Minor version of iOS of endpoint device (if relevant).
CEF field name: PanOSDeviceOSiOSMinor
EMAIL field name: DeviceOSiOSMinor
HTTPS field name: DeviceOSiOSMinor
LEEF field name: DeviceOSiOSMinor
|
device.os.ios.patch
(DEVICE - OS IOS PATCH)
|
iOS patch version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSiOSPatch
EMAIL field name: DeviceOSiOSPatch
HTTPS field name: DeviceOSiOSPatch
LEEF field name: DeviceOSiOSPatch
|
device.os.macos.bugfix
(DEVICE - OS MACOS BUGFIX)
|
Bug fix version of macOS for endpoint device (if relevant).
CEF field name: PanOSDeviceOSmacOSBugfix
EMAIL field name: DeviceOSmacOSBugfix
HTTPS field name: DeviceOSmacOSBugfix
LEEF field name: DeviceOSmacOSBugfix
|
device.os.macos.build
(DEVICE - OS MACOS BUILD)
|
macOS build version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSmacOSBuild
EMAIL field name: DeviceOSmacOSBuild
HTTPS field name: DeviceOSmacOSBuild
LEEF field name: DeviceOSmacOSBuild
|
device.os.macos.major
(DEVICE - OS MACOS MAJOR)
|
Major version of macOS (if relevant).
CEF field name: PanOSDeviceOSmacOSMajor
EMAIL field name: DeviceOSmacOSMajor
HTTPS field name: DeviceOSmacOSMajor
LEEF field name: DeviceOSmacOSMajor
|
device.os.macos.minor
(DEVICE - OS MACOS MINOR)
|
Minor version of macOS (if relevant).
CEF field name: PanOSDeviceOSmacOSMinor
EMAIL field name: DeviceOSmacOSMinor
HTTPS field name: DeviceOSmacOSMinor
LEEF field name: DeviceOSmacOSMinor
|
device.os.macos.server
(DEVICE - OS MACOS SERVER)
|
macOS server name of endpoint device (if relevant).
CEF field name: PanOSDeviceOSmacOSServer
EMAIL field name: DeviceOSmacOSServer
HTTPS field name: DeviceOSmacOSServer
LEEF field name: DeviceOSmacOSServer
|
device.os.type
(DEVICE - OS TYPE)
|
Operating system of the endpoint device.
CEF field name: PanOSDeviceOSType
EMAIL field name: DeviceOSType
HTTPS field name: DeviceOSType
LEEF field name: DeviceOSType
|
device.os.windows.build
(DEVICE - OS WINDOWS BUILD)
|
Windows build version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSWindowsBuild
EMAIL field name: DeviceOSWindowsBuild
HTTPS field name: DeviceOSWindowsBuild
LEEF field name: DeviceOSWindowsBuild
|
device.os.windows.major
(DEVICE - OS WINDOWS MAJOR)
|
Windows major version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSWindowsMajor
EMAIL field name: DeviceOSWindowsMajor
HTTPS field name: DeviceOSWindowsMajor
LEEF field name: DeviceOSWindowsMajor
|
device.os.windows.minor
(DEVICE - OS WINDOWS MINOR)
|
Windows minor version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSWindowsMinor
EMAIL field name: DeviceOSWindowsMinor
HTTPS field name: DeviceOSWindowsMinor
LEEF field name: DeviceOSWindowsMinor
|
device.os.windows.patch
(DEVICE - OS WINDOWS PATCH)
|
Windows patch version of endpoint device (if relevant).
CEF field name: PanOSDeviceOSWindowsPatch
EMAIL field name: DeviceOSWindowsPatch
HTTPS field name: DeviceOSWindowsPatch
LEEF field name: DeviceOSWindowsPatch
|
device.os.windows.product
(DEVICE - OS WINDOWS PRODUCT)
|
Windows product name of endpoint device (if relevant).
.
CEF field name: PanOSDeviceOSWindowsProduct
EMAIL field name: DeviceOSWindowsProduct
HTTPS field name: DeviceOSWindowsProduct
LEEF field name: DeviceOSWindowsProduct
|
device.os_display_name
(DEVICE - OS DISPLAY NAME)
|
Display name of operating system of endpoint device.
CEF field name: PanOSDeviceOSDisplayName
EMAIL field name: DeviceOSDisplayName
HTTPS field name: DeviceOSDisplayName
LEEF field name: DeviceOSDisplayName
|
device.raw_universal_id
(DEVICE - RAW UNIVERSAL ID)
|
Unique identifier for endpoint device.
