>
    Strata Copilot
    Decryption EMAIL Fields
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Logging Service
    3. Strata Logging Service Log Reference
    4. Network Logs
    5. Decryption
    6. Decryption EMAIL Fields
    Download PDF
    Strata Logging Service

    Decryption EMAIL Fields

    Table of Contents

    Decryption EMAIL Fields

    Example Decryption log in EMAIL: 
    TimeReceived=2021-02-23T02:43:57.000000Z
DeviceSN=xxxxxxxxxxxxx
SubType=end
ConfigVersion=null
TimeGenerated=2021-02-23T02:43:57.000000Z
CaptivePortal=false
CortexDataLakeTenantID=xxxxxxxxxxxxx-ingest
Cpadding=0
DGHierarchyLevel1=12
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
DestinationDeviceClass=
DestinationDeviceOS=
DestinationLocation=IN
DestinationUserDomain=paloaltonetwork
DestinationUserName=xxxxx
DestinationUserUUID=0
DeviceName=PA-VM
Domain=0
InboundInterfaceDetailsPort=1
InboundInterfaceDetailsSlot=1
InboundInterfaceDetailsType=ethernet
InboundInterfaceDetailsUnit=0
IsCertCNTruncated=false
IsCertECDSA=false
IsCertRSA=false
IsClienttoServer=false
IsContainer=false
IsDecryptMirror=false
IsDecrypted=
IsDuplicateLog=false
IsEncrypted=
IsForwarded=true
IsIPV6=
IsIssuerCNTruncated=false
IsMptcpOn=false
IsNAT=false
IsNonStandardDestinationPort=true
IsPhishing=false
IsPrismaNetwork=false
IsPrismaUsers=false
IsProxy=false
IsReconExcluded=false
IsResumeSession=false
IsRootCNTruncated=false
IsSNITruncated=false
IsServertoClient=false
IsSourceXForwarded=
IsSystemReturn=false
SourceAddress=xxx.xx.x.xx
DestinationAddress=xxx.xx.x.xx
NATSource=xxx.xx.x.xx
NATDestination=xxx.xx.x.xx
Rule=allow-all-employees
SourceUser="paloaltonetwork\\xxxxx"
DestinationUser="paloaltonetwork\\xxxxx"
Application=gmail-base
VirtualLocation=vsys1
FromZone=datacenter
ToZone=ethernet4Zone-test1
InboundInterface=ethernet1/1
OutboundInterface=tunnel.901
LogSetting=test
TimeReceivedManagementPlane=2019-12-12T22:16:48.000000Z
SessionID=106112
CountOfRepeat=1
SourcePort=16524
DestinationPort=20122
NATSourcePort=15856
NATDestinationPort=10128
Protocol=tcp
Action=deny
Tunnel=N/A
SourceUUID=
DestinationUUID=
RuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e
ClientToFirewall=null
FirewallToClient=null
TLSVersion=null
TLSKeyExchange=null
TLSEncryptionAlgorithm=null
TLSAuth=null
PolicyName=
EllipticCurve=
ErrorIndex=null
RootStatus=null
ChainStatus=null
ProxyType=null
CertificateSerial=
Fingerprint=
TimeNotBefore=0
TimeNotAfter=0
CertificateVersion=null
CertificateSize=0
CommonNameLength=0
IssuerNameLength=0
RootCNLength=0
SNILength=0
CertificateFlags=0
CommonName=
IssuerCommonName=
RootCommonName=
ServerNameIndication=
ErrorMessage=
ContainerID=
ContainerNameSpace=
ContainerName=
SourceEDL=
DestinationEDL=
SourceDynamicAddressGroup=
DestinationDynamicAddressGroup=test
TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z
SourceDeviceCategory=
SourceDeviceProfile=
SourceDeviceModel=
SourceDeviceVendor=
SourceDeviceOSFamily=
SourceDeviceOSVersion=
SourceDeviceHost=
SourceDeviceMac=
DestinationDeviceCategory=
DestinationDeviceProfile=
DestinationDeviceModel=
DestinationDeviceVendor=
DestinationDeviceOSFamily=
DestinationDeviceOSVersion=
DestinationDeviceHost=
DestinationDeviceMac=
SequenceNo=8026543790
    The following table identifies the Decryption field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.
    EMAIL Name
    Query Name
    Action
