Strata Logging Service

AI Security

The AI Security logs contain information to help you monitor and investigate threats found in your AI network traffic with AI Runtime Security.
The table below lists each field with its display name, a description, and the corresponding field name in each supported log format (CEF, EMAIL, HTTPS, LEEF):
AI SECURITY Field
(Display Name)
Description
action
(ACTION)
Identifies the action that the firewall took for the network traffic. Action can be allow/block/alert in the firewall logs.
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: EventID
ai_incident_report_id
(AI INCIDENT REPORT ID)
ATP report id.
CEF field name: PanOSAIIncidentReportID
EMAIL field name: AIIncidentReportID
HTTPS field name: AIIncidentReportID
LEEF field name: AIIncidentReportID
ai_incident_subtype
(AI INCIDENT SUBTYPE)
Subtype of the AI incident, such as URL Security, Prompt Injection, or Data Rule.
CEF field name: PanOSAIIncidentSubtype
EMAIL field name: AIIncidentSubtype
HTTPS field name: AIIncidentSubtype
LEEF field name: AIIncidentSubtype
ai_incident_type
(AI INCIDENT TYPE)
Type of the AI incident: AI Application Protection, AI Model Protection, AI Data Protection, Latency Limit, or Model Denied.
CEF field name: PanOSAIIncidentType
EMAIL field name: AIIncidentType
HTTPS field name: AIIncidentType
LEEF field name: AIIncidentType
ai_model_csp_name
(AI MODEL CSP NAME)
Name of the cloud provider where LLM is hosted.
CEF field name: PanOSAIModelCSPName
EMAIL field name: AIModelCSPName
HTTPS field name: AIModelCSPName
LEEF field name: AIModelCSPName
ai_model_csp_region_name
(AI MODEL CSP REGION NAME)
Region name of the cloud provider where LLM is hosted.
EMAIL field name: AIModelCSPRegionName
HTTPS field name: AIModelCSPRegionName
LEEF field name: AIModelCSPRegionName
ai_model_name
(AI MODEL NAME)
Name of the LLM, for example Gemini 1.5 Pro or GPT-4.
CEF field name: PanOSApplicationSource
EMAIL field name: AIModelName
HTTPS field name: AIModelName
LEEF field name: AIModelName
ai_security_profile_name
(AI SECURITY PROFILE NAME)
Name of the AI Security Profile that applied to the traffic, obtained through the SCM integration.
EMAIL field name: AISecurityProfileName
HTTPS field name: AISecurityProfileName
LEEF field name: AISecurityProfileName
ai_subtype_details
(AI SUBTYPE DETAILS)
If AI Data Protection - Data Filtering was triggered, this field would provide the name of the specific DLP rule that was triggered. If AI Application Protection - URL Security was triggered, this field would provide the specific URL category that was triggered.
CEF field name: PanOSAISubtypeDetails
EMAIL field name: AISubtypeDetails
HTTPS field name: AISubtypeDetails
LEEF field name: AISubtypeDetails
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Logging Service instance which received this log record. It’s equivalent to csp_id.
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID
dest_ip.value
(DESTINATION ADDRESS)
Original destination IP address.
CEF fields: dst or c6a3
EMAIL field name: DestinationAddress
HTTPS field name: DestinationAddress
LEEF field name: dst
dest_port
(DESTINATION PORT)
Network traffic's destination port. If this value is 0, then the app is using its standard port.
CEF field name: dpt
EMAIL field name: dstPort
HTTPS field name: dstPort
LEEF field name: dstPort
k8s_cluster_id
(KUBERNETES CLUSTER ID)
Kubernetes cluster ID (the cluster_id reported by the data plane).
CEF field name: PanOSKubernetesClusterID
EMAIL field name: KubernetesClusterID
HTTPS field name: KubernetesClusterID
LEEF field name: KubernetesClusterID
latency
(LATENCY)
Cloud Latency in ms (core service processing + detection module processing).
CEF field name: PanOSLatency
EMAIL field name: Latency
HTTPS field name: Latency
LEEF field name: Latency
log_source
(LOG SOURCE)
Identifies the origin of the data - the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log.
If the log is generated by Prisma Access, the serial number is not displayed.
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
The hostname of the firewall that logged the network traffic.
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_time
(TIME RECEIVED)
Time the log was received in Strata Logging Service. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.value
(LOG TYPE)
Specifies the log type.
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
max_latency_hit
(MAX LATENCY HIT)
No if the threat was blocked inline; yes if it was detected asynchronously because the maximum latency was reached before the verdict was available. Whether the value is encoded as a boolean or an integer is not specified.
CEF field name: PanOSMaxLatencyHit
EMAIL field name: MaxLatencyHit
HTTPS field name: MaxLatencyHit
LEEF field name: MaxLatencyHit
platform_type
(PLATFORM TYPE)
Identifies the platform that generated the log.
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
protocol.value
(PROTOCOL)
IP protocol associated with the session (TCP, UDP, or another protocol). Because the firewall does not currently support HTTP/3, AI traffic is carried only over TCP, so AI FW Cloud sets this value to TCP and sends it to CDL. Whether the value is encoded as an integer or a string is not specified.
CEF field name: proto
EMAIL field name: DestinationPort
HTTPS field name: DestinationPort
LEEF field name: Protocol
request_response
(THREAT IN REQUEST OR RESPONSE)
Whether threat was detected in model input or output.
EMAIL field name: ThreatinRequestorResponse
HTTPS field name: ThreatinRequestorResponse
LEEF field name: ThreatinRequestorResponse
session_id
(SESSION ID)
Identifies the firewall's internal identifier for a specific network session.
CEF field name: cn1
EMAIL field name: SessionID
HTTPS field name: SessionID
LEEF field name: SessionID
session_start_time
(SESSION START TIME)
Time when the session was established. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: PanOSSessionStartTime
EMAIL field name: SessionStartTime
HTTPS field name: SessionStartTime
LEEF field name: SessionStartTime
source_ip.value
(SOURCE ADDRESS)
Original source IP address of the session.
CEF fields: src or c6a2
EMAIL field name: SourceAddress
HTTPS field name: SourceAddress
LEEF field name: src
source_port
(SOURCE PORT)
Source port utilized by the session.
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: TimeGenerated
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
tsg_id
(TSG ID)
Tenant Service Group (TSG) ID. Generated by AI FW Cloud and sent to CDL; the data type is not specified.
CEF field name: PanOSTSGID
EMAIL field name: TSGID
HTTPS field name: TSGID
LEEF field name: TSGID
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vendor_severity.value
(VENDOR SEVERITY)
Severity level of the event as defined by the vendor writing this log record. Severity can be informational/low/medium/high in the firewall threat logs.
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity
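The following is an added example, not code from the Strata Logging Service documentation or from Palo Alto Networks. It maps AI Security records delivered in the CEF and HTTPS formats onto the table's own field names using the CEF and HTTPS field names listed above, decodes the two timestamp conventions the table documents (microseconds since the Unix epoch, and the YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z high-resolution form), and applies the practitioner's key check on this log type: a record with max_latency_hit set to yes whose action is not block describes a threat that was only detected asynchronously and therefore already reached the model or the user. Assumptions not stated on the page: the HTTPS format delivers one JSON object per record keyed by the "HTTPS field name" column, request_response takes the values "request" and "response", and the two sample records are constructed for this example.

```python
"""Added example, not code from the Strata Logging Service documentation: map AI
Security records from the CEF and HTTPS (JSON) formats onto the field names in the
table above, decode the timestamp conventions it documents, and flag detections that
were raised asynchronously. Assumed, not stated on the page: the HTTPS format carries
one JSON object per record keyed by the "HTTPS field name" column; request_response
takes the values "request" and "response"; the sample records below are constructed."""
import json
import re
from datetime import datetime, timedelta, timezone

# table field: (CEF extension key, HTTPS key), copied from the rows above; only the
# fields the triage needs are listed, extend from the table as required.
FIELDS = {
    "action": ("act", "Action"),
    "ai_incident_type": ("PanOSAIIncidentType", "AIIncidentType"),
    "ai_incident_subtype": ("PanOSAIIncidentSubtype", "AIIncidentSubtype"),
    "max_latency_hit": ("PanOSMaxLatencyHit", "MaxLatencyHit"),
    "latency": ("PanOSLatency", "Latency"),
    "request_response": (None, "ThreatinRequestorResponse"),  # no CEF name in the table
    "source_ip": ("src", "SourceAddress"),
    "dest_ip": ("dst", "DestinationAddress"),
    "session_id": ("cn1", "SessionID"),
    "log_time": ("rt", "TimeReceived"),
    "time_generated": ("start", "TimeGenerated"),
    "vendor_severity": ("PanOSVendorSeverity", "VendorSeverity"),
}
CEF_KEYS = {cef: field for field, (cef, _) in FIELDS.items() if cef}
CEF_KEYS.update({"c6a2": "source_ip", "c6a3": "dest_ip"})  # IPv6 keys from the table
# key=value pairs; a value runs until the next " key=" token, so it may contain spaces
# ("AI Model Protection"). CEF's escaped "\=" inside values is not handled here.
CEF_EXT_RE = re.compile(r"(\S+?)=(.*?)(?=\s\S+?=|$)")

def parse_cef(line):
    """Header is CEF:Version|Device Vendor|Device Product|Device Version|Device Event
    Class ID|Name|Severity|Extension; vendor -> vendor_name, class ID -> log_type."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    rec = {"vendor_name": parts[1], "log_type": parts[4]}
    for key, val in CEF_EXT_RE.findall(parts[7]):
        if key in CEF_KEYS:
            rec[CEF_KEYS[key]] = val
    return rec

def parse_https(payload):
    obj = json.loads(payload)
    return {field: obj[key] for field, (_, key) in FIELDS.items() if key in obj}

def normalise(raw):
    raw = raw.strip()
    return parse_https(raw) if raw.startswith("{") else parse_cef(raw)

def epoch_micros(value):
    """log_time, time_generated, session_start_time: microseconds since the Unix
    epoch as a string; integer arithmetic keeps all six fractional digits."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))

def high_res(value):
    """time_generated_high_res: YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def triage(rec):
    """max_latency_hit=yes means the verdict arrived asynchronously after the latency
    limit: unless the action was block, the prompt already reached the model (threat
    in request) or the answer already reached the user (threat in response)."""
    findings = []
    blocked = str(rec.get("action", "")).lower() == "block"
    if str(rec.get("max_latency_hit", "")).lower() in ("yes", "true", "1") and not blocked:
        findings.append("passed-through %s in %s (async verdict, action=%s)" % (
            rec.get("ai_incident_subtype", "?"), rec.get("request_response", "?"), rec.get("action")))
    if str(rec.get("vendor_severity", "")).lower() == "high" and not blocked:
        findings.append("high severity not blocked")
    return findings

def summarise(rec):
    gen, recv = epoch_micros(rec["time_generated"]), epoch_micros(rec["log_time"])
    return {"session_id": str(rec.get("session_id")), "generated_utc": gen.isoformat(),
            "ingest_lag_ms": int((recv - gen).total_seconds() * 1000),  # firewall -> SLS
            "cloud_latency_ms": int(rec.get("latency", 0)), "findings": triage(rec)}

# Constructed samples; the values are illustrative, not real telemetry.
SAMPLE_CEF = ("CEF:0|Palo Alto Networks|AI Runtime Security|1.0|ai_security|Prompt Injection|6|"
              "act=alert PanOSAIIncidentType=AI Model Protection PanOSAIIncidentSubtype=Prompt "
              "Injection PanOSMaxLatencyHit=yes PanOSLatency=2200 src=10.20.30.40 dst=198.51.100.7 "
              "cn1=48211 rt=1718000000123456 start=1717999999873456 PanOSVendorSeverity=high")
SAMPLE_HTTPS = json.dumps({
    "Action": "block", "AIIncidentType": "AI Data Protection", "AIIncidentSubtype": "Data Rule",
    "MaxLatencyHit": "no", "Latency": 310, "ThreatinRequestorResponse": "response",
    "SourceAddress": "10.20.30.41", "DestinationAddress": "198.51.100.8", "SessionID": 48212,
    "TimeReceived": "1718000001500000", "TimeGenerated": "1718000001250000",
    "TimeGeneratedHighResolution": "2024-06-10T06:13:21.250000Z", "VendorSeverity": "medium"})

if __name__ == "__main__":
    for raw in (SAMPLE_CEF, SAMPLE_HTTPS):
        print(json.dumps(summarise(normalise(raw)), indent=2))
```

The ingest_lag_ms value (log_time minus time_generated) is separate from the latency field: the former is the delay between the data plane generating the record and Strata Logging Service receiving it, the latter is the cloud inspection time the table defines. When extending FIELDS from the table, note that the table lists no CEF name for request_response or ai_model_csp_region_name, so a CEF feed cannot tell you whether the threat was in the prompt or in the model's answer; use the HTTPS or LEEF format if that distinction matters to your playbook. The CEF extension regex assumes values contain no escaped "=" characters; add unescaping before relying on it against a feed that emits them.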