CEF field name: PanOSDeviceRawUniversalID
EMAIL field name: DeviceRawUniversalID
HTTPS field name: DeviceRawUniversalID
LEEF field name: DeviceRawUniversalID
|
device.screen_lock_status
(DEVICE - SCREEN LOCK STATUS)
|
Screen lock status of endpoint device (enabled/disabled/unknown).
CEF field name: PanOSDeviceScreenLockStatus
EMAIL field name: DeviceScreenLockStatus
HTTPS field name: DeviceScreenLockStatus
LEEF field name: DeviceScreenLockStatus
|
device.serial_number
(DEVICE - SERIAL NUMBER)
|
Serial number assigned by the manufacturer to an endpoint device.
CEF field name: PanOSDeviceSerialNumber
EMAIL field name: DeviceSerialNumber
HTTPS field name: DeviceSerialNumber
LEEF field name: DeviceSerialNumber
|
device.type
(DEVICE - TYPE)
|
Device type of endpoint device
(desktop/laptop/mobile/server/tablet).
CEF field name: PanOSDeviceType
EMAIL field name: DeviceType
HTTPS field name: DeviceType
LEEF field name: DeviceType
|
device.user_agent
(DEVICE - USER AGENT)
|
Identifies browser type.
CEF field name: PanOSDeviceUserAgent
EMAIL field name: DeviceUserAgent
HTTPS field name: DeviceUserAgent
LEEF field name: DeviceUserAgent
|
file.extension
(FILE - EXTENSION)
|
The file type of the event.
CEF field name: PanOSFileExtension
EMAIL field name: FileExtension
HTTPS field name: FileExtension
LEEF field name: FileExtension
|
file.is_encrypted
(FILE - IS ENCRYPTED)
|
The file encryption status of the event.
CEF field name: PanOSFileIsEncrypted
EMAIL field name: FileIsEncrypted
HTTPS field name: FileIsEncrypted
LEEF field name: FileIsEncrypted
|
file.local_path
(FILE - LOCAL PATH)
|
The file's selected path on the disk of the endpoint device.
CEF field name: PanOSFileLocalPath
EMAIL field name: FileLocalPath
HTTPS field name: FileLocalPath
LEEF field name: FileLocalPath
|
file.mime_type
(FILE - MIME TYPE)
|
The event's file MIME type (for example, HTML, JPEG, MPEG, and so
on.).
CEF field name: PanOSFileMimeType
EMAIL field name: FileMimeType
HTTPS field name: FileMimeType
LEEF field name: FileMimeType
|
file.name
(FILE - NAME)
|
The file name of the event.
CEF field name: PanOSFileName
EMAIL field name: FileName
HTTPS field name: FileName
LEEF field name: FileName
|
file.operation
(FILE - OPERATION)
|
File handling operation (for example, download, upload, etc.).
CEF field name: PanOSFileOperation
EMAIL field name: FileOperation
HTTPS field name: FileOperation
LEEF field name: FileOperation
|
file.origin_download_url
(FILE - ORIGIN DOWNLOAD URL)
|
URL of the event's source file.
CEF field name: PanOSFileOriginDownloadURL
EMAIL field name: FileOriginDownloadURL
HTTPS field name: FileOriginDownloadURL
LEEF field name: FileOriginDownloadURL
|
file.sha256
(FILE - SHA256)
|
File hash of the event.
CEF field name: PanOSFileSHA256
EMAIL field name: FileSHA256
HTTPS field name: FileSHA256
LEEF field name: FileSHA256
|
file.url
(FILE - URL)
|
The associated URL of the event when handling files.
CEF field name: PanOSFileURL
EMAIL field name: FileURL
HTTPS field name: FileURL
LEEF field name: FileURL
|
log_source
(LOG SOURCE)
|
Identifies the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
|
log_source_group_id
(LOG SOURCE GROUP ID)
|
ID that uniquely identifies the logSourceGroupId of the log group.
CEF field name: PanOSLogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID
|
log_source_id
(DEVICE SN)
|
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
|
log_source_name
(DEVICE NAME)
|
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
|
log_time
(TIME RECEIVED)
|
Time the log was received in Strata Logging Service. This is
populated by the platform.
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
|
log_type.value
(LOG TYPE)
|
Identifies the log type.
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
|
network.classifications
(NETWORK - CLASSIFICATIONS)
|
Web classification of the website associated with the event.
