Traps Logs Formats

The following topics list the fields of each Traps log type that the Cortex Data Lake app can forward to an external server or email destination.
With log forwarding to a syslog receiver, the Cortex Data Lake sends each log as an IETF syslog message in the format defined in RFC 5424, with the log fields carried as a comma-separated value (CSV) string. Fields that hold arrays or objects (for example, the processes and files fields of threat logs) are enclosed in double quotes with any embedded double quotes doubled, as the email examples below show, so a parser should honor CSV quoting rather than splitting on every comma. The FUTURE_USE tag marks fields that Traps management service does not currently implement.
With log forwarding to an email destination, the Cortex Data Lake sends an email with each field on a separate line in the email body.

Threat Logs

Syslog format: recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime, tzoffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, trapsSeverity, agentVersion, contentVersion, protectionStatus, preventionKey, moduleId, profile, moduleStatusId, verdict, preventionMode, terminate, terminateTarget, quarantine, block, postDetected, eventParametersArray, sourceProcessesIdx, targetProcessIdx, fileIdx, processesArray, filesArray, usersArray, urlsArray, description
Email body format example:
recordType: threat
messageData/class: threat
messageData/subClass: 
eventType: AgentSecurityEvent
generatedTime: 2019-01-29T05:07:58.045-08:00
serverTime: 2018-07-02T20:01:39.591Z
endPointHeader/agentTime: 2018-07-02T20:01:03Z
endPointHeader/tzOffset: 180
product: 
facility: TrapsAgent
customerId: 245143
trapsId: mac510a2monday-01
serverHost: coreop-qaauta-2606-0-112132729246-266
serverComponentVersion: 2.0.2
regionId: 70
isEndpoint: 1
agentId: dc3af3198f172048082c21ff0956866b
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.11.6
endPointHeader/is64: 1
endPointHeader/agentIp: 10.200.37.201
endPointHeader/deviceName: A1260700MC1011
endPointHeader/deviceDomain: 
severity: emergency
messageData/trapsSeverity: medium
endPointHeader/agentVersion: 5.1.0.1401
endPointHeader/contentVersion: 26-3625
endPointHeader/protectionStatus: 0
messageData/preventionKey: 9a94965188d2455486dd8d60cf4b3849
messageData/moduleId: COMPONENT_EPM_J01
messageData/profile: ExploitModules
messageData/moduleStatusId: CYSTATUS_JIT_EXCEPTION
messageData/verdict: 
messageData/preventionMode: blocked
messageData/terminate: 1
messageData/terminateTarget: 
quarantine: 
messageData/block: 0
messageData/postDetected: 0
messageData/eventParameters: "[""/Users/administrator/Desktop/JitMac/j01_test"",""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4fe4619""]"
messageData/sourceProcessIdx: 0
messageData/targetProcessIdx: -1
messageData/fileIdx: 0
messageData/processes: "[{""exeFileIdx"":0,""commandLine"":""/Users/Administrator/Desktop/JitMac/j01_test test=system depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]"
messageData/files: "[{""sha256"":""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4654619"", ""rawFullPath"":""/Users/administrator/Desktop/JitMac/j01_test"",""signers"":[""N/A""],""fileName"":""j01_test""}]"
messageData/users: "[{""userName"":""Administrator""}]"
messageData/urls: []
messageData/description: Memory Corruption Exploit
Field Name / Description
recordType
Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is threat which includes logs related to security events that occur on the endpoints.
class
Class of Traps management service log: config, policy, system, and agent_log.
eventType
Subtype of event.
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10—Americas (N. Virginia)
  • 70—EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0—No, host is not an endpoint.
  • 1—Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
osType
Operating system of the endpoint:
  • 1—Windows
  • 2—OS X/macOS
  • 3—Android
  • 4—Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0—The endpoint is not a VDI
  • 1—The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit version of Windows:
  • 0—The endpoint is not running x64 architecture
  • 1—The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
severity
Syslog severity level associated with the event.
  • 2—Critical. Used for events that require immediate attention.
  • 3—Error. Used for events that require special handling.
  • 4—Warning. Used for events that sometimes require special handling.
  • 5—Notice. Used for normal but significant events that can require attention.
  • 6—Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
trapsSeverity
Severity level associated with the event defined for Traps management service. Each of these severities corresponds to a syslog severity level:
  • 0—Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.
  • 1—Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.
  • 2—Medium. Used for events that sometimes require special handling. Corresponds to the syslog 2 (Warning) severity level.
  • 3—High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.
  • 4—Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.
See also the severity log field.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0—Protected
  • 1—OsVersionIncompatible
  • 2—AgentIncompatible
preventionKey
Unique identifier for security events.
moduleId
Security module name.
profile
Name of the security profile that triggered the event.
moduleStatusId
Identifies the specific component of Traps modules. For example, CYSTATUS_DEP_VIOLATION_UNALLOCATED or DLLPROT_BLACKLIST.
verdict
Verdict for the file:
  • 0—Benign
  • 1—Malware
  • 2—Grayware
  • 4—Phishing
  • 99—Unknown
preventionMode
Action carried out by the Traps agent (block or notify). The prevention mode is specified in the rule configuration.
terminate
Termination action taken on the file.
  • 0—Traps did not terminate the file.
  • 1—Traps terminated the file.
terminateTarget
Termination action taken on the target file (relevant for some child process execution events where we terminate the child process but not the parent process):
  • 0—Target file was not terminated.
  • 1—Target file was terminated.
quarantine
Quarantine action taken on the file:
  • 0—File was not quarantined.
  • 1—File was quarantined.
block
Block action taken on the file:
  • 0—File was not blocked
  • 1—File was blocked.
postDetected
Post detection status of the file:
  • 0—Initial prevention.
  • 1—Detected after an initial execution.
eventParameters (Array)
Parameters associated with the type of event. For example, username, endpoint hostname, and filename.
sourceProcessIdx (Array)
The prevention source process index in the processes array.
targetProcessIdx (Array)
Target process index in the processes array. A missing or negative value means there is no target process.
fileIdx (Array)
Index of target files for specific security events such as: Scanning, Malicious DLL, Malicious Macro events.
processes (Array)
All related details for the process file that triggered an event:
  • 1—System process ID
  • 2—Parent process ID
  • 3—File object corresponding to the process executable file
  • 4—Command line arguments (if any)
  • 5—Description field of the VERSIONINFO resource
  • 6—File version field of the VERSIONINFO resource
files (Array)
File object includes:
  • 1—SHA256 hash value of the file
  • 2—SHA256 hash value of the macro
  • 3—Raw full filepath
  • 4—A predefined drive type: local, network mapped drive, UNC path host, removable media, etc.
  • 5—File name (with no extension), such as AdapterTroubleshooter
  • 6—File extension (for example, EXE or DLL)
  • 7—File type defined by the Traps agent
  • 8—UTC file creation time
  • 9—UTC file modification time
  • 10—UTC file access time
  • 11—File attributes bitmask
  • 12—File size in bytes
  • 13—Signer field of the code signing certificate
users (Array)
Details about the active user on the endpoint when the event occurred:
  • 1—Username of the active user on the endpoint.
  • 2—Domain to which the user account belongs.
urls (Array)
Additional details related to a URL:
  • 1—Raw URL
  • 2—URL schema; For example: HTTP, HTTPS, FTP, LDAP
  • 3—Hostname in punycode
  • 4—Host port
  • 5—Canonicalized URL path part according to schema requirements
  • 6—Query parameters (HTTP and HTTPS only)
  • 7—Fragment parameters (HTTP and HTTPS only)
description (Array)
(Mac only) Description of components related to Traps. For example, the description of the ROP, JIT, Dylib hijacking modules for Mac endpoints is Memory Corruption Exploit.
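The following parser, added here as an example and not part of the vendor documentation, splits a forwarded threat log into its RFC 5424 header and CSV payload, maps the payload onto the field names in the order of the Syslog format line above, decodes the quoted JSON array fields, and follows the index fields into the processes and files arrays. The syslog header values and the exact CSV quoting of the array fields are assumptions (modelled on the email example); the payload values are the page's own sample.

```python
"""Parse a Traps threat log arriving over syslog: an RFC 5424 header followed by
the comma-separated payload in the "Syslog format" field order above. Added
example; the syslog header is constructed and CSV quoting of the array fields
is assumed to match the email sample (outer double quotes, inner quotes doubled)."""
import csv
import io
import json
import re

# Field order copied from this page's threat log "Syslog format" line.
THREAT_FIELDS = [
    "recordType", "class", "FUTURE_USE", "eventType", "generatedTime",
    "serverTime", "agentTime", "tzoffset", "FUTURE_USE", "facility",
    "customerId", "trapsId", "serverHost", "serverComponentVersion",
    "regionId", "isEndpoint", "agentId", "osType", "isVdi", "osVersion",
    "is64", "agentIp", "deviceName", "deviceDomain", "severity",
    "trapsSeverity", "agentVersion", "contentVersion", "protectionStatus",
    "preventionKey", "moduleId", "profile", "moduleStatusId", "verdict",
    "preventionMode", "terminate", "terminateTarget", "quarantine", "block",
    "postDetected", "eventParametersArray", "sourceProcessesIdx",
    "targetProcessIdx", "fileIdx", "processesArray", "filesArray",
    "usersArray", "urlsArray", "description",
]
ARRAY_FIELDS = ("eventParametersArray", "processesArray", "filesArray",
                "usersArray", "urlsArray")
# Traps severity names mapped to the numeric levels listed under trapsSeverity.
TRAPS_SEVERITY = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$"
)

# Constructed message: header values are made up; payload values are the page's
# own threat sample laid out in syslog field order (SHA value as printed there).
SHA = "711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4fe4619"
SAMPLE = (
    "<14>1 2018-07-02T20:01:39.591Z cdl-forwarder.example Traps - - - "
    "threat,threat,,AgentSecurityEvent,2019-01-29T05:07:58.045-08:00,"
    "2018-07-02T20:01:39.591Z,2018-07-02T20:01:03Z,180,,TrapsAgent,245143,"
    "mac510a2monday-01,coreop-qaauta-2606-0-112132729246-266,2.0.2,70,1,"
    "dc3af3198f172048082c21ff0956866b,2,0,10.11.6,1,10.200.37.201,A1260700MC1011,,"
    "emergency,medium,5.1.0.1401,26-3625,0,9a94965188d2455486dd8d60cf4b3849,"
    "COMPONENT_EPM_J01,ExploitModules,CYSTATUS_JIT_EXCEPTION,,blocked,1,,,0,0,"
    '"[""/Users/administrator/Desktop/JitMac/j01_test"",""' + SHA + '""]",0,-1,0,'
    '"[{""exeFileIdx"":0,""commandLine"":""/Users/Administrator/Desktop/JitMac/j01_test '
    'test=system depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]",'
    '"[{""sha256"":""' + SHA + '"",""rawFullPath"":""/Users/administrator/Desktop/JitMac/'
    'j01_test"",""signers"":[""N/A""],""fileName"":""j01_test""}]",'
    '"[{""userName"":""Administrator""}]",[],Memory Corruption Exploit'
)


def split_syslog(line):
    """Return (header dict, CSV payload). PRI encodes facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    header = {"facility": pri >> 3, "severity": pri & 7,
              "timestamp": m.group("ts"), "host": m.group("host")}
    return header, m.group("msg")


def parse_threat_payload(payload):
    """Map the CSV payload onto field names and decode the JSON array fields;
    csv honours the quoting, so commas inside processes/files are safe."""
    row = next(csv.reader(io.StringIO(payload)))
    if len(row) != len(THREAT_FIELDS):
        raise ValueError(f"expected {len(THREAT_FIELDS)} fields, got {len(row)}")
    rec = {k: v for k, v in zip(THREAT_FIELDS, row) if k != "FUTURE_USE"}
    for key in ARRAY_FIELDS:
        rec[key] = json.loads(rec[key]) if rec[key] else []
    return rec


def _at(array, idx):
    # A missing or negative index means there is no corresponding entry.
    try:
        i = int(idx)
    except (TypeError, ValueError):
        return None
    return array[i] if 0 <= i < len(array) else None


def resolve(rec):
    """Follow the *Idx fields into the arrays and collect the triage facts.
    Assumption: exeFileIdx inside a process object indexes filesArray."""
    src = _at(rec["processesArray"], rec["sourceProcessesIdx"])
    return {
        "traps_severity": TRAPS_SEVERITY.get(rec["trapsSeverity"].lower()),
        "source_process": src,
        "source_exe": _at(rec["filesArray"], src.get("exeFileIdx")) if src else None,
        "target_process": _at(rec["processesArray"], rec["targetProcessIdx"]),
        "file": _at(rec["filesArray"], rec["fileIdx"]),
        "prevented": rec["preventionMode"] == "blocked" or rec["terminate"] == "1",
        "quarantined": rec["quarantine"] == "1",
        "post_detected": rec["postDetected"] == "1",
    }
```

A field-count check like the one in parse_threat_payload is worth keeping in production: a FUTURE_USE slot being filled in a later release would otherwise shift every field after it without any parse error.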

Config Logs

Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, additionalData, userRole, loggedInUser
Email body format example:
recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product: 
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId: 
isEndpoint: 0
agentId: 
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc: 
messageData/msgTextEn: User username@paloaltonetworks.com has logged in with role superadmin
endPointHeader/userFullName: 
endPointHeader/username: 
endPointHeader/userRole: 
endPointHeader/userDomain: 
endPointHeader/agentTime: 
endPointHeader/tzOffset: 
endPointHeader/osType: 
endPointHeader/isVdi: 
endPointHeader/osVersion: 
endPointHeader/is64: 
endPointHeader/agentIp: 
endPointHeader/deviceName: 
endPointHeader/deviceDomain: 
endPointHeader/agentVersion: 
endPointHeader/contentVersion: 
endPointHeader/protectionStatus: 
messageData/userFullName: 
messageData/username: 
messageData/userRole: 
messageData/userDomain: 
messageData/messageName: 
messageData/messageId: 
messageData/processStatus: 
messageData/errorText: 
messageData/errorData: 
messageData/resultData: 
messageData/parameters: 
messageData/additionalData: {}
Field Name / Description
recordType
Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is config which includes logs related to Traps management service administration and configuration changes.
class
Class of Traps management service log. System logs have a value of system.
subClass
Subclass of event. Used to categorize logs in Traps management service user interface.
subClassId
Numeric representation of the subClass field for easy sorting and filtering.
eventType
Subtype of event.
eventCategory
Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config—deviceManagement, distributionManagement, reportManagement, securityEventManagement, systemManagement
  • policy—exceptionManagement, policyManagement, profileManagement, sam
  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log—agentFlow
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10—Americas (N. Virginia)
  • 70—EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0—No, host is not an endpoint.
  • 1—Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
severity
Syslog severity level associated with the event.
  • 2—Critical. Used for events that require immediate attention.
  • 3—Error. Used for events that require special handling.
  • 4—Warning. Used for events that sometimes require special handling.
  • 5—Notice. Used for normal but significant events that can require attention.
  • 6—Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
trapsSeverity
Severity level associated with the event defined for Traps management service. Each of these severities corresponds to a syslog severity level:
  • 0—Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.
  • 1—Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.
  • 2—Medium. Used for events that sometimes require special handling. Corresponds to the syslog 2 (Warning) severity level.
  • 3—High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.
  • 4—Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.
See also the severity log field.
messageCode
System-wide unique message code.
friendlyName
Descriptive log message name.
msgTextEn
Description of the event, in English.
userFullName
Full username of Traps management service user.
userName
Username associated with Traps management service user.
userRole
Role assigned to Traps management service user.
userDomain
Domain to which the user belongs.
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
osType
Operating system of the endpoint:
  • 1—Windows
  • 2—OS X/macOS
  • 3—Android
  • 4—Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0—The endpoint is not a VDI
  • 1—The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit version of Windows:
  • 0—The endpoint is not running x64 architecture
  • 1—The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0—Protected
  • 1—OsVersionIncompatible
  • 2—AgentIncompatible
userFullName
Full name of Traps management service user.
userName
Username associated with Traps management service user.
userRole
Role assigned to Traps management service user.
userDomain
Domain to which the user belongs.
messageName
Name of the message.
messageId
Unique numeric identifier of the message.
processStatus
State of the process related to the event.
errorText
If known, a description of the documented error.
errorData
Parameters related to an event error.
resultData
Parameters related to a successful event.
parameters
Parameters supplied in the log message.
additionalData (Array)
Additional information regarding event parameters.
loggedInUser
User that is logged in to the Traps management service.

Analytics Logs

Format: recordType, class, FUTURE_USE, eventType, category, generatedTime, serverTime, agentTime, tzoffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256, type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked, executionCount
Email body format example:
recordType: analytics
messageData/class: agent_data
messageData/subClass: 
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
serverTime: 2019-01-31T18:59:46.586Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
product: 
facility: TrapsAgent
customerId: 110044035
trapsId: 18520039498190352
serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz
serverComponentVersion: 2.0.9+564
regionId: 10
isEndpoint: 1
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.12.6
endPointHeader/is64: 1
endPointHeader/agentIp: 192.168.0.21
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/deviceDomain: 
severity: 
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
endPointHeader/protectionStatus: 0
messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256: 
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179
Field Name / Description
recordType
Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is analytics which includes hash execution reports from the agent.
class
Class of Traps management service log: config, policy, system, and agent_log.
eventType
Subtype of event.
eventCategory
Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config—deviceManagement, distributionManagement, securityEventManagement, systemManagement
  • policy—exceptionManagement, policyManagement, profileManagement, sam
  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log—agentFlow
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10—Americas (N. Virginia)
  • 70—EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0—No, host is not an endpoint.
  • 1—Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
osType
Operating system of the endpoint:
  • 1—Windows
  • 2—OS X/macOS
  • 3—Android
  • 4—Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0—The endpoint is not a VDI
  • 1—The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit version of Windows:
  • 0—The endpoint is not running x64 architecture
  • 1—The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
severity
Syslog severity level associated with the event.
  • 2—Critical. Used for events that require immediate attention.
  • 3—Error. Used for events that require special handling.
  • 4—Warning. Used for events that sometimes require special handling.
  • 5—Notice. Used for normal but significant events that can require attention.
  • 6—Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0—Protected
  • 1—OsVersionIncompatible
  • 2—AgentIncompatible
sha256
SHA256 hash of the file.
type
Type of file:
  • 0—Unknown
  • 1—PE
  • 2—Mach-o
  • 3—DLL
  • 4—Office file (containing a macro)
parentSha256
SHA256 hash of the parent file.
lastSeen
Coordinated Universal Time (UTC) equivalent of the time when the file last ran on an endpoint in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
fileName
File name, without the path or the file type extension.
filePath
Full path, aligned to the OS format.
fileSize
Size of the file in bytes.
localAnalysisResult
This object includes the content version, local analysis module version, verdict result, file signer, and trusted signer result. The trusted signer result is an integer value:
  • 0—Traps did not evaluate the signer of the file.
  • 1—The signer is trusted.
  • 2—The signer is not trusted.
reported
Reporting status of the file, in integer value:
  • 0—Traps did not report the security event.
  • 1—Traps reported the security event.
blocked
Blocking status of the file, in integer value:
  • 0—Traps did not block the process or file.
  • 1—Traps blocked the process or file.
executionCount
The total number of times a file identified by a specific hash was executed.
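The email body form of an analytics log is a different parsing problem from the syslog CSV: one "key: value" line per field, the endPointHeader/ and messageData/ prefixes in front of the names used in the field table, and the same CSV-style quoting inside localAnalysisResult. The parser below is an added example, not vendor code; it uses the page's own analytics sample (abbreviated), assumes a long value wrapped onto an indented continuation line belongs to the preceding field, and turns the trusted signer code into the text the localAnalysisResult description gives.

```python
"""Parse a Traps analytics log delivered as an email body (one "key: value" per
line, prefixed with endPointHeader/ or messageData/) and summarise the local
analysis verdict. Added example; the record is the page's own sample, and a
value wrapped onto an indented continuation line is assumed to be one value."""
import json

# Trusted signer result codes from the localAnalysisResult description above.
TRUSTED_SIGNER = {0: "not evaluated", 1: "trusted", 2: "not trusted"}

# Constructed from the page's analytics sample (abbreviated); the tab-indented
# line shows a long value wrapped by the mail client onto a second line.
EMAIL_BODY = """\
recordType: analytics
messageData/class: agent_data
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
facility: TrapsAgent
customerId: 110044035
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256:
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",
\t""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179
"""


def csv_unquote(value):
    # Object/array fields keep CSV-style quoting even in the email body:
    # outer double quotes, with every inner double quote doubled.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('""', '"')
    return value


def parse_email_body(body):
    """Return {leaf field name: value}; endPointHeader/osType becomes osType."""
    rec, last = {}, None
    for raw in body.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and last is not None:  # wrapped value continues here
            rec[last] += raw.strip()
            continue
        key, _, value = raw.partition(":")  # keys never contain a colon
        last = key.strip().split("/")[-1]
        rec[last] = value.strip()
    return rec


def summarize(rec):
    """Decode localAnalysisResult and decide whether the hash deserves review."""
    lar = json.loads(csv_unquote(rec["localAnalysisResult"]))
    trusted_id = int(lar.get("trustedId", 0))
    verdict = lar.get("result", "Unknown")
    return {
        "sha256": rec["sha256"],
        "path": rec["filePath"] + rec["fileName"],
        "file_type": rec["type"],
        "verdict": verdict,
        "signer": TRUSTED_SIGNER.get(trusted_id, f"unknown code {trusted_id}"),
        "publishers": lar.get("publishers", []),
        "executions": int(rec["executionCount"] or 0),
        "blocked": rec["blocked"] == "1",
        "reported": rec["reported"] == "1",
        # Review rule used by this example: anything not Benign, or anything
        # whose signer was evaluated and found untrusted, goes to the queue.
        "needs_review": verdict != "Benign" or trusted_id == 2,
    }
```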

System Logs

Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, additionalData, userRole, loggedInUser
Email body format example:
recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product: 
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId: 
isEndpoint: 0
agentId: 
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc: 
messageData/msgTextEn: User username@paloaltonetworks.com has logged in with role superadmin
endPointHeader/userFullName: 
endPointHeader/username: 
endPointHeader/userRole: 
endPointHeader/userDomain: 
endPointHeader/agentTime: 
endPointHeader/tzOffset: 
endPointHeader/osType: 
endPointHeader/isVdi: 
endPointHeader/osVersion: 
endPointHeader/is64: 
endPointHeader/agentIp: 
endPointHeader/deviceName: 
endPointHeader/deviceDomain: 
endPointHeader/agentVersion: 
endPointHeader/contentVersion: 
endPointHeader/protectionStatus: 
messageData/userFullName: 
messageData/username: 
messageData/userRole: 
messageData/userDomain: 
messageData/messageName: 
messageData/messageId: 
messageData/processStatus: 
messageData/errorText: 
messageData/errorData: 
messageData/resultData: 
messageData/parameters: 
messageData/additionalData: {}
Field Name / Description
recordType
Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is system which includes logs related to automated system management and agent reporting events.
class
Class of Traps management service log. System logs have a value of system.
subClass
Subclass of event. Used to categorize logs in Traps management service user interface.
subClassId
Numeric representation of the subClass field for easy sorting and filtering.
eventType
Subtype of event.
eventCategory
Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config—deviceManagement, distributionManagement, securityEventManagement, systemManagement
  • policy—exceptionManagement, policyManagement, profileManagement, sam
  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log—agentFlow
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10—Americas (N. Virginia)
  • 70—EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0—No, host is not an endpoint.
  • 1—Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
severity
Syslog severity level associated with the event.
  • 2—Critical. Used for events that require immediate attention.
  • 3—Error. Used for events that require special handling.
  • 4—Warning. Used for events that sometimes require special handling.
  • 5—Notice. Used for normal but significant events that can require attention.
  • 6—Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
trapsSeverity
Severity level associated with the event defined for Traps management service. Each of these severities corresponds to a syslog severity level:
  • 0—Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.
  • 1—Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.
  • 2—Medium. Used for events that sometimes require special handling. Corresponds to the syslog 2 (Warning) severity level.
  • 3—High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.
  • 4—Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.
See also the severity log field.
messageCode
System-wide unique message code.
friendlyName
Descriptive log message name.
msgTextEn
Description of the event, in English.
userFullName
Full username of Traps management service user.
userName
Username associated with Traps management service user.
userRole
Role assigned to Traps management service user.
userDomain
Domain to which the user belongs.
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
osType
Operating system of the endpoint:
  • 1—Windows
  • 2—OS X/macOS
  • 3—Android
  • 4—Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0—The endpoint is not a VDI
  • 1—The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit version of Windows:
  • 0—The