    action.​value
    Application
    app
    ApplicationCategory
    app_category
    ApplicationSubcategory
    app_sub_category
    CertificateFlags
    cert_flags
    CertificateSerial
    cert_serial
    CertificateSize
    certificate_size
    CertificateVersion
    certificate_version.​value
    ChainStatus
    chain_status.​value
    ApplicationCharacteristics
    characteristics_of_app
    ClientToFirewall
    client_to_firewall.​value
    CommonName
    cn
    CommonNameLength
    cn_len
    ConfigVersion
    config_version.​value
    ContainerID
    container_id
    ApplicationContainer
    container_of_app
    RepeatCount
    count_of_repeats
    Cpadding
    cpadding
    CortexDataLakeTenantID
    customer_id
    DestinationDeviceCategory
    dest_device_category
    DestinationDeviceClass
    dest_device_class
    DestinationDeviceHost
    dest_device_host
    DestinationDeviceMac
    dest_device_mac
    DestinationDeviceModel
    dest_device_model
    DestinationDeviceOS
    dest_device_os
    DestinationDeviceOSFamily
    dest_device_osfamily
    DestinationDeviceOSVersion
    dest_device_osversion
    DestinationDeviceProfile
    dest_device_profile
    DestinationDeviceVendor
    dest_device_vendor
    DestinationDynamicAddressGroup
    dest_dynamic_address_group
    DestinationEDL
    dest_edl
    DestinationAddress
    dest_ip.​value
    DestinationLocation
    dest_location
    DestinationPort
    dest_port
    DestinationUser
    dest_user
    DestinationUserDomain
    dest_user_info.​domain
    DestinationUserName
    dest_user_info.​name
    DestinationUserUUID
    dest_user_info.​uuid
    DestinationUUID
    dest_uuid
    DGHierarchyLevel1
    dg_hier_level_1
    DGHierarchyLevel2
    dg_hier_level_2
    DGHierarchyLevel3
    dg_hier_level_3
    DGHierarchyLevel4
    dg_hier_level_4
    Domain
    domain
    EllipticCurve
    elliptic_curve.​value
    ErrorIndex
    error_index.​value
    ErrorMessage
    error_message
    Fingerprint
    fingerprint
    FirewallToClient
    firewall_to_client.​value
    FromZone
    from_zone
    InboundInterface
    inbound_if.​value
    InboundInterfaceDetailsPort
    inbound_if_details.​port
    InboundInterfaceDetailsSlot
    inbound_if_details.​slot
    InboundInterfaceDetailsType
    inbound_if_details.​type.​value
    InboundInterfaceDetailsUnit
    inbound_if_details.​unit
    CaptivePortal
    is_captive_portal
    IsCertECDSA
    is_cert_ECDSA
    IsCertRSA
    is_cert_RSA
    IsCertCNTruncated
    is_cert_cn_truncated
    IsClienttoServer
    is_client_to_server
    IsContainer
    is_container
    IsDecryptMirror
    is_decrypt_mirror
    IsDecrypted
    is_decrypted
    IsDuplicateLog
    is_dup_log
    IsEncrypted
    is_encrypted
    LogExported
    is_exported
    IsForwarded
    is_forwarded
    IsIPV6
    is_ipv6
    IsIssuerCNTruncated
    is_issuer_cn_truncated
    IsMptcpOn
    is_mptcp_on
    IsNAT
    is_nat
    IsNonStandardDestinationPort
    is_non_std_dest_port
    PacketCapture
    is_packet_capture
    IsPhishing
    is_phishing
    IsPrismaNetwork
    is_prisma_branch
    IsPrismaUsers
    is_prisma_mobile
    IsProxy
    is_proxy
    IsReconExcluded
    is_recon_excluded
    IsResumeSession
    is_resume_session
    IsRootCNTruncated
    is_root_cn_truncated
    IsSaaSApplication
    is_saas_app
    IsServertoClient
    is_server_to_client
