
LEEF Format

The following table lists the events in LEEF format. Each event name is followed on the next line by its LEEF format string.
AccessViolation
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Access Violation|cat=Threat subtype=Access Violation devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"] dst=@Model["AgentIp"] msg=Access Violation- @Model["TargetName"]: @Model["TargetValue"] sev=@Model.ExternalSeverity
AgentAuthenticationFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Authentication Failed| cat=Agent subtype=Agent Authentication Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dst=@Model["AgentIp"] msg=@Model["AgentIp"] authentication failed - @Model["FailureReason"] sev=@Model.ExternalSeverity
AgentContentUpdate
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Content Update| cat=Agent subtype=Agent Content Update devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=@Model["host"] received new content- version @Model["ContentVersion"] sev=@Model.ExternalSeverity
AgentPolicyChange
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Policy Changed| cat=Agent subtype=Agent Policy Changed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Policy changed sev=@Model.ExternalSeverity
AgentPolicyChangesFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Policy Changes failed| cat=Agent subtype=Agent Policy Changes failed devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=New Policy Changes Failed sev=@Model.ExternalSeverity
ArchivedPreventionsFailure
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Preventions Archived Failed| cat=System subtype=Preventions Archived Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Archived preventions failed sev=@Model.ExternalSeverity
ArchivedPreventions
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Preventions Archived| cat=System subtype=Preventions Archived devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["totalPreventions"] preventions been archived sev=@Model.ExternalSeverity
ClientInstall
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Install|cat=Agent subtype=Agent Install devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Agent installed sev=@Model.ExternalSeverity
ClientLicenseInvalid
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Client License Invalid| cat=Agent subtype=Client License Invalid devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Invalid license sev=@Model.ExternalSeverity
ClientLicenseRequest
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Client License Request| cat=Agent subtype=Client License Request devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=New license request sev=@Model.ExternalSeverity
ClientUninstall
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Uninstall|cat=Agent subtype=Agent Uninstall devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Agent uninstalled sev=@Model.ExternalSeverity
ClientUpgrade
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Agent Upgrade|cat=Agent subtype=Agent Upgrade devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Agent upgraded sev=@Model.ExternalSeverity
CommunicationsCheckWithProxy
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Communications Check With Proxy|cat=System subtype=Communications Check With Proxy devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Communications check with Proxy on host '@Model["host"]'. Status: '@Model["message"]' sev=@Model.ExternalSeverity
ConditionDeleted
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Condition Deleted| cat=Config subtype=Condition Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Condition ID: @Model["id"] was deleted sev=@Model.ExternalSeverity
ConditionEdited
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Condition Edited|cat=Config subtype=Condition Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Condition ID: @Model["id"] was added/changed. sev=@Model.ExternalSeverity
ConfigurationChange
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Settings Change|cat=Config subtype=Settings Change devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["Property"] has changed from @Model["OldValue"] to @Model["NewValue"]. sev=@Model.ExternalSeverity
DisabledProtection
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Protection Disabled| cat=Policy subtype=Protection Disabled devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Protection disabled on all agents sev=@Model.ExternalSeverity
EPMInitFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|EPM Init Failed|cat=Agent subtype=EPM Init Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"] msg=EPM @Model["EPM"] failed to initialize sev=@Model.ExternalSeverity
EnabledProtection
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Protection Enabled| cat=Policy subtype=Protection Enabled devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Protection restored on all agents sev=@Model.ExternalSeverity
EsmConfigurationChange
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|ESM Configuration Change| cat=System subtype=ESM Configuration Change devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Multi ESM configurations has changed sev=@Model.ExternalSeverity
EsmStatusChange
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|ESM Status Change| cat=System subtype=ESM Status Change devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=ESM status changed sev=@Model.ExternalSeverity
FileUploadFailure
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|File Upload Failure| cat=System subtype=File Upload Failure devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] dhost=@Model["host"] duser=@Model["user"] fname=@Model["fileName"] msg=File failed to upload sev=@Model.ExternalSeverity
HashesImport
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Hashes Import|cat=Policy subtype=Hashes Import devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] msg=@Model["Amount"] hashes were imported sev=@Model.ExternalSeverity
Heartbeat
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Heartbeat|cat=Agent subtype=Heartbeat devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] dst=@Model["AgentIp"] msg=Service is alive sev=@Model.ExternalSeverity
LicenseExpiration
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|License Expiration| cat=System subtype=License Expiration devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=@Model["poolName"] licenses will expire in @Model["days"] days sev=@Model.ExternalSeverity
LicensePoolAdded
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|License Pool Added| cat=System subtype=License Pool Added devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=A pool of @Model["licenseCount"] licenses of type @Model["licenseType"] have been added sev=@Model.ExternalSeverity
LicenseQuantity
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|License Quantity|cat=System subtype=License Quantity devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Agent Licenses are running low sev=@Model.ExternalSeverity
LicenseRevoked
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|License Revoked|cat=Config subtype=License Revoked devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Licenses revoked sev=@Model.ExternalSeverity
LocalAnalysisFeatureExtractionFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]| Local Analysis Extraction Failed|cat=Agent subtype=Local Analysis Extraction Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] ContentVersion=@Model["ContentVersion"] msg=Local Analysis Feature Extraction Failed sev=@Model.ExternalSeverity
LocalAnalysisModelUnavailable
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Local Analysis Model Unavailable|cat=System subtype=Local Analysis Model Unavailable devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=Local Analysis Model Unavailable sev=@Model.ExternalSeverity
LocalAnalysisModuleFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]| Local Analysis Module Failed|cat=Agent subtype=Local Analysis Module Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Add new module into Local Analysis- Failed sev=@Model.ExternalSeverity
LocalAnalysisModuleSucceeded
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]| Local Analysis Module Succeeded|cat=Agent subtype=Local Analysis Module Succeeded devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] ModuleVersion=@Model["ModuleVersion"] msg=Add new module into Local Analysis- Succeeded sev=@Model.ExternalSeverity
MachineLicenseValidationFailed
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Machine License Validation Failed|cat=System subtype=Machine License Validation Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=License Validation Failed sev=@Model.ExternalSeverity
NewHash
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|New Hash Added|cat=Policy subtype=New Hash Added devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=New hash added sev=@Model.ExternalSeverity
NotificationEvent
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Notification Event| cat=Threat subtype=Notification Event devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] ContentVersion=@Model["ContentVersion"] dst=@Model["AgentIp"] msg=New notification event. Prevention Key: @Model["preventionKey"] sev=@Model.ExternalSeverity
OneTimeActionComplete
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|One Time Action Complete| cat=Agent subtype=One Time Action Complete devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=One Time Action completed. Action Type=@Model["ActionType"]. Action ID=@Model["ActionID"] sev=@Model.ExternalSeverity
OneTimeActionFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|One Time Action Failed| cat=Agent subtype=One Time Action Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=One Time Action failed to run. Action Type=@Model["ActionType"] sev=@Model.ExternalSeverity
PostDetectionEvent
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Post Detection Event| cat=Threat subtype=Post Detection Event devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] dst=@Model["AgentIp"] msg=New post detection event. Prevention Key: @Model["preventionKey"] ContentVersion=@Model["ContentVersion"] sev=@Model.ExternalSeverity
PreventionEvent
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Prevention Event|cat=Threat subtype=Prevention Event devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] dst=@Model["AgentIp"] msg=New prevention event. Prevention Key: @Model["preventionKey"] ContentVersion=@Model["ContentVersion"] sev=@Model.ExternalSeverity
ProcessCrashed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Process Crashed|cat=Agent subtype=Process Crashed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Process @Model["ProcessName"] had crashed sev=@Model.ExternalSeverity
ProcessDeleted
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Process Deleted|cat=Config subtype=Process Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] deviceProcessName=@Model["Name"] msg=Process was deleted sev=@Model.ExternalSeverity
ProcessEdited
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Process Edited|cat=Config subtype=Process Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] deviceProcessName=@Model.Data.ProcessFilename msg=Process was added/edited sev=@Model.ExternalSeverity
ProcessInjectionTimedOut
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Process Injection Time Out| cat=Agent subtype=Process Injection Time Out devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Injection Timeout sev=@Model.ExternalSeverity
ProvisionalEvent
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Provisional Event| cat=Threat subtype=Provisional Event devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"] deviceProcessName=@Model["ProcessName"] fileHash=@Model["Hash"] ContentVersion=@Model["ContentVersion"] dst=@Model["AgentIp"] msg=New provisional event. Prevention Key: @Model["preventionKey"] sev=@Model.ExternalSeverity
PublisherChanged
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Trusted Signer Changed| cat=Policy subtype=Trusted Signer Changed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] msg=Hash @Model["Hash"] trusted signer changed automatically from @Model["OldPublisher"] to @Model["NewPublisher"] sev=@Model.ExternalSeverity
QuarantineFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Quarantine Failed|cat=Agent subtype=Quarantine Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] could not be quarantined, reason: @Model["FailureReason"] sev=@Model.ExternalSeverity
QuarantineQuotaExceeded
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Quarantine Quota Exceeded| cat=Agent subtype=Quarantine Quota Exceeded devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] was permanently removed from the quarantine folder because quota was exceeded sev=@Model.ExternalSeverity
QuarantineSucceeded
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Quarantine Succeed| cat=Agent subtype=Quarantine Succeed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] was quarantined successfully sev=@Model.ExternalSeverity
ReportingServiceStartFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]| Reporting Service Start Failed|cat=Agent subtype=Failed listening to Traps reporting service on @Model["host"] devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Reporting Service start failed. sev=@Model.ExternalSeverity
RestoreFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Restore Failed|cat=Agent subtype=Restore Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] could not be restored, reason: @Model["FailureReason"] sev=@Model.ExternalSeverity
RestoreSucceeded
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Restore Succeeded|cat=Agent subtype=Restore Succeeded devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=File @Model["fileName"] restored successfully sev=@Model.ExternalSeverity
RestrictionSettingsEdited
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Restriction Settings Edited| cat=Config subtype=Restriction Settings Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Restriction Settings were added/changed sev=@Model.ExternalSeverity
RoleDeleted
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Role Deleted|cat=Config subtype=Role Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Role @Model["Name"] was deleted sev=@Model.ExternalSeverity
RoleEdited
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Role Edited|cat=Config subtype=Role Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Role @Model.Data.Name was added\changed sev=@Model.ExternalSeverity
RoleStatusChanged
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Role Status Changed| cat=Config subtype=Role Status Changed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Role @Model["Name"] status was changed to @Model["Status"] sev=@Model.ExternalSeverity
RuleDeleted
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Rule Deleted|cat=Policy subtype=Rule Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] rule=@Model["id"] msg=Rule @Model["id"]: Deleted sev=@Model.ExternalSeverity
RuleEdited
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Rule Edited|cat=Policy subtype=Rule Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] rule=@Model.Data.Id msg=Rule @Model.Data.Id: Edited sev=@Model.ExternalSeverity
SendingLicenseToClient
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Sending License To Client| cat=Config subtype=Sending License To Client devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=New license sent sev=@Model.ExternalSeverity
ServerContentRevertFailure
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Server Content Revert Failure|cat=Policy subtype=Server Content Revert Failure devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version failed to revert to @Model["ContentVersion"]. Error: @Model["Error"] sev=@Model.ExternalSeverity
ServerContentRevertSuccess
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Server Content Revert Success|cat=Policy subtype=Server Content Revert Success devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version was reverted to @Model["ContentVersion"] successfully sev=@Model.ExternalSeverity
ServerContentUpdateFailure
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Server Content Update Failed|cat=Policy subtype=Server Content Update Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version failed to update to @Model["ContentVersion"]. Error: @Model["Error"] sev=@Model.ExternalSeverity
ServerContentUpdateSuccess
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Server Content Update Success|cat=Policy subtype=Server Content Update Success devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=Content version was updated to @Model["ContentVersion"] successfully sev=@Model.ExternalSeverity
ServerHeartbeat
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|ESM Heartbeat|cat=System subtype=ESM Heartbeat devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] dhost=@Model["host"] msg=ESM heartbeat sev=@Model.ExternalSeverity
ServiceAlive
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Service Alive|cat=Agent subtype=Service Alive devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Service start sev=@Model.ExternalSeverity
ServiceStartFailed
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Service Start Failed| cat=Agent subtype=Service Start Failed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Service start failed sev=@Model.ExternalSeverity
ServiceStopped
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Service Stopped|cat=Agent subtype=Service Stopped devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Service stopped sev=@Model.ExternalSeverity
ServiceWarning
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Service Warning|cat=Threat subtype=Service Warning devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] Module=@Model["EPM"] dst=@Model["AgentIp"] msg=Warning- Java sandboxed file access to @Model["TargetValue"] sev=@Model.ExternalSeverity
SystemShutdown
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|System Shutdown|cat=Agent subtype=System Shutdown devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Service shutdown sev=@Model.ExternalSeverity
TechSupportFileStatus
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Tech Support File| cat=System subtype=Tech Support File devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] msg=Tech Support File: Status:@Model["Status"] sev=@Model.ExternalSeverity
TrapsServiceStatusChange
LEEF:1.0|Palo Alto Networks|Traps Agent| @Model["ProductVersion"]|Traps Service Status Change| cat=Agent subtype=Traps Service Status Change devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] dhost=@Model["host"] duser=@Model["user"] msg=Agent Service Status Changed: @Model["OldStatus"]-> @Model["NewStatus"] sev=@Model.ExternalSeverity
UserDeleted
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|User Deleted|cat=Config subtype=User Deleted devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model["Name"] was deleted. sev=@Model.ExternalSeverity
UserEdited
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|User Edited|cat=Config subtype=User Edited devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model.Data.Name was added\changed. sev=@Model.ExternalSeverity
UserLogin
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|User Login|cat=System subtype=User Login devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model.Data.Username logged in to ESM console sev=@Model.ExternalSeverity
UserStatusChanged
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|User Status Changed| cat=Config subtype=User Status Changed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] msg=User @Model["Name"] status was changed to @Model["Status"] sev=@Model.ExternalSeverity
VerdictChangeAnyToMalware
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Changed Any To Malware|cat=Policy subtype=Verdict Changed Any To Malware devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash verdict changed to Malware. @Model["OldVerdict"] -> @Model["NewVerdict"] sev=@Model.ExternalSeverity
VerdictChangeMalwareToAny
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Change Malware To Any|cat=Policy subtype=Verdict Change Malware To Any devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash verdict changed from Malware. Awaiting to restore: @Model["QuarantineStatus"]. @Model["OldVerdict"] -> @Model["NewVerdict"] sev=@Model.ExternalSeverity
VerdictChangeNoconnectionToAny
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Change No Connection To Any|cat=Policy subtype=Verdict Change No Connection To Any devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash verdict changed from No Connection. @Model["OldVerdict"] -> @Model["NewVerdict"] sev=@Model.ExternalSeverity
VerdictChangeUnknownToAny
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Change Unknown To Any|cat=Policy subtype=Verdict Change Unknown To Any devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash verdict changed from Unknown. @Model["OldVerdict"] -> @Model["NewVerdict"] sev=@Model.ExternalSeverity
VerdictChangeAwaitingAnalysisToAny
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]| Verdict Change Awaiting Analysis To Any|cat=Policy subtype=Verdict Change Awaiting Analysis To Any devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash verdict changed from Awaiting Analysis. @Model["OldVerdict"] -> @Model["NewVerdict"] sev=@Model.ExternalSeverity
VerdictChange
LEEF:1.0|Palo Alto Networks|Traps ESM| @Model["ProductVersion"]|Verdict Changed|cat=Policy subtype=Verdict Changed devTimeFormat=MMM dd yyyy HH:mm:ss devTime=@Model["Time"] src=@Model["EsmIp"] shost=@Model["esmHost"] suser=@Model["user"] fileHash=@Model["Hash"] NewVerdict=@Model["NewVerdict"] msg=Hash verdict changed. @Model["OldVerdict"] -> @Model["NewVerdict"] sev=@Model.ExternalSeverity
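
The following Python parser for records produced from the templates above is an added example, not part of the original page or of any Palo Alto Networks tooling. It assumes attributes are separated by a tab or a space as rendered in the table, recognises only the keys used in the table, and runs on constructed records; `parse_leef`, `KNOWN_KEYS` and all sample values (version, hosts, addresses, severities) are made up for illustration.

```python
import re
from datetime import datetime

# Attribute keys used by the templates in the table above.
KNOWN_KEYS = (
    "cat", "subtype", "devTimeFormat", "devTime", "src", "dst", "shost",
    "dhost", "suser", "duser", "Module", "deviceProcessName", "fileHash",
    "fname", "rule", "ContentVersion", "ModuleVersion", "NewVerdict",
    "msg", "sev",
)
# A key is recognised only at the start of the attribute section or after a
# tab/space, and only if it is in KNOWN_KEYS. Values such as devTime and msg
# contain spaces, and some msg texts contain "=" ("Action Type=..."), so a
# generic key=value split would cut them apart.
KEY_RE = re.compile(r"(?<![^\t ])(" + "|".join(KNOWN_KEYS) + r")=")

# The devTimeFormat value used by the templates, mapped to strptime syntax.
TIME_FORMATS = {"MMM dd yyyy HH:mm:ss": "%b %d %Y %H:%M:%S"}


def parse_leef(line):
    """Parse one LEEF 1.0 record into header fields and attributes."""
    start = line.find("LEEF:1.0|")  # assumption: a syslog prefix may precede it
    if start < 0:
        raise ValueError("not a LEEF 1.0 record")
    parts = line[start:].rstrip("\r\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError("incomplete LEEF header")
    # The templates put spaces around some header fields, so strip them.
    _, vendor, product, version, event_id, body = (p.strip() for p in parts)
    event = {"vendor": vendor, "product": product, "version": version,
             "event_id": event_id, "attrs": {}, "duplicates": [], "time": None}

    matches = list(KEY_RE.finditer(body))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        key, value = m.group(1), body[m.end():end].strip()
        if key in event["attrs"]:
            # A key seen twice means some value contained text that looks like
            # another attribute. Keep the first value and flag the record so
            # it is reviewed instead of trusted field by field.
            event["duplicates"].append(key)
        else:
            event["attrs"][key] = value

    # AgentPolicyChangesFailed carries devTime without devTimeFormat; in that
    # case the raw string stays in attrs and "time" remains None.
    fmt = TIME_FORMATS.get(event["attrs"].get("devTimeFormat"))
    if fmt and "devTime" in event["attrs"]:
        try:
            event["time"] = datetime.strptime(event["attrs"]["devTime"], fmt)
        except ValueError:
            pass  # unparseable timestamp: keep the raw devTime string only
    return event


# Constructed sample records: templates from the table filled with made-up values.
SAMPLES = {
    "PreventionEvent": (
        "LEEF:1.0|Palo Alto Networks|Traps Agent| 4.2.0|Prevention Event|"
        "cat=Threat subtype=Prevention Event devTimeFormat=MMM dd yyyy HH:mm:ss "
        "devTime=Mar 04 2019 10:15:30 src=192.0.2.10 dhost=WS-014 duser=alice "
        "Module=Example EPM deviceProcessName=example.exe fileHash=" + "ab" * 32 +
        " dst=198.51.100.23 msg=New prevention event. Prevention Key: 1234 "
        "ContentVersion=17-2345 sev=6"
    ),
    "OneTimeActionComplete": (
        "LEEF:1.0|Palo Alto Networks|Traps Agent| 4.2.0|One Time Action Complete| "
        "cat=Agent subtype=One Time Action Complete devTimeFormat=MMM dd yyyy HH:mm:ss "
        "devTime=Mar 04 2019 10:16:00 src=192.0.2.10 dhost=WS-014 duser=alice "
        "msg=One Time Action completed. Action Type=Example. Action ID=42 sev=2"
    ),
    "AgentPolicyChangesFailed": (
        "LEEF:1.0|Palo Alto Networks|Traps Agent| 4.2.0|Agent Policy Changes failed| "
        "cat=Agent subtype=Agent Policy Changes failed devTime=Mar 04 2019 10:20:00 "
        "src=192.0.2.10 dhost=WS-014 duser=alice msg=New Policy Changes Failed sev=4"
    ),
    # File name that happens to contain text shaped like an attribute.
    "QuarantineFailed": (
        "LEEF:1.0|Palo Alto Networks|Traps Agent| 4.2.0|Quarantine Failed|"
        "cat=Agent subtype=Quarantine Failed devTimeFormat=MMM dd yyyy HH:mm:ss "
        "devTime=Mar 04 2019 10:21:00 src=192.0.2.10 dhost=WS-014 duser=alice "
        "msg=File notes sev=draft.txt could not be quarantined, "
        "reason: access denied sev=4"
    ),
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        parsed = parse_leef(record)
        print(name, parsed["time"], parsed["duplicates"], parsed["attrs"].get("msg"))
```

A record with a non-empty `duplicates` list cannot be split unambiguously with space-separated attributes, so route it for review instead of mapping its fields directly.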