Traps Logs Formats

The following topics list the fields of each Traps log type that the Cortex Data Lake app can forward to an external server or email destination.
When you forward logs to a syslog receiver, Cortex Data Lake sends each log as an IETF syslog message in the format defined in RFC 5424, with the log record carried in the message body as a comma-separated value (CSV) string: the fields appear in the order listed for each log type below, separated by commas. Fields that hold arrays (for example, processes and files) contain JSON and are quoted according to CSV conventions, so split the body with a CSV parser rather than on bare commas. Positions marked FUTURE_USE are reserved for fields that the Traps management service does not currently implement.
When you forward logs to an email destination, Cortex Data Lake sends an email with each field on a separate line of the message body.

Threat Logs

Syslog format: recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, trapsSeverity, agentVersion, contentVersion, protectionStatus, preventionKey, moduleId, profile, moduleStatusId, verdict, preventionMode, terminate, terminateTarget, quarantine, block, postDetected, eventParameters(Array), sourceProcessIdx(Array), targetProcessIdx(Array), fileIdx(Array), processes(Array), files(Array), users(Array), urls(Array), description(Array)
Email body format example:
recordType: threat
messageData/class: threat
messageData/subClass:
eventType: AgentSecurityEvent
generatedTime: 2019-01-29T05:07:58.045-08:00
serverTime: 2018-07-02T20:01:39.591Z
endPointHeader/agentTime: 2018-07-02T20:01:03Z
endPointHeader/tzOffset: 180
product:
facility: TrapsAgent
customerId: 245143
trapsId: mac510a2monday-01
serverHost: coreop-qaauta-2606-0-112132729246-266
serverComponentVersion: 2.0.2
regionId: 70
isEndpoint: 1
agentId: dc3af3198f172048082c21ff0956866b
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.11.6
endPointHeader/is64: 1
endPointHeader/agentIp: 10.200.37.201
endPointHeader/deviceName: A1260700MC1011
endPointHeader/deviceDomain:
severity: emergency
messageData/trapsSeverity: medium
endPointHeader/agentVersion: 5.1.0.1401
endPointHeader/contentVersion: 26-3625
endPointHeader/protectionStatus: 0
messageData/preventionKey: 9a94965188d2455486dd8d60cf4b3849
messageData/moduleId: COMPONENT_EPM_J01
messageData/profile: ExploitModules
messageData/moduleStatusId: CYSTATUS_JIT_EXCEPTION
messageData/verdict:
messageData/preventionMode: blocked
messageData/terminate: 1
messageData/terminateTarget:
quarantine:
messageData/block: 0
messageData/postDetected: 0
messageData/eventParameters: "[""/Users/administrator/Desktop/JitMac/j01_test"",""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4fe4619""]"
messageData/sourceProcessIdx: 0
messageData/targetProcessIdx: -1
messageData/fileIdx: 0
messageData/processes: "[{""exeFileIdx"":0,""commandLine"":""/Users/Administrator/Desktop/JitMac/j01_test test=system depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]"
messageData/files: "[{""sha256"":""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4654619"", ""rawFullPath"":""/Users/administrator/Desktop/JitMac/j01_test"",""signers"":[""N/A""],""fileName"":""j01_test""}]"
messageData/users: "[{""userName"":""Administrator""}]"
messageData/urls: []
messageData/description: Memory Corruption Exploit
Field Name
Description
recordType
Record type associated with the event; you can use it when managing logging quotas. For threat logs the record type is threat, which covers security events that occur on endpoints.
class
Class of Traps management service log: config, policy, system, or agent_log.
eventType
Subtype of event: AgentActionReport, AgentDeviceControlViolation, AgentGenericMessage, AgentSamReport, AgentScanReport, AgentSecurityEvent, AgentStatistics, AgentTimelineEvent, ServerLogPerAgent, ServerLogPerTenant, or ServerLogSystem.
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10
    —Americas (N. Virginia)
  • 70
    —EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0
    —No, host is not an endpoint.
  • 1
    —Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
osType
Operating system of the endpoint:
  • 1
    —Windows
  • 2
    —OS X/macOS
  • 3
    —Android
  • 4
    —Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0
    —The endpoint is not a VDI
  • 1
    —The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit (x64) operating system:
  • 0
    —The endpoint is not running x64 architecture
  • 1
    —The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
severity
Syslog severity level associated with the event.
  • 2
    —Critical. Used for events that require immediate attention.
  • 3
    —Error. Used for events that require special handling.
  • 4
    —Warning. Used for events that sometimes require special handling.
  • 5
    —Notice. Used for normal but significant events that can require attention.
  • 6
    —Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
trapsSeverity
Severity level associated with the event defined for Traps management service. Each of these severities corresponds to a syslog severity level:
  • 0
    —Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.
  • 1
    —Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.
  • 2
    —Medium. Used for events that sometimes require special handling. Corresponds to the syslog 4 (Warning) severity level.
  • 3
    —High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.
  • 4
    —Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.
See also the severity log field.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0
    —Protected
  • 1
    —OsVersionIncompatible
  • 2
    —AgentIncompatible
preventionKey
Unique identifier of the security event.
moduleId
Security module name.
profile
Name of the security profile that triggered the event.
moduleStatusId
Identifies the specific Traps protection module status that produced the event. Possible values:
  • CYSTATUS_ABNORMAL_PROCESS_TERMINATION
  • CYSTATUS_ALIGNED_HEAP_SPRAY_DETECTED
  • CYSTATUS_CHILD_PROCESS_BLOCKED
  • CYSTATUS_CORE_LIBRARY_LOADED
  • CYSTATUS_CORE_LIBRARY_UNLOADING
  • CYSTATUS_CPLPROT_BLACKLIST
  • CYSTATUS_CPLPROT_REMOTE_DRIVE
  • CYSTATUS_CPLPROT_REMOVABLE_DRIVE
  • CYSTATUS_CYINJCT_DISPATCH
  • CYSTATUS_CYINJCT_MAPPING
  • CYSTATUS_CYVERA_PREVENTION
  • CYSTATUS_DANGEROUS_SYSTEM_SERVICE_CALLED
  • CYSTATUS_DEMO_EVENT
  • CYSTATUS_DEP_SEH_INF_VIOLATION
  • CYSTATUS_DEP_SEH_VIOLATION
  • CYSTATUS_DEP_VIOLATION
  • CYSTATUS_DEP_VIOLATION_UNALLOCATED
  • CYSTATUS_DEVICE_BLOCKED
  • CYSTATUS_DLLPROT_BLACKLIST
  • CYSTATUS_DLLPROT_CURRENT_WORKING_DIRECTORY
  • CYSTATUS_DLLPROT_REMOTE_DRIVE
  • CYSTATUS_DLLPROT_REMVABLE_DRIVE
  • CYSTATUS_DOTNET_CRITICAL
  • CYSTATUS_DSE
  • CYSTATUS_EPM_INIT_FAILED
  • CYSTATUS_FAILED_CHECK_MEDIA
  • CYSTATUS_FILE_DELETION_BOOT_DONE
  • CYSTATUS_FILE_DELETION_FAILED
  • CYSTATUS_FILE_DELETION_SUCCEEDED
  • CYSTATUS_FINGERPRINTING_ATTEMPT
  • CYSTATUS_FONT_PROT_DUQU
  • CYSTATUS_FORBIDDEN_MEDIA
  • CYSTATUS_FORBIDDEN_OPTICAL_MEDIA
  • CYSTATUS_FORBIDDEN_REMOTE_MEDIA
  • CYSTATUS_FORBIDDEN_REMOVABLE_MEDIA
  • CYSTATUS_GS_COOKIE_CORRUPTED_COOKIE
  • CYSTATUS_GUARD_PAGE_VIOLATION
  • CYSTATUS_HASH_CONTROL
  • CYSTATUS_HEAP_CORRUPTION
  • CYSTATUS_HOOKING_ENTRY_POINT_FAILED
  • CYSTATUS_HOTPATCH_HIJACKING
  • CYSTATUS_ILLEGAL_EXECUTABLE
  • CYSTATUS_ILLEGAL_UNSIGNED_EXECUTABLE
  • CYSTATUS_INJ_APPCONTAINER_FAILURE
  • CYSTATUS_INJ_CTX_FAILURE
  • CYSTATUS_JAVA_FILE
  • CYSTATUS_JAVA_PROC
  • CYSTATUS_JAVA_REG
  • CYSTATUS_JIT_EXCEPTION
  • CYSTATUS_LINUX_BRUTEFORCE_PREVENTED
  • CYSTATUS_LINUX_ROOT_ESCALATION_PREVENTED
  • CYSTATUS_LINUX_SHELLCODE_PREVENTED
  • CYSTATUS_LINUX_SOCKET_SHELL_PREVENTED
  • CYSTATUS_LOCAL_ANALYSIS
  • CYSTATUS_MACOS_DLPROT_CWD_HIJACK
  • CYSTATUS_MACOS_DLPROT_DUPLICATE_PATH_CHECK
  • CYSTATUS_MACOS_G02_BLOCK_ALL
  • CYSTATUS_MACOS_G02_SIGNER_NAME_MISMATCH
  • CYSTATUS_MACOS_G02_SIGN_LEVEL_BELOW_MIN
  • CYSTATUS_MACOS_G02_SIGN_LEVEL_BELOW_PARENT
  • CYSTATUS_MACOS_MALICIOUS_DYLIB
  • CYSTATUS_MACOS_ROOT_ESCALATION_PREVENTED
  • CYSTATUS_MALICIOUS_APK
  • CYSTATUS_MALICIOUS_DLL
  • CYSTATUS_MALICIOUS_EXE
  • CYSTATUS_MALICIOUS_EXE_ASYNC
  • CYSTATUS_MALICIOUS_MACRO
  • CYSTATUS_MALICIOUS_STRING_DETECTED
  • CYSTATUS_MEMORY_USAGE_LIMIT_EXCEEDED
  • CYSTATUS_NOP_SLED_DETECTED
  • CYSTATUS_NO_MEMORY
  • CYSTATUS_NO_REGISTER_CORRECTED
  • CYSTATUS_PREALLOCATED_ADDR_ACCESSED
  • CYSTATUS_PROCESS_CREATION_VIOLATION
  • CYSTATUS_QUARANTINE_FAILED
  • CYSTATUS_QUARANTINE_SUCCEEDED
  • CYSTATUS_RANSOMWARE
  • CYSTATUS_RESTORE_FAILED
  • CYSTATUS_RESTORE_SUCCEEDED
  • CYSTATUS_ROP_MITIGATION
  • CYSTATUS_SEH_CRITICAL
  • CYSTATUS_SEH_INF_CRITICAL
  • CYSTATUS_SHELL_CODE_TRAP_CALLED
  • CYSTATUS_STACK_OVERFLOW
  • CYSTATUS_SUSPENDED_PROCESS_BLOCKED
  • CYSTATUS_SUSPICIOUS_APC
  • CYSTATUS_SUSPICIOUS_LINK_FILE
  • CYSTATUS_SYSTEM_SCAN_FINISHED
  • CYSTATUS_SYSTEM_SCAN_STARTED
  • CYSTATUS_THREAD_INJECTION
  • CYSTATUS_TLA_MODEL_NOT_LOADED
  • CYSTATUS_TOKEN_THEFT_FILE_OPERATION
  • CYSTATUS_TOKEN_THEFT_PROCESS_CREATED
  • CYSTATUS_TOKEN_THEFT_REGISTRY_OPERATION
  • CYSTATUS_TOKEN_THEFT_THREAD_CREATED
  • CYSTATUS_TOKEN_THEFT_THREAD_INJECTED
  • CYSTATUS_TOKEN_THEFT_THREAD_STARTED
  • CYSTATUS_UASLR_CRITICAL
  • CYSTATUS_UNALLOWED_CODE_SEGMENT
  • CYSTATUS_UNAUTHORIZED_CALL_TO_SYSTEM_SERVICE
  • CYSTATUS_UNSIGNED_CHILD_PROCESS_BLOCKED
  • CYSTATUS_WILDFIRE_GRAYWARE
  • CYSTATUS_WILDFIRE_MALWARE
  • CYSTATUS_WILDFIRE_UNKNOWN
verdict
Verdict for the file:
  • 0
    —Benign
  • 1
    —Malware
  • 2
    —Grayware
  • 4
    —Phishing
  • 99
    —Unknown
preventionMode
Action carried out by the Traps agent (block or notify). The prevention mode is specified in the rule configuration.
terminate
Whether Traps terminated the process that triggered the event:
  • 0
    —Traps did not terminate the process.
  • 1
    —Traps terminated the process.
terminateTarget
Termination action taken on the target file (relevant for some child process execution events where we terminate the child process but not the parent process):
  • 0
    —Target file was not terminated.
  • 1
    —Target file was terminated.
quarantine
Quarantine action taken on the file:
  • 0
    —File was not quarantined.
  • 1
    —File was quarantined.
block
Block action taken on the file:
  • 0
    —File was not blocked
  • 1
    —File was blocked.
postDetected
Post detection status of the file:
  • 0
    —Initial prevention.
  • 1
    —Detected after an initial execution.
eventParameters(Array)
Parameters associated with the type of event. For example, username, endpoint hostname, and filename.
sourceProcessIdx(Array)
The prevention source process index in the processes array.
targetProcessIdx(Array)
Target process index in the processes array. A missing or negative value means there is no target process.
fileIdx(Array)
Index into the files array of the target file, for security events that have one (for example, scanning, Malicious DLL, and Malicious Macro events).
processes(Array)
All related details for the process file that triggered an event:
  • 1
    —System process ID
  • 2
    —Parent process ID
  • 3
    —File object corresponding to the process executable file
  • 4
    —Command line arguments (if any)
  • 5
    —Description field of the VERSIONINFO resource
  • 6
    —File version field of the VERSIONINFO resource
files(Array)
File object includes:
  • 1
    —SHA256 hash value of the file
  • 2
    —SHA256 hash value of the macro
  • 3
    —Raw full filepath
  • 4
    —A predefined drive type: local, network mapped drive, UNC path host, removable media, etc.
  • 5
    —File name (with no extension), such as AdapterTroubleshooter
  • 6
    —File extension (for example, EXE or DLL)
  • 7
    —File type defined by the Traps agent
  • 8
    —UTC file creation time
  • 9
    —UTC file modification time
  • 10
    —UTC file access time
  • 11
    —File attributes bitmask
  • 12
    —File size in bytes
  • 13
    —Signer field of the code signing certificate
users(Array)
Details about the active user on the endpoint when the event occurred:
  • 1
    —Username of the active user on the endpoint.
  • 2
    —Domain to which the user account belongs.
urls(Array)
Additional details related to a URL:
  • 1
    —Raw URL
  • 2
    —URL schema; For example: HTTP, HTTPS, FTP, LDAP
  • 3
    —Hostname in punycode
  • 4
    —Host port
  • 5
    —Canonicalized URL path part according to schema requirements
  • 6
    —Query parameters (HTTP and HTTPS only)
  • 7
    —Fragment parameters (HTTP and HTTPS only)
description(Array)
(Mac only) Description of components related to Traps. For example, the description of the ROP, JIT, and Dylib hijacking modules for Mac endpoints is Memory Corruption Exploit.
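As an added example (not code from the Traps documentation or product), the following Python parser consumes a threat record forwarded over syslog: it separates the RFC 5424 header from the CSV body, maps the columns to the field names in the syslog format above, decodes the JSON array fields, and follows sourceProcessIdx and targetProcessIdx into the processes, files and users arrays. The sample message is constructed from the values in the email body example above; the PRI value, the app-name CDL and the "-" placeholders in the syslog header are assumptions, because the page does not show the header Cortex Data Lake emits.

```python
"""Added example: parse a Traps threat record forwarded as RFC 5424 syslog with a CSV body."""
import csv
import json
import re
from typing import Any, Dict, Optional

# Column order of the Threat Logs syslog format, copied from the field list on this page.
THREAT_FIELDS = [
    "recordType", "class", "FUTURE_USE", "eventType", "generatedTime", "serverTime",
    "agentTime", "tzOffset", "FUTURE_USE", "facility", "customerId", "trapsId",
    "serverHost", "serverComponentVersion", "regionId", "isEndpoint", "agentId",
    "osType", "isVdi", "osVersion", "is64", "agentIp", "deviceName", "deviceDomain",
    "severity", "trapsSeverity", "agentVersion", "contentVersion", "protectionStatus",
    "preventionKey", "moduleId", "profile", "moduleStatusId", "verdict",
    "preventionMode", "terminate", "terminateTarget", "quarantine", "block",
    "postDetected", "eventParameters", "sourceProcessIdx", "targetProcessIdx",
    "fileIdx", "processes", "files", "users", "urls", "description",
]
ARRAY_FIELDS = {"eventParameters", "processes", "files", "users", "urls"}  # JSON inside CSV
INDEX_FIELDS = {"sourceProcessIdx", "targetProcessIdx", "fileIdx"}         # integer or empty
# trapsSeverity name -> syslog severity number, from the trapsSeverity table on this page.
TRAPS_TO_SYSLOG = {"informational": 6, "low": 5, "medium": 4, "high": 3, "critical": 2}

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$"
)

# Constructed sample. Field values come from the email example on this page; the PRI value,
# the app-name "CDL" and the "-" placeholders in the header are assumptions.
SAMPLE_LINE = (
    "<132>1 2018-07-02T20:01:39.591Z coreop-qaauta-2606-0-112132729246-266 CDL - - - "
    "threat,threat,,AgentSecurityEvent,2019-01-29T05:07:58.045-08:00,"
    "2018-07-02T20:01:39.591Z,2018-07-02T20:01:03Z,180,,TrapsAgent,245143,"
    "mac510a2monday-01,coreop-qaauta-2606-0-112132729246-266,2.0.2,70,1,"
    "dc3af3198f172048082c21ff0956866b,2,0,10.11.6,1,10.200.37.201,A1260700MC1011,,"
    "emergency,medium,5.1.0.1401,26-3625,0,9a94965188d2455486dd8d60cf4b3849,"
    "COMPONENT_EPM_J01,ExploitModules,CYSTATUS_JIT_EXCEPTION,,blocked,1,,,0,0,"
    '"[""/Users/administrator/Desktop/JitMac/j01_test"",'
    '""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4fe4619""]",0,-1,0,'
    '"[{""exeFileIdx"":0,""commandLine"":""/Users/Administrator/Desktop/JitMac/j01_test '
    'test=system depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]",'
    '"[{""sha256"":""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4fe4619"",'
    '""rawFullPath"":""/Users/administrator/Desktop/JitMac/j01_test"",'
    '""signers"":[""N/A""],""fileName"":""j01_test""}]",'
    '"[{""userName"":""Administrator""}]",[],Memory Corruption Exploit'
)


def split_syslog(line: str) -> Dict[str, str]:
    """Separate the RFC 5424 header fields from the CSV message body."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 syslog message")
    return m.groupdict()


def parse_threat_csv(body: str) -> Dict[str, Any]:
    """Map CSV columns to field names; csv unescapes the doubled quotes in the JSON columns."""
    row = next(csv.reader([body]))
    if len(row) != len(THREAT_FIELDS):   # a shifted layout must fail loudly, not mislabel fields
        raise ValueError(f"expected {len(THREAT_FIELDS)} columns, got {len(row)}")
    rec: Dict[str, Any] = {}
    for name, value in zip(THREAT_FIELDS, row):
        if name == "FUTURE_USE":
            continue                                   # reserved column, nothing to keep
        if name in ARRAY_FIELDS:
            rec[name] = json.loads(value) if value else []
        elif name in INDEX_FIELDS:
            rec[name] = int(value) if value else None  # missing index: no process/file
        else:
            rec[name] = value
    return rec


def _process_view(rec: Dict[str, Any], idx: Optional[int]) -> Optional[Dict[str, Any]]:
    """Follow a process index into processes[], then exeFileIdx/userIdx into files[]/users[]."""
    procs, files, users = rec["processes"], rec["files"], rec["users"]
    if idx is None or not 0 <= idx < len(procs):       # negative or missing: no such process
        return None
    p = procs[idx]
    f = files[p["exeFileIdx"]] if 0 <= p.get("exeFileIdx", -1) < len(files) else {}
    u = users[p["userIdx"]] if 0 <= p.get("userIdx", -1) < len(users) else {}
    return {"pid": p.get("pid"), "parentId": p.get("parentId"), "commandLine": p.get("commandLine"),
            "path": f.get("rawFullPath"), "sha256": f.get("sha256"),
            "signers": f.get("signers", []), "user": u.get("userName")}


def parse_threat_line(line: str) -> Dict[str, Any]:
    """Header + CSV body -> one flat event record for a SIEM rule or a notebook."""
    hdr = split_syslog(line)
    rec = parse_threat_csv(hdr["msg"])
    return {
        "preventionKey": rec["preventionKey"],
        "endpoint": rec["deviceName"],
        "module": rec["moduleStatusId"],
        "syslogSeverity": TRAPS_TO_SYSLOG.get(rec["trapsSeverity"].lower()),
        "headerPri": int(hdr["pri"]),
        "terminated": rec["terminate"] == "1",
        "source": _process_view(rec, rec["sourceProcessIdx"]),
        "target": _process_view(rec, rec["targetProcessIdx"]),
    }
```

The column-count check is deliberate: positional CSV parsing silently shifts every field after an inserted column, so reject rows of unexpected width rather than guess. A negative targetProcessIdx, as in the sample, is the documented "no target process" case and resolves to None.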

Config Logs

Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName, userName, userRole, userDomain, additionalData(Array), messageCode, errorText, errorData, resultData
Email body format example:
recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product:
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId:
isEndpoint: 0
agentId:
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc:
messageData/msgTextEn: User username@paloaltonetworks.com has logged in with role superadmin
endPointHeader/userFullName:
endPointHeader/username:
endPointHeader/userRole:
endPointHeader/userDomain:
endPointHeader/agentTime:
endPointHeader/tzOffset:
endPointHeader/osType:
endPointHeader/isVdi:
endPointHeader/osVersion:
endPointHeader/is64:
endPointHeader/agentIp:
endPointHeader/deviceName:
endPointHeader/deviceDomain:
endPointHeader/agentVersion:
endPointHeader/contentVersion:
endPointHeader/protectionStatus:
messageData/userFullName:
messageData/username:
messageData/userRole:
messageData/userDomain:
messageData/messageName:
messageData/messageId:
messageData/processStatus:
messageData/errorText:
messageData/errorData:
messageData/resultData:
messageData/parameters:
messageData/additionalData: {}
Field Name
Description
recordType
Record type associated with the event; you can use it when managing logging quotas. For config logs the record type is config, which covers Traps management service administration and configuration changes.
class
Class of Traps management service log. System logs have a value of system.
subClass
Subclass of event. Used to categorize logs in Traps management service user interface.
subClassId
Numeric representation of the subClass field for easy sorting and filtering.
eventType
Subtype of event.
eventCategory
Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config
    —deviceManagement, distributionManagement, reportManagement, securityEventManagement, systemManagement
  • policy
    —exceptionManagement, policyManagement, profileManagement, sam
  • system
    —licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log
    —agentFlow
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10
    —Americas (N. Virginia)
  • 70
    —EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0
    —No, host is not an endpoint.
  • 1
    —Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
severity
Syslog severity level associated with the event.
  • 2
    —Critical. Used for events that require immediate attention.
  • 3
    —Error. Used for events that require special handling.
  • 4
    —Warning. Used for events that sometimes require special handling.
  • 5
    —Notice. Used for normal but significant events that can require attention.
  • 6
    —Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
trapsSeverity
Severity level associated with the event defined for Traps management service. Each of these severities corresponds to a syslog severity level:
  • 0
    —Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.
  • 1
    —Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.
  • 2
    —Medium. Used for events that sometimes require special handling. Corresponds to the syslog 4 (Warning) severity level.
  • 3
    —High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.
  • 4
    —Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.
See also the severity log field.
messageCode
System-wide unique message code.
friendlyName
Descriptive log message name.
msgTextEn
Description of the event, in English.
userFullName
Full name of the Traps management service user.
userName
Username associated with Traps management service user.
userRole
Role assigned to Traps management service user.
userDomain
Domain to which the user belongs.
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
osType
Operating system of the endpoint:
  • 1
    —Windows
  • 2
    —OS X/macOS
  • 3
    —Android
  • 4
    —Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0
    —The endpoint is not a VDI
  • 1
    —The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit (x64) operating system:
  • 0
    —The endpoint is not running x64 architecture
  • 1
    —The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0
    —Protected
  • 1
    —OsVersionIncompatible
  • 2
    —AgentIncompatible
userFullName
Full name of Traps management service user.
userName
Username associated with Traps management service user.
userRole
Role assigned to Traps management service user.
userDomain
Domain to which the user belongs.
messageName
Name of the message.
messageId
Unique numeric identifier of the message.
processStatus
State of the process related to the event.
errorText
If known, a description of the documented error.
errorData
Parameters related to an event error.
resultData
Parameters related to a successful event.
parameters
Parameters supplied in the log message.
additionalData(Array)
Additional information regarding event parameters.
loggedInUser
User that is logged in to the Traps management service.

Analytics Logs

Syslog format: recordType, class, FUTURE_USE, eventType, eventCategory, generatedTime, serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256, type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked, executionCount
Email body format example:
recordType: analytics
messageData/class: agent_data
messageData/subClass:
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
serverTime: 2019-01-31T18:59:46.586Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
product:
facility: TrapsAgent
customerId: 110044035
trapsId: 18520039498190352
serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz
serverComponentVersion: 2.0.9+564
regionId: 10
isEndpoint: 1
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.12.6
endPointHeader/is64: 1
endPointHeader/agentIp: 192.168.0.21
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/deviceDomain:
severity:
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
endPointHeader/protectionStatus: 0
messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256:
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"", ""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179
Field Name
Description
recordType
Record type associated with the event; you can use it when managing logging quotas. For analytics logs the record type is analytics, which covers hash execution reports from the agent.
class
Class of Traps management service log: config, policy, system, and agent_log.
eventType
Subtype of event.
eventCategory
Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config
    —deviceManagement, distributionManagement, securityEventManagement, systemManagement
  • policy
    —exceptionManagement, policyManagement, profileManagement, sam
  • system
    —licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log
    —agentFlow
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10
    —Americas (N. Virginia)
  • 70
    —EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0
    —No, host is not an endpoint.
  • 1
    —Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
osType
Operating system of the endpoint:
  • 1
    —Windows
  • 2
    —OS X/macOS
  • 3
    —Android
  • 4
    —Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0
    —The endpoint is not a VDI
  • 1
    —The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit (x64) operating system:
  • 0
    —The endpoint is not running x64 architecture
  • 1
    —The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
severity
Syslog severity level associated with the event.
  • 2
    —Critical. Used for events that require immediate attention.
  • 3
    —Error. Used for events that require special handling.
  • 4
    —Warning. Used for events that sometimes require special handling.
  • 5
    —Notice. Used for normal but significant events that can require attention.
  • 6
    —Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0
    —Protected
  • 1
    —OsVersionIncompatible
  • 2
    —AgentIncompatible
sha256
SHA-256 hash of the file, as a hex string.
type
Type of file:
  • 0
    —Unknown
  • 1
    —PE
  • 2
    —Mach-o
  • 3
    —DLL
  • 4
    —Office file (containing a macro)
parentSha256
SHA-256 hash of the parent file, as a hex string.
lastSeen
Coordinated Universal Time (UTC) equivalent of the time when the file last ran on an endpoint in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
fileName
File name, without the path or the file type extension.
filePath
Full path, aligned to the OS format.
fileSize
Size of the file in bytes.
localAnalysisResult
This object includes the content version, local analysis module version, verdict result, file signer, and trusted signer result. The trusted signer result is an integer value:
  • 0
    —Traps did not evaluate the signer of the file.
  • 1
    —The signer is trusted.
  • 2
    —The signer is not trusted.
reported
Reporting status of the file, in integer value:
  • 0
    —Traps did not report the security event.
  • 1
    —Traps reported the security event.
blocked
Blocking status of the file, in integer value:
  • 0
    —Traps did not block the process or file.
  • 1
    —Traps blocked the process or file.
executionCount
The total number of times a file identified by a specific hash was executed.
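As an added example that is not part of the original page, the following Python code parses the email-body form of an analytics record (one key: value per line), decodes the CSV-quoted JSON in localAnalysisResult, and applies three triage checks derived from the field semantics above: a non-benign local analysis verdict that was not blocked, one that was not reported, and an untrusted signer (trustedId 2) whose file has executed. The first record is constructed from the analytics email example above; the second is hypothetical, with a placeholder hash and an invented file name, to exercise the negative path.

```python
"""Added example: parse the email-body form of a Traps analytics record and triage it."""
import json
from typing import Any, Dict, List

# Constructed from the analytics email example on this page (abbreviated; one "key: value" per line).
BENIGN_RECORD = """\
recordType: analytics
eventType: AgentTimelineEvent
generatedTime: 2019-01-31T18:00:43Z
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256:
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"", ""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179
"""

# Hypothetical negative case (placeholder hash, invented file name): local analysis says Malware
# and the signer is untrusted, yet the file executed without being blocked or reported.
SUSPECT_RECORD = """\
recordType: analytics
eventType: AgentTimelineEvent
generatedTime: 2019-01-31T19:02:10Z
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
messageData/sha256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
messageData/type: macho
messageData/parentSha256:
messageData/lastSeen: 2019-01-31T19:02:10Z
messageData/fileName: updater_helper
messageData/filePath: /users/username/downloads/
messageData/fileSize: 21504
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Malware"",""trusted"":""None"",""publishers"":[],""resultId"":1,""trustedId"":2}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 3
"""


def parse_email_body(body: str) -> Dict[str, str]:
    """One 'prefix/key: value' per line; keys reduce to the leaf name (messageData/sha256 -> sha256)."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")   # keys never contain ':'; values (timestamps) may
        fields[key.strip().rsplit("/", 1)[-1]] = value.strip()
    return fields


def decode_csv_json(value: str) -> Dict[str, Any]:
    """localAnalysisResult is CSV-quoted JSON: outer quotes, inner quotes doubled."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1].replace('""', '"')
    return json.loads(value) if value else {}


def triage_analytics(body: str) -> Dict[str, Any]:
    """Normalise one analytics record and apply the checks a SOC would run on hash reports."""
    f = parse_email_body(body)
    lar = decode_csv_json(f.get("localAnalysisResult", ""))
    rec: Dict[str, Any] = {
        "sha256": f.get("sha256", ""),
        "fileName": f.get("fileName", ""),
        "filePath": f.get("filePath", ""),
        "endpoint": f.get("deviceName", ""),
        "verdict": lar.get("result"),
        "publishers": lar.get("publishers", []),
        "trustedId": lar.get("trustedId"),            # 0 not evaluated, 1 trusted, 2 not trusted
        "executionCount": int(f.get("executionCount") or 0),
        "blocked": f.get("blocked") == "1",
        "reported": f.get("reported") == "1",
    }
    findings: List[str] = []
    if rec["verdict"] not in (None, "Benign"):
        if not rec["blocked"]:
            findings.append(f"verdict {rec['verdict']} but blocked=0")
        if not rec["reported"]:
            findings.append(f"verdict {rec['verdict']} but reported=0")
    if rec["trustedId"] == 2 and rec["executionCount"] > 0:
        findings.append("untrusted signer executed")
    rec["findings"] = findings
    return rec
```

decode_csv_json also accepts bare JSON, so it works unchanged on the localAnalysisResult column of the syslog form once a CSV parser has split the row. The executionCount condition is what makes trustedId worth alerting on: an untrusted signer that never executed is inventory, one that has is a lead.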

System Logs

Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName, username, userRole, userDomain, agentTime, tzOffset, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, agentVersion, contentVersion, protectionStatus, userFullName, username, userRole, userDomain, messageName, messageId, processStatus, errorText, errorData, resultData, parameters, additionalData(Array)
Email body format example:
recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product:
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId:
isEndpoint: 0
agentId:
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc:
messageData/msgTextEn: User username@paloaltonetworks.com has logged in with role superadmin
endPointHeader/userFullName:
endPointHeader/username:
endPointHeader/userRole:
endPointHeader/userDomain:
endPointHeader/agentTime:
endPointHeader/tzOffset:
endPointHeader/osType:
endPointHeader/isVdi:
endPointHeader/osVersion:
endPointHeader/is64:
endPointHeader/agentIp:
endPointHeader/deviceName:
endPointHeader/deviceDomain:
endPointHeader/agentVersion:
endPointHeader/contentVersion:
endPointHeader/protectionStatus:
messageData/userFullName:
messageData/username:
messageData/userRole:
messageData/userDomain:
messageData/messageName:
messageData/messageId:
messageData/processStatus:
messageData/errorText:
messageData/errorData:
messageData/resultData:
messageData/parameters:
messageData/additionalData: {}
Field Name
Description
recordType
Record type associated with the event; you can use it when managing logging quotas. For system logs the record type is system, which covers automated system management and agent reporting events.
class
Class of Traps management service log. System logs have a value of system.
subClass
Subclass of event. Used to categorize logs in Traps management service user interface.
subClassId
Numeric representation of the subClass field for easy sorting and filtering.
eventType
Subtype of event.
eventCategory
Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config
    —deviceManagement, distributionManagement, securityEventManagement, systemManagement
  • policy
    —exceptionManagement, policyManagement, profileManagement, sam
  • system
    —licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log
    —agentFlow
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10
    —Americas (N. Virginia)
  • 70
    —EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0
    —No, host is not an endpoint.
  • 1
    —Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
severity
Syslog severity level associated with the event. The table below lists the numeric levels; in the email body example above the level appears by name (notice) rather than by number.
  • 2
    —Critical. Used for events that require immediate attention.
  • 3
    —Error. Used for events that require special handling.
  • 4
    —Warning. Used for events that sometimes require special handling.
  • 5
    —Notice. Used for normal but significant events that can require attention.
  • 6
    —Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
trapsSeverity
Severity level associated with the event defined for Traps management service. Each of these severities corresponds to a syslog severity level:
  • 0
    —Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.
  • 1
    —Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.
  • 2
    —Medium. Used for events that sometimes require special handling. Corresponds to the syslog 4 (Warning) severity level.
  • 3
    —High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.
  • 4
    —Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.
See also the severity log field.
messageCode
System-wide unique message code.
friendlyName
Descriptive log message name.
msgTextEn
Description of the event, in English.
userFullName
Full name of the Traps management service user. The four user fields (userFullName, username, userRole, userDomain) appear twice in the syslog format; this first group is the one the email body labels endPointHeader/, and the second group, later in the format, is the one labelled messageData/.
username
Username of the Traps management service user.
userRole
Role assigned to the Traps management service user.
userDomain
Domain to which the user belongs.
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
osType
Operating system of the endpoint:
  • 1
    —Windows
  • 2
    —OS X/macOS
  • 3
    —Android
  • 4
    —Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0
    —The endpoint is not a VDI
  • 1
    —The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit operating system (the example above is a 64-bit macOS endpoint, not only Windows):
  • 0
    —The endpoint is not running x64 architecture
  • 1
    —The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0
    —Protected
  • 1
    —OsVersionIncompatible
  • 2
    —AgentIncompatible
userFullName
Full name of the Traps management service user (second occurrence in the syslog format; the email body labels this group messageData/).
username
Username of the Traps management service user.
userRole
Role assigned to the Traps management service user.
userDomain
Domain to which the user belongs.
messageName
Name of the message.
messageId
Unique numeric identifier of the message.
processStatus
State of the process related to the event.
errorText
If known, a description of the documented error.
errorData
Parameters related to an event error.
resultData
Parameters related to a successful event.
parameters
Parameters supplied in the log message.
additionalData(Array)
Additional information regarding event parameters.
loggedInUser
User that is logged in to the Traps management service.

Analytics Logs

Syslog format
: recordType, class, FUTURE_USE, eventType, category, generatedTime, serverTime, agentTime, tzoffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256, type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked, executionCount
Email body format example
:
recordType: analytics messageData/class: agent_data messageData/subClass: eventType: AgentTimelineEvent messageData/eventCategory: hash generatedTime: 2019-01-31T18:00:43Z serverTime: 2019-01-31T18:59:46.586Z endPointHeader/agentTime: 2019-01-31T18:00:43Z endPointHeader/tzOffset: -480 product: facility: TrapsAgent customerId: 110044035 trapsId: 18520039498190352 serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz serverComponentVersion: 2.0.9+564 regionId: 10 isEndpoint: 1 agentId: 3bcf7e5ff56e2891c78684a38b728e49 endPointHeader/osType: 2 endPointHeader/isVdi: 0 endPointHeader/osVersion: 10.12.6 endPointHeader/is64: 1 endPointHeader/agentIp: 192.168.0.21 endPointHeader/deviceName: Jeffreys-MacBook-Pro.local endPointHeader/deviceDomain: severity: endPointHeader/agentVersion: 5.0.5.1193 endPointHeader/contentVersion: 42-6337 endPointHeader/protectionStatus: 0 messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26 messageData/type: macho messageData/parentSha256: messageData/lastSeen: 2019-01-31T18:00:43Z messageData/fileName: crashpad_handler messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/ messageData/fileSize: 353680 messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"", ""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}" messageData/reported: 0 messageData/blocked: 0 messageData/executionCount: 4179
Field Name
Description
recordType
Record type associated with the event and that you can use when managing logging quotas:
  • config
    —Traps management service administration and configuration changes.
  • system
    —Automated system management and agent reporting events.
  • analytics
    —Hourly hash execution report from the agent.
  • threats
    —Security events that occur on the endpoints.
class
Class of Traps management service log: config, policy, system, and agent_log. Analytics logs carry the class agent_data, as in the example above.
eventType
Subtype of event.
eventCategory
Category of event, used internally for processing the flow of logs. For analytics logs (class agent_data) the syslog format line names this field category, and the example above shows the value hash. For the other classes the event categories vary by class:
  • config
    —deviceManagement, distributionManagement, securityEventManagement, systemManagement
  • policy
    —exceptionManagement, policyManagement, profileManagement, sam
  • system
    —licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log
    —agentFlow
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10
    —Americas (N. Virginia)
  • 70
    —EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0
    —No, host is not an endpoint.
  • 1
    —Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
osType
Operating system of the endpoint:
  • 1
    —Windows
  • 2
    —OS X/macOS
  • 3
    —Android
  • 4
    —Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0
    —The endpoint is not a VDI
  • 1
    —The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit operating system (the example above is a 64-bit macOS endpoint, not only Windows):
  • 0
    —The endpoint is not running x64 architecture
  • 1
    —The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
severity
Syslog severity level associated with the event. The table below lists the numeric levels; note that in the analytics example above this field is empty.
  • 2
    —Critical. Used for events that require immediate attention.
  • 3
    —Error. Used for events that require special handling.
  • 4
    —Warning. Used for events that sometimes require special handling.
  • 5
    —Notice. Used for normal but significant events that can require attention.
  • 6
    —Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0
    —Protected
  • 1
    —OsVersionIncompatible
  • 2
    —AgentIncompatible
sha256
SHA-256 hash of the file, written as a 64-character hexadecimal string (as in the example above).
type
Type of file. The codes are listed below; the email body example above shows the type by name (macho) rather than by code:
  • 0
    —Unknown
  • 1
    —PE
  • 2
    —Mach-o
  • 3
    —DLL
  • 4
    —Office file (containing a macro)
parentSha256
SHA-256 hash of the parent file, as a hexadecimal string; empty in the example above.
lastSeen
Coordinated Universal Time (UTC) equivalent of the time when the file last ran on an endpoint in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
fileName
File name, without the path or the file type extension.
filePath
Path of the file, in the operating system's path format. In the example above this is the directory that contains the file (the file name itself is in fileName) and it is written in lower case.
fileSize
Size of the file in bytes.
localAnalysisResult
JSON object with the local analysis result. It includes the content version, local analysis module version, verdict result, file signer, and trusted signer result; in the example above the keys are contentVersion, result (the verdict, here Benign), trusted and trustedId (the trusted signer result), publishers (the file signers), and resultId. The trusted signer result is an integer value:
  • 0
    —Traps did not evaluate the signer of the file.
  • 1
    —The signer is trusted.
  • 2
    —The signer is not trusted.
reported
Reporting status of the file, as an integer:
  • 0
    —Traps did not report the security event.
  • 1
    —Traps reported the security event.
blocked
Blocking status of the file, as an integer:
  • 0
    —Traps did not block the process or file.
  • 1
    —Traps blocked the process or file.
executionCount
The total number of times a file identified by a specific hash was executed.
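The syslog format lines for system logs and analytics logs above are positional CSV, and the JSON-valued fields (localAnalysisResult, additionalData) are quoted CSV fields with doubled inner quotes, as the email body examples show. The following parser is an added example, not code from the Traps or Cortex Data Lake documentation. It assumes that the RFC 5424 MSG part is exactly the field list from the Syslog format line with standard CSV quoting, that JSON-valued fields decode with json.loads, and it prefixes the two occurrences of the user fields with endPointHeader/ and messageData/ following the email body example (that naming is the example's own). The sample messages are constructed from the values in the email body examples, not captured traffic.

```python
"""Added example (not Traps/Cortex documentation code): parse the CSV message
body Cortex Data Lake forwards for Traps system and analytics logs, then run
a few checks on it.  Assumptions not stated on the page: the RFC 5424 MSG part
is exactly the "Syslog format" field list with standard CSV quoting (fields
holding commas or quotes are double-quoted, embedded quotes doubled), and
JSON-valued fields decode with json.loads."""
import csv
import io
import json

# Field lists copied from the page's "Syslog format" lines.  FUTURE_USE stays in
# place so later columns line up.  The four user fields occur twice; the email
# body example labels the first group endPointHeader/ and the second
# messageData/, so they are prefixed that way here (this naming is mine).
SYSTEM_FIELDS = tuple(
    "recordType,class,FUTURE_USE,subClassId,eventType,eventCategory,"
    "generatedTime,serverTime,FUTURE_USE,facility,customerId,trapsId,"
    "serverHost,serverComponentVersion,regionId,isEndpoint,agentId,severity,"
    "trapsSeverity,messageCode,friendlyName,FUTURE_USE,msgTextEn,"
    "endPointHeader/userFullName,endPointHeader/username,"
    "endPointHeader/userRole,endPointHeader/userDomain,agentTime,tzOffset,"
    "osType,isVdi,osVersion,is64,agentIp,deviceName,deviceDomain,agentVersion,"
    "contentVersion,protectionStatus,messageData/userFullName,"
    "messageData/username,messageData/userRole,messageData/userDomain,"
    "messageName,messageId,processStatus,errorText,errorData,resultData,"
    "parameters,additionalData(Array)".split(","))
ANALYTICS_FIELDS = tuple(
    "recordType,class,FUTURE_USE,eventType,category,generatedTime,serverTime,"
    "agentTime,tzoffset,FUTURE_USE,facility,customerId,trapsId,serverHost,"
    "serverComponentVersion,regionId,isEndpoint,agentId,osType,isVdi,osVersion,"
    "is64,agentIp,deviceName,deviceDomain,severity,agentVersion,contentVersion,"
    "protectionStatus,sha256,type,parentSha256,lastSeen,fileName,filePath,"
    "fileSize,localAnalysisResult,reported,blocked,executionCount".split(","))

# Constructed sample messages built from the values in the page's email body
# examples; they are not captured syslog traffic.
SYSTEM_MSG = ",".join(
    ["system", "system", "", "13", "ServerLogPerTenant", "tenant",
     "2019-01-31T18:15:19.000000+00:00", "2019-01-31T18:15:19.000000+00:00",
     "", "TrapsServerManagement", "004403511", "18520498190303952",
     "14917869646-201.proda.brz", "2.0.9+624", "", "0", "", "notice",
     "informational", "19015", "User Login", "",
     "User username@paloaltonetworks.com has logged in with role superadmin"]
    + [""] * 27 + ["{}"])  # 27 empty endpoint/user/message fields, then additionalData
ANALYTICS_MSG = (
    "analytics,agent_data,,AgentTimelineEvent,hash,2019-01-31T18:00:43Z,"
    "2019-01-31T18:59:46.586Z,2019-01-31T18:00:43Z,-480,,TrapsAgent,110044035,"
    "18520039498190352,coreop-f-proda-mnmauto03930348053-311.proda.brz,"
    "2.0.9+564,10,1,3bcf7e5ff56e2891c78684a38b728e49,2,0,10.12.6,1,"
    "192.168.0.21,Jeffreys-MacBook-Pro.local,,,5.0.5.1193,42-6337,0,"
    "87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26,macho,,"
    "2019-01-31T18:00:43Z,crashpad_handler,/users/username/library/google/"
    "googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/,353680,"
    '"{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",'
    '""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],'
    '""resultId"":0,""trustedId"":0}",0,0,4179')


def naive_field_count(msg: str) -> int:
    """What a plain split(",") sees: the comma inside the publisher name of the
    analytics sample shifts every later column, so blocked, reported and
    executionCount would be read from the wrong positions."""
    return len(msg.split(","))


def parse_message(msg: str, fields: tuple) -> dict:
    """Map one CSV message body onto the page's field names.  The csv module
    applies the doubled-quote rule, so commas inside quoted JSON do not shift
    columns; FUTURE_USE placeholders are dropped and JSON fields are decoded."""
    row = next(csv.reader(io.StringIO(msg)))
    if len(row) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(row)}")
    record = {}
    for name, value in zip(fields, row):
        if name == "FUTURE_USE":
            continue
        if name.endswith("(Array)"):
            name = name[:-len("(Array)")]
        if value and value[0] in "[{":  # 'value' guard: "" would otherwise match
            value = json.loads(value)
        record[name] = value
    return record


# trapsSeverity -> syslog severity from the page's table.  The email body uses
# the names and the table the codes, so both forms are accepted.
_TRAPS_TO_SYSLOG = {0: 6, 1: 5, 2: 4, 3: 3, 4: 2}
_TRAPS_NAMES = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def syslog_severity(traps_severity) -> int:
    key = str(traps_severity).strip().lower()
    return _TRAPS_TO_SYSLOG[_TRAPS_NAMES.get(key, int(key) if key.isdigit() else -1)]


def analytics_findings(rec: dict) -> list:
    """Checks worth running on an hourly hash report.  trustedId is assumed to
    carry the trusted-signer integer from the page's table (2 = not trusted)."""
    lar = rec["localAnalysisResult"]
    findings = []
    if lar.get("result") != "Benign":
        findings.append(f"verdict {lar.get('result')}")
    if lar.get("trustedId") == 2:
        findings.append("signer not trusted")
    if rec["blocked"] == "1":
        findings.append("blocked")
    return findings
```

Two points from running this against the page's own values: naive_field_count(ANALYTICS_MSG) returns 46 for a 40-field record because of the comma in "google, inc.", which is why a field-count check after CSV parsing is the first thing to keep in an ingestion pipeline; and the system log example pairs severity notice with trapsSeverity informational even though the table maps informational to syslog 6, so treat the two severity fields as independently populated rather than deriving one from the other.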