CEF field name: PanOSNetworkClassifications
EMAIL field name: NetworkClassifications
HTTPS field name: NetworkClassifications
LEEF field name: NetworkClassifications
|
network.frame_url
(NETWORK - FRAME URL)
|
The URL of the frame within the website (iframe scenario).
CEF field name: PanOSNetworkFrameURL
EMAIL field name: NetworkFrameURL
HTTPS field name: NetworkFrameURL
LEEF field name: NetworkFrameURL
|
network.http.method
(NETWORK - HTTP METHOD)
|
HTTP methods (GET, POST, etc) used in the event.
CEF field name: PanOSNetworkHTTPMethod
EMAIL field name: NetworkHTTPMethod
HTTPS field name: NetworkHTTPMethod
LEEF field name: NetworkHTTPMethod
|
network.http.status
(NETWORK - HTTP STATUS)
|
HTTP status codes (200, 404, etc.) associated with the event.
CEF field name: PanOSNetworkHTTPStatus
EMAIL field name: NetworkHTTPStatus
HTTPS field name: NetworkHTTPStatus
LEEF field name: NetworkHTTPStatus
|
network.protocol
(NETWORK - PROTOCOL)
|
Protocol used for the event.
CEF field name: PanOSNetworkProtocol
EMAIL field name: NetworkProtocol
HTTPS field name: NetworkProtocol
LEEF field name: NetworkProtocol
|
network.tab_url
(NETWORK - TAB URL )
|
The tab URL of the associated event.
CEF field name: PanOSNetworkTabURL
EMAIL field name: NetworkTabURL
HTTPS field name: NetworkTabURL
LEEF field name: NetworkTabURL
|
network.url
(NETWORK - URL)
|
The URL of the event on which the rule was enforced.
CEF field name: PanOSNetworkURL
EMAIL field name: NetworkURL
HTTPS field name: NetworkURL
LEEF field name: NetworkURL
|
page.capture.is_secure_screenshot
(PAGE - CAPTURE IS SECURE SCREENSHOT)
|
Identifies whether screenshot was made by the secure screenshot
capability (T/F).
CEF field name: PanOSPageCaptureIsSecureScreenshot
EMAIL field name: PageCaptureIsSecureScreenshot
HTTPS field name: PageCaptureIsSecureScreenshot
LEEF field name: PageCaptureIsSecureScreenshot
|
page.capture.triggered_by_url
(PAGE - CAPTURE TRIGGERED BY URL)
|
Identifies whether screenshot was made by the web page or not.
CEF field name: PanOSPageCaptureTriggeredByURL
EMAIL field name: PageCaptureTriggeredByURL
HTTPS field name: PageCaptureTriggeredByURL
LEEF field name: PageCaptureTriggeredByURL
|
page.devtools.block_reason
(PAGE - DEVTOOLS BLOCK REASON)
|
The reason for which dev tools access was blocked (such as data
masking, typing guard, watermark).
CEF field name: PanOSPageDevtoolsBlockReason
EMAIL field name: PageDevtoolsBlockReason
HTTPS field name: PageDevtoolsBlockReason
LEEF field name: PageDevtoolsBlockReason
|
page.title
(PAGE - TITLE)
|
The title of the web page or tab.
CEF field name: PanOSPageTitle
EMAIL field name: PageTitle
HTTPS field name: PageTitle
LEEF field name: PageTitle
|
pincode.failed_attempts
(PINCODE - FAILED ATTEMPTS)
|
Number of failed PIN Code attempts.
CEF field name: PanOSPincodeFailedAttempts
EMAIL field name: PincodeFailedAttempts
HTTPS field name: PincodeFailedAttempts
LEEF field name: PincodeFailedAttempts
|
pincode.registration_time
(PINCODE - REGISTRATION TIME)
|
Timestamp of the last failed attempt in which the PIN Code was entered.
CEF field name: PanOSPincodeRegistrationTime
EMAIL field name: PincodeRegistrationTime
HTTPS field name: PincodeRegistrationTime
LEEF field name: PincodeRegistrationTime
|
platform_type
(PLATFORM TYPE)
|
The platform type (Valid types are PRISMA_ACCESS, CNGFW, VM, HWFW).
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
|
policy.action
(POLICY - ACTION)
|
The action taken by the policy on the endpoint activity.
CEF field name: PanOSPolicyAction
EMAIL field name: PolicyAction
HTTPS field name: PolicyAction
LEEF field name: PolicyAction
|
policy.block_reason
(POLICY - BLOCK REASON)
|
Reason for which the action was blocked.
