Detection

Strata Logging Service

Scans and protects data within sanctioned corporate applications (e.g., Microsoft 365, Google Workspace, Slack, Salesforce).
See the following for information related to supported log formats:
| DETECTION field (display name) | Description | Field name by log format |
| --- | --- | --- |
| agent_id (AGENT ID) | Unique identifier of the agent (if applicable). | CEF: PanOSAgentID; EMAIL: AgentID; HTTPS: AgentID; LEEF: AgentID |
| customer_id (CORTEX DATA LAKE TENANT ID) | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. | EMAIL: CortexDataLakeTenantId; HTTPS: CortexDataLakeTenantId; LEEF: s |
| detection_details (DETECTION DETAILS) | Detector-specific details encoded as a JSON string. | CEF: PanOSDetectionDetails; EMAIL: DetectionDetails; HTTPS: DetectionDetails; LEEF: DetectionDetails |
| detection_id (DETECTION ID) | Unique identifier for this detection instance (used for correlation). | CEF: PanOSDetectionID; EMAIL: DetectionID; HTTPS: DetectionID; LEEF: DetectionID |
| detection_risk_score (DETECTION RISK SCORE) | Risk score as provided by the source. | CEF: PanOSDetectionRiskScore; EMAIL: DetectionRiskScore; HTTPS: DetectionRiskScore; LEEF: DetectionRiskScore |
| detector_type (DETECTOR TYPE) | Specific detector type triggered (e.g., DORMANT_AGENT). | CEF: PanOSDetectorType; EMAIL: DetectorType; HTTPS: DetectorType; LEEF: DetectorType |
| first_seen_at (FIRST SEEN AT) | First time this issue was detected, in ISO 8601 / RFC 3339 timestamp format. | CEF: PanOSFirstSeenAt; EMAIL: FirstSeenAt; HTTPS: FirstSeenAt; LEEF: FirstSeenAt |
| last_seen_at (LAST SEEN AT) | Most recent time this issue was seen, in ISO 8601 / RFC 3339 timestamp format. | CEF: PanOSLasSeenAt; EMAIL: LasSeenAt; HTTPS: LasSeenAt; LEEF: LasSeenAt |
| log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced the data. | CEF: PanOSLogSource; EMAIL: LogSource; HTTPS: LogSource; LEEF: LogSource |
| log_source_group_id (LOG SOURCE GROUP ID) | ID that uniquely identifies the logSourceGroupId of the log, that is, the log_source_id of the group. | CEF: LogSourceGroupID; EMAIL: LogSourceGroupID; HTTPS: LogSourceGroupID; LEEF: LogSourceGroupID |
| log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log: the serial number of the firewall that generated the log. | CEF: deviceExternalID; EMAIL: DeviceSN; HTTPS: DeviceSN; LEEF: DeviceSN |
| log_source_name (DEVICE NAME) | Name of the source of the log: the hostname of the firewall that logged the network traffic. | CEF: dvchost; EMAIL: DeviceName; HTTPS: DeviceName; LEEF: DeviceName |
| log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the source of the log. | EMAIL: LogSourceTimeZoneOffset; HTTPS: LogSourceTimeZoneOffset; LEEF: LogSourceTimeZoneOffset |
| log_time (TIME RECEIVED) | Time the log was received in Cortex Data Lake. This is populated by the platform. | CEF: rt; EMAIL: TimeReceived; HTTPS: TimeReceived; LEEF: TimeReceived |
| log_type.value (LOG TYPE) | Identifies the log type. | CEF: DeviceEventClassID; EMAIL: LogType; HTTPS: LogType; LEEF: cat |
| platform_type (PLATFORM TYPE) | Identifies the platform that generated the log. | CEF: PlatformType; EMAIL: PlatformType; HTTPS: PlatformType; LEEF: PlatformType |
| saas_app_id (SAAS APP ID) | App identifier (e.g., ms-copilot-studio). | CEF: PanOSSaaSAppID; EMAIL: SaaSAppID; HTTPS: SaaSAppID; LEEF: SaaSAppID |
| scan_id (SCAN ID) | ID of the scan that produced the detection. | CEF: PanOSScanID; EMAIL: ScanID; HTTPS: ScanID; LEEF: ScanID |
| sub_type.value (SUB TYPE) | Identifies the log subtype. | CEF: Name; EMAIL: SubType; HTTPS: SubType; LEEF: SubType |
| time_generated (TIME GENERATED) | Time the log was generated on the data plane, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. | CEF: start; EMAIL: TimeGenerated; HTTPS: TimeGenerated; LEEF: devTime |
| time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated on the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. | EMAIL: TimeGeneratedHighResolution; HTTPS: TimeGeneratedHighResolution |
| tsg_id (TSG ID) | The ID that uniquely identifies the Tenant Service Group (TSG) that this log record should be associated with. | CEF: PanOSTSGID; EMAIL: TSGID; HTTPS: TSGID; LEEF: TSGID |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. | CEF: Device Vendor; EMAIL: VendorName; HTTPS: VendorName; LEEF: Vendor |
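As an added example (not part of the Strata Logging Service documentation and not vendor code), the parser below consumes a DETECTION record delivered as a CEF line, maps the CEF extension keys from the table above back to the canonical field names, and types the timestamp, risk-score and JSON fields so the record can be used for correlation on detection_id and for measuring how long an issue has persisted between first_seen_at and last_seen_at. The sample line is constructed; the product, version and severity values in the CEF header, the sub-type string, and the content of detection_details are assumptions, since the page does not show a sample record.

```python
"""Parse a Strata Logging Service DETECTION record delivered as CEF.

Added example: the CEF key -> field mapping comes from the schema table;
the sample record and its header values are constructed placeholders.
"""
import json
import re
from datetime import datetime

# CEF extension key -> canonical DETECTION field name (from the table).
CEF_TO_FIELD = {
    "PanOSAgentID": "agent_id",
    "PanOSDetectionDetails": "detection_details",
    "PanOSDetectionID": "detection_id",
    "PanOSDetectionRiskScore": "detection_risk_score",
    "PanOSDetectorType": "detector_type",
    "PanOSFirstSeenAt": "first_seen_at",
    "PanOSLasSeenAt": "last_seen_at",
    "PanOSLogSource": "log_source",
    "LogSourceGroupID": "log_source_group_id",
    "deviceExternalID": "log_source_id",
    "dvchost": "log_source_name",
    "rt": "log_time",
    "PlatformType": "platform_type",
    "PanOSSaaSAppID": "saas_app_id",
    "PanOSScanID": "scan_id",
    "start": "time_generated",
    "PanOSTSGID": "tsg_id",
}

# Fields the table documents as ISO 8601 / RFC 3339 timestamps.
TIMESTAMP_FIELDS = {"first_seen_at", "last_seen_at", "log_time", "time_generated"}

# Constructed sample record. Header product/version/severity, the sub-type
# string and the detection_details payload are assumptions, not real output.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|Strata Logging Service|1.0|DETECTION|example-subtype|5|"
    "rt=2024-05-01T10:00:05Z start=2024-05-01T10:00:00Z "
    "deviceExternalID=SN-EXAMPLE-0001 dvchost=example-collector "
    "PanOSLogSource=example-source LogSourceGroupID=grp-1 PlatformType=example-platform "
    "PanOSDetectionID=det-0001 PanOSScanID=scan-42 PanOSDetectorType=DORMANT_AGENT "
    "PanOSDetectionRiskScore=72 PanOSSaaSAppID=ms-copilot-studio "
    "PanOSFirstSeenAt=2024-04-20T08:15:00Z PanOSLasSeenAt=2024-05-01T09:59:00Z "
    'PanOSDetectionDetails={"agent_url":"https://example.test/agents?id\\=7","days_idle":11} '
    "PanOSTSGID=1234567890 PanOSAgentID=agent-7"
)

# Header fields are separated by unescaped '|'.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension is key=value pairs; a value runs until the next " key=" or end of
# line and may contain CEF-escaped characters (backslash-equals, double backslash).
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")


def _unescape(text):
    # Backslash-escaped '|', '=' and '\' become the literal character; \n and \r become newlines.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_timestamp(value):
    """Parse the documented YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z form into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat needs an explicit offset on older Pythons
    return datetime.fromisoformat(value)


def parse_detection(line):
    """Return a dict keyed by canonical DETECTION field names; unknown keys go under 'unmapped'."""
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record with a 7-field header")
    header = [_unescape(p) for p in parts[:7]]
    record = {
        "vendor_name": header[1],    # CEF 'Device Vendor'
        "device_product": header[2],
        "device_version": header[3],
        "log_type": header[4],       # CEF 'DeviceEventClassID'
        "sub_type": header[5],       # CEF 'Name'
        "severity": header[6],
        "unmapped": {},
    }
    for key, raw in _EXT_PAIR.findall(parts[7].strip()):
        value = _unescape(raw)
        field = CEF_TO_FIELD.get(key)
        if field is None:
            record["unmapped"][key] = value
        elif field in TIMESTAMP_FIELDS:
            record[field] = parse_timestamp(value)
        elif field == "detection_details":
            record[field] = json.loads(value)   # detector-specific JSON string
        elif field == "detection_risk_score":
            record[field] = float(value)
        else:
            record[field] = value
    return record


def dwell_seconds(record):
    """Seconds between first_seen_at and last_seen_at: how long the issue has persisted."""
    return (record["last_seen_at"] - record["first_seen_at"]).total_seconds()


if __name__ == "__main__":
    rec = parse_detection(SAMPLE_CEF)
    for name in ("detection_id", "detector_type", "saas_app_id", "detection_risk_score"):
        print(f"{name}: {rec[name]}")
    print(f"dwell: {dwell_seconds(rec) / 86400:.1f} days")
```

Keys that are not in the table land in `unmapped` rather than being dropped, so a schema change on the producer side shows up as unexpected keys instead of silently lost data. Note that the mapping uses the key spellings exactly as the table gives them (including PanOSLasSeenAt), so a consumer should key on the documented strings rather than on a corrected form.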