    IsSNITruncated
    is_sni_truncated
    IsSourceXForwarded
    is_source_x_fwded
    IsSystemReturn
    is_sym_return
    IsTransaction
    is_transaction
    IsTunnelInspected
    is_tunnel_inspected
    IsURLDenied
    is_url_denied
    IssuerCommonName
    issuer_cn
    IssuerNameLength
    issuer_len
    LogSetting
    log_set
    LogSource
    log_source
    LogSourceGroupID
    log_source_group_id
    DeviceSN
    log_source_id
    DeviceName
    log_source_name
    LogSourceTimeZoneOffset
    log_source_tz_offset
    TimeReceived
    log_time
    LogType
    log_type.​value
    NATDestination
    nat_dest.​value
    NATDestinationPort
    nat_dest_port
    NATSource
    nat_source.​value
    NATSourcePort
    nat_source_port
    TimeNotAfter
    not_after
    TimeNotBefore
    not_before
    OutboundInterface
    outbound_if.​value
    OutboundInterfaceDetailsPort
    outbound_if_details.​port
    OutboundInterfaceDetailsSlot
    outbound_if_details.​slot
    OutboundInterfaceDetailsType
    outbound_if_details.​type.​value
    OutboundInterfaceDetailsUnit
    outbound_if_details.​unit
    Padding
    padding
    Padding3
    padding3
    PanoramaSN
    panorama_serial
    PlatformType
    platform_type
    ContainerName
    pod_name
    ContainerNameSpace
    pod_namespace
    PolicyName
    policy_name
    Protocol
    protocol.​value
    ProxyType
    proxy_type.​value
    ApplicationRisk
    risk_of_app
    RootCommonName
    root_cn
    RootCNLength
    root_cn_len
    RootStatus
    root_status.​value
    Rule
    rule_matched
    RuleUUID
    rule_matched_uuid
    SanctionedStateOfApp
    sanctioned_state_of_app
    SequenceNo
    sequence_no
    SessionID
    session_id
    ServerNameIndication
    sni
    SNILength
    sni_len
    SourceDeviceCategory
    source_device_category
    SourceDeviceClass
    source_device_class
    SourceDeviceHost
    source_device_host
    SourceDeviceMac
    source_device_mac
    SourceDeviceModel
    source_device_model
    SourceDeviceOS
    source_device_os
    SourceDeviceOSFamily
    source_device_osfamily
    SourceDeviceOSVersion
    source_device_osversion
    SourceDeviceProfile
    source_device_profile
    SourceDeviceVendor
    source_device_vendor
    SourceDynamicAddressGroup
    source_dynamic_address_group
    SourceEDL
    source_edl
    SourceAddress
    source_ip.​value
    SourceLocation
    source_location
    SourcePort
    source_port
    SourceUser
    source_user
    SourceUserDomain
    source_user_info.​domain
    SourceUserName
    source_user_info.​name
    SourceUserUUID
    source_user_info.​uuid
    SourceUUID
    source_uuid
    Subtype
    sub_type.​value
    ApplicationTechnology
    technology_of_app
    TimeGenerated
    time_generated
    TimeGeneratedHighResolution
    time_generated_high_res
    TimeReceivedManagementPlane
    time_received_mp
    TLSAuth
    tls_auth.​value
    TLSEncryptionAlgorithm
    tls_enc_algorithm.​value
    TLSKeyExchange
    tls_keyxchange.​value
    TLSVersion
    tls_version.​value
    ToZone
    to_zone
    Tpadding
    tpadding
    Tunnel
    tunnel.​value
    TunneledApplication
    tunneled_app
    VendorName
    vendor_name
    Vpadding
    vpadding
    VirtualLocation
    vsys
    VirtualSystemID
    vsys_id
    VirtualSystemName
    vsys_name

    © 2025 Palo Alto Networks, Inc. All rights reserved.