CEF field name: PanOSPolicyBlockReason
EMAIL field name: PolicyBlockReason
HTTPS field name: PolicyBlockReason
LEEF field name: PolicyBlockReason
|
policy.bypass_reason
(POLICY - BYPASS REASON)
|
Reason provided by the end user to bypass a blocked action (one of a
list of options).
CEF field name: PanOSPolicyBypassReason
EMAIL field name: PolicyBypassReason
HTTPS field name: PolicyBypassReason
LEEF field name: PolicyBypassReason
|
policy.is_monitor
(POLICY - IS MONITOR)
|
Identifies whether the event was generated by a monitoring rule
(T/F).
CEF field name: PanOSPolicyIsMonitor
EMAIL field name: PolicyIsMonitor
HTTPS field name: PolicyIsMonitor
LEEF field name: PolicyIsMonitor
|
policy.is_session_recorded
(POLICY - IS SESSION RECORDED)
|
Identifies whether the event has a video recording.
CEF field name: PanOSPolicyIsSessionRecorded
EMAIL field name: PolicyIsSessionRecorded
HTTPS field name: PolicyIsSessionRecorded
LEEF field name: PolicyIsSessionRecorded
|
policy.rule_description
(POLICY - RULE DESCRIPTION)
|
Description of the rule that generated the event.
CEF field name: PanOSPolicyRuleDescription
EMAIL field name: PolicyRuleDescription
HTTPS field name: PolicyRuleDescription
LEEF field name: PolicyRuleDescription
|
policy.rule_id
(POLICY - RULE ID)
|
ID of the rule that generated the event.
CEF field name: PanOSPolicyRuleID
EMAIL field name: PolicyRuleID
HTTPS field name: PolicyRuleID
LEEF field name: PolicyRuleID
|
posture.block_reason
(POSTURE - BLOCK REASON)
|
Specific reason for a block caused by a posture misalignment.
CEF field name: PanOSPostureBlockReason
EMAIL field name: PostureBlockReason
HTTPS field name: PostureBlockReason
LEEF field name: PostureBlockReason
|
posture.block_type
(POSTURE - BLOCK TYPE)
|
Type of block caused by a posture misalignment.
CEF field name: PanOSPostureBlockType
EMAIL field name: PostureBlockType
HTTPS field name: PostureBlockType
LEEF field name: PostureBlockType
|
posture.error
(POSTURE - ERROR)
|
Specific posture check mechanism error.
CEF field name: PanOSPostureError
EMAIL field name: PostureError
HTTPS field name: PostureError
LEEF field name: PostureError
|
print.printer_location
(PRINT - PRINTER LOCATION)
|
Virtual name of the printer used as part of a printing activity (if
available).
CEF field name: PanOSPrintPrinterLocation
EMAIL field name: PrintPrinterLocation
HTTPS field name: PrintPrinterLocation
LEEF field name: PrintPrinterLocation
|
print.printer_name
(PRINT - PRINTER NAME)
|
Network name of the printer used as part of a printing activity.
CEF field name: PanOSPrintPrinterName
EMAIL field name: PrintPrinterName
HTTPS field name: PrintPrinterName
LEEF field name: PrintPrinterName
|
process.cli_args
(PROCESS - CLI ARGS)
|
Command-line arguments with which the executable was run.
CEF field name: PanOSProcessCLIArgs
EMAIL field name: ProcessCLIArgs
HTTPS field name: ProcessCLIArgs
LEEF field name: ProcessCLIArgs
|
process.image_path
(PROCESS - IMAGE PATH)
|
Path on disk of the browser executable.
CEF field name: PanOSProcessImagePath
EMAIL field name: ProcessImagePath
HTTPS field name: ProcessImagePath
LEEF field name: ProcessImagePath
|
process.parent_process
(PROCESS - PARENT PROCESS)
|
Parent process that launched the browser.
CEF field name: PanOSProcessParentProcess
EMAIL field name: ProcessParentProcess
HTTPS field name: ProcessParentProcess
LEEF field name: ProcessParentProcess
|
process.pid
(PROCESS - PID)
|
Identifier of the current browser process.
CEF field name: PanOSProcessPID
EMAIL field name: ProcessPID
HTTPS field name: ProcessPID
LEEF field name: ProcessPID
|
state.device_group_evaluation
(STATE - DEVICE GROUP EVALUATION)
|
Device group evaluation based on device posture.
