CEF Format

The following table lists the events in CEF format.
Event
CEF Format
AccessViolation
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Access Violation|Threat| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] dvc=@Model["AgentIp"] msg=Access Violation- @Model["TargetName"]: @Model["TargetValue"]
AgentAuthenticationFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Authentication Failed| Agent|@Model.ExternalSeverity| rt=@Model["Time"] dvc=@Model["AgentIp"] msg=@Model["AgentIp"] authentication failed - @Model["FailureReason"]
AgentContentUpdate
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Content Update|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=@Model["host"] received new content- version @Model["ContentVersion"]
AgentMigration
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Migration|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dvc=@Model["AgentIp"] msg=Agent has migrated to Traps cloud services
AgentPolicyChange
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Policy Changed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Policy changed
AgentPolicyChangesFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Policy Changes failed| Agent|@Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=New Policy Changes Failed
ArchivedPreventionsFailure
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Preventions Archived Failed| System|@Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Archived preventions failed
ArchivedPreventions
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Preventions Archived|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["totalPreventions"] preventions been archived
AutoContentUpdateAvailable
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Server Content Update Available|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=A new Content Update (version @Model["ContentVersion"]) is Available
ClientInstall
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Install|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Agent installed
ClientLicenseInvalid
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Client License Invalid| Agent|@Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Invalid license
ClientLicenseRequest
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Client License Request| Agent|@Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=New license request
ClientUninstall
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Uninstall|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Agent uninstalled
ClientUpgrade
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Upgrade|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Agent upgraded
CommunicationsCheckWithProxy
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Communications Check With Proxy|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Communications check with Proxy on host '@Model["host"]'. Status: '@Model["message"]'
ConditionDeleted
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Condition Deleted|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Condition ID: @Model["id"] was deleted
ConditionEdited
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Condition Edited|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Condition ID: @Model["id"] was added/changed.
ConfigurationChange
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Settings Change|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["Property"] has changed from @Model["OldValue"] to @Model["NewValue"].
DisabledProtection
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Protection Disabled|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Protection disabled on all agents
EPMInitFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|EPM Init Failed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] msg=EPM @Model["EPM"] failed to initialize
EnabledProtection
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Protection Enabled|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Protection restored on all agents
EsmConfigurationChange
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|ESM Configuration Change| System|@Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Multi ESM configurations has changed
EsmStatusChange
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|ESM Status Change|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=ESM status changed
FileUploadFailure
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|File Upload Failure|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] dhost=@Model["host"] duser=@Model["user"] fname=@Model["fileName"] msg=File failed to upload
HashesImport
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Hashes Import|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] msg=@Model["Amount"] hashes were imported
Heartbeat
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Heartbeat|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] dvc=@Model["AgentIp"] msg=Service is alive
LicenseExpiration
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|License Expiration|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["poolName"] licenses will expire in @Model["days"] days
LicensePoolAdded
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|License Pool Added|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=A pool of @Model["licenseCount"] licenses of type @Model["licenseType"] have been added
LicenseQuantity
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|License Quantity|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Agent Licenses are running low
LicenseRevoked
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|License Revoked|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Licenses revoked
LocalAnalysisFeatureExtractionFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]| Local Analysis Extraction Failed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] msg=Local Analysis Feature Extraction Failed
LocalAnalysisModelUnavailable
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Local Analysis Model Unavailable|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Local Analysis Model Unavailable
LocalAnalysisModuleFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]| Local Analysis Module Failed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Add new module into Local Analysis- Failed
LocalAnalysisModuleSucceeded
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]| Local Analysis Module Succeeded|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs4Label=ModuleVersion cs4=@Model["ModuleVersion"] msg=Add new module into Local Analysis- Succeeded
MachineLicenseValidationFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Machine License Validation Failed|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=License Validation Failed
NewHash
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|New Hash Added|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=New hash added
NotificationEvent
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Notification Event|Threat| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] dvc=@Model["AgentIp"] msg=New notification event. Prevention Key: @Model["preventionKey"]
OneTimeActionComplete
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|One Time Action Complete| Agent|@Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=One Time Action completed. Action Type: @Model["ActionType"]. Action ID: @Model["ActionID"]
OneTimeActionFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|One Time Action Failed| Agent|@Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=One Time Action failed to run. Action Type: @Model["ActionType"]
PostDetectionEvent
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Post Detection Event|Threat| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] dvc=@Model["AgentIp"] msg=New post detection event. Prevention Key: @Model["preventionKey"]
PreventionEvent
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Prevention Event|Threat| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] dvc=@Model["AgentIp"] msg=New prevention event. Prevention Key: @Model["preventionKey"]
ProcessCrashed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Process Crashed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Process @Model["ProcessName"] had crashed
ProcessDeleted
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Process Deleted|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] deviceProcessName=@Model["Name"] msg=Process was deleted
ProcessEdited
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Process Edited|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] deviceProcessName=@Model.Data.ProcessFilename msg=Process was added/edited
ProcessInjectionTimedOut
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Process Injection Time Out| Agent|@Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Injection Timeout
ProvisionalEvent
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Provisional Event|Threat| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] cs3Label=ContentVersion cs3=@Model["ContentVersion"] dvc=@Model["AgentIp"] msg=New provisional event. Prevention Key: @Model["preventionKey"]
PublisherChanged
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Trusted Signer Changed| Policy|@Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] msg=Hash @Model["Hash"] trusted signer changed automatically from @Model["OldPublisher"] to @Model["NewPublisher"]
QuarantineFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Quarantine Failed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] could not be quarantined, reason: @Model["FailureReason"]
QuarantineQuotaExceeded
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Quarantine Quota Exceeded | Agent|@Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] was permanently removed from the quarantine folder because quota was exceeded
QuarantineSucceeded
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Quarantine Succeed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] was quarantined successfully
ReportingServiceStartFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]| Reporting Service Start Failed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Failed listening to Traps reporting service on @Model["host"].
RestoreFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Restore Failed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] could not be restored, reason: @Model["FailureReason"]
RestoreSucceeded
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Restore Succeeded|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] restored successfully
RestrictionSettingsEdited
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Restriction Settings Edited| Config|@Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Restriction Settings were added/changed
RoleDeleted
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Role Deleted|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Role @Model["Name"] was deleted
RoleEdited
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Role Edited|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Role @Model.Data.Name was added\changed
RoleStatusChanged
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Role Status Changed|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Role @Model["Name"] status was changed to @Model["Status"]
RuleDeleted
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Rule Deleted|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] cs1Label=Rule cs1=@Model["id"] msg=Rule @Model["id"]: Deleted
RuleEdited
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Rule Edited|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] cs1Label=Rule cs1=@Model.Data.Id msg=Rule @Model.Data.Id: Edited
SendingLicenseToClient
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Sending License To Client| Config|@Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=New license sent
ServerContentRevertFailure
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Server Content Revert Failure|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version failed to revert to @Model["ContentVersion"]. Error: @Model["Error"]
ServerContentRevertSuccess
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Server Content Revert Success|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version was reverted to @Model["ContentVersion"] successfully
ServerContentUpdateFailure
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Server Content Update Failed|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version failed to update to @Model["ContentVersion"]. Error: @Model["Error"]
ServerContentUpdateSuccess
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Server Content Update Success|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version was updated to @Model["ContentVersion"] successfully
ServerHeartbeat
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|ESM Heartbeat|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=ESM heartbeat
ServiceAlive
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Service Alive|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Service start
ServiceStartFailed
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Service Start Failed|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Service start failed
ServiceStopped
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Service Stopped|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Service stopped
ServiceWarning
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Service Warning|Threat| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] cs2Label=Module cs2=@Model["EPM"]dvc=@Model["AgentIp"] msg=Warning- Java sandboxed file access to @Model["TargetValue"]
SystemShutdown
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|System Shutdown|Agent| @Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Service shutdown
TechSupportFileStatus
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Tech Support File|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] msg=Tech Support File: Status:@Model["Status"]
TrapsServiceStatusChange
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Traps Service Status Change| Agent|@Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Agent Service Status Changed: @Model["OldStatus"]-> @Model["NewStatus"]
UserDeleted
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|User Deleted|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model["Name"] was deleted.
UserEdited
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|User Edited|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model.Data.Name was added\changed.
UserLogin
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|User Login|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model.Data.Username logged in to ESM console
UserStatusChanged
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|User Status Changed|Config| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model["Name"] status was changed to @Model["Status"]
VerdictChangeAnyToMalware
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Changed Any To Malware|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed to Malware. @Model["OldVerdict"] -> @Model["NewVerdict"]
VerdictChangeMalwareToAny
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Change Malware To Any|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed from Malware. Awaiting to restore: @Model["QuarantineStatus"]. @Model["OldVerdict"] -> @Model["NewVerdict"]
VerdictChangeNoconnectionToAny
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Change No Connection To Any|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed from No Connection. @Model["OldVerdict"] -> @Model["NewVerdict"]
VerdictChangeUnknownToAny
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Change Unknown To Any|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed from Unknown. @Model["OldVerdict"] -> @Model["NewVerdict"]
VerdictChangeAwaitingAnalysisToAny
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Change Awaiting Analysis To Any|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed from Awaiting Analysis. @Model["OldVerdict"] -> @Model["NewVerdict"]
VerdictChange
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Verdict Changed|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict changed. @Model["OldVerdict"] -> @Model["NewVerdict"]
VerdictManualOverride
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Verdict Manual Override| Policy|@Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict overridden manually. @Model["OldVerdict"] -> @Model["NewVerdict"]
VerdictRevertedToWildfire
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Reverted To WildFire|Policy| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] cs5Label=NewVerdict cs5=@Model["NewVerdict"] msg=Hash verdict reverted to WildFire. @Model["OldVerdict"] -> @Model["NewVerdict"]
WfCommunicationsStatusChanged
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| WildFire Communications Status Changed|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=WildFire communications status changed on host '@Model["host"]'. Status: '@Model["message"]
InstallationPackage
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Agent Package Created| System|@Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["OSType"] Agent Package was @Model["AgentPackageStatus"]. Source file: @Model["SourceFile"]. Package name: @Model["AgentPackageName"] Agent Version: @Model["AgentPackageVersion"]
IncompatibleOs
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Incompatibility Issue| Agent|@Model.ExternalSeverity| rt=@Model["Time"] dhost=@Model["host"] duser=@Model["user"] msg=Traps is inactive due to @Model["IncompatibilityReason"]
RegistrationConflict
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Agent Registration Conflict Detected|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Agent registration conflict detected on host @Model["host"] from IP: @Model["RequestIP"]. Saved IP: @Model["AgentIp"]
EsmCertValidationWarning
@Model["Time"] @Model["EsmIp"] CEF:0| Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Agent-ESM Authentication Warning|System| @Model.ExternalSeverity| rt=@Model["Time"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Agent @Model["host"] couldn't fully authenticate ESM @Model["esmHost"] using installed certificate.

Related Documentation