CEF field name: PanOSStateDeviceGroupEvaluation
EMAIL field name: StateDeviceGroupEvaluation
HTTPS field name: StateDeviceGroupEvaluation
LEEF field name: StateDeviceGroupEvaluation
|
state.sign_in_rules
(STATE - SIGN IN RULES)
|
Applicable sign-in rules.
CEF field name: PanOSStateSignInRules
EMAIL field name: StateSignInRules
HTTPS field name: StateSignInRules
LEEF field name: StateSignInRules
|
sub_tenant_id
(SUBTENANT ID)
|
Identifies the sub-tenant in which the log was generated.
CEF field name: PanOSSubtenantID
EMAIL field name: SubtenantID
HTTPS field name: SubtenantID
LEEF field name: SubtenantID
|
tampering.type
(TAMPERING - TYPE)
|
Type of detected tampering activity.
CEF field name: PanOSTamperingType
EMAIL field name: TamperingType
HTTPS field name: TamperingType
LEEF field name: TamperingType
|
tenant_id
(TENANT ID)
|
The Strata Logging Service tenant id.
CEF field name: PanOSTenantID
EMAIL field name: TenantID
HTTPS field name: TenantID
LEEF field name: TenantID
|
time_generated
(TIME GENERATED)
|
Time the log was generated on the data plane in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
|
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
|
Time the log was generated on the data plane with millisecond granularity, in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution
|
timestamp
(TIMESTAMP)
|
Time the log was received in Strata Logging Service.
CEF field name: PanOSTimestamp
EMAIL field name: Timestamp
HTTPS field name: Timestamp
LEEF field name: Timestamp
|
tsg_id
(TSG ID)
|
The Tenant Service Group that uniquely identifies the Strata Logging Service instance which received this log
record.
CEF field name: PanOSTSGID
EMAIL field name: TSGID
HTTPS field name: TSGID
LEEF field name: TSGID
|
user.email
(USER - EMAIL)
|
Email address of the user that generated the event.
CEF field name: PanOSUserEmail
EMAIL field name: UserEmail
HTTPS field name: UserEmail
LEEF field name: UserEmail
|
user.external_id
(USER - EXTERNAL ID)
|
Unique user identifier.
CEF field name: PanOSUserExternalID
EMAIL field name: UserExternalID
HTTPS field name: UserExternalID
LEEF field name: UserExternalID
|
user.groups.ids
(USER - GROUPS IDS)
|
Enumeration integer assigned to the user.groups field value.
CEF field name: PanOSUserGroupsIDs
EMAIL field name: UserGroupsIDs
HTTPS field name: UserGroupsIDs
LEEF field name: UserGroupsIDs
|
user.groups.names
(USER - GROUPS NAMES)
|
Unique user group names associated with the user that generated the
event.
CEF field name: PanOSUserGroupsNames
EMAIL field name: UserGroupsNames
HTTPS field name: UserGroupsNames
LEEF field name: UserGroupsNames
|
user.id
(USER ID)
|
Enumeration integer assigned to the user field value.
CEF field name: PanOSUserID
EMAIL field name: UserID
HTTPS field name: UserID
LEEF field name: UserID
|
user.name
(USER - NAME)
|
Name of the user that generated the event.
CEF field name: PanOSUserName
EMAIL field name: UserName
HTTPS field name: UserName
LEEF field name: UserName
|
user.tenant_external_id
(USER - TENANT EXTERNAL ID)
|
External identifier of the tenant.
CEF field name: PanOSUserTenantExternalID
EMAIL field name: UserTenantExternalID
HTTPS field name: UserTenantExternalID
LEEF field name: UserTenantExternalID
|
user.tenant_id
(USER - TENANT ID)
|
Unique identifier of the tenant.
CEF field name: PanOSUserTenantID
EMAIL field name: UserTenantID
HTTPS field name: UserTenantID
LEEF field name: UserTenantID
|
user.tenant_name
(USER - TENANT NAME)
|
Name of the tenant.
CEF field name: PanOSUserTenantName
EMAIL field name: UserTenantName
HTTPS field name: UserTenantName
LEEF field name: UserTenantName
|
user.tsg_id
(USER - TSG ID)
|
TSG ID associated with the specific user.
CEF field name: PanOSUserTSGID
EMAIL field name: UserTSGID
HTTPS field name: UserTSGID
LEEF field name: UserTSGID
|
vendor_name
(VENDOR NAME)
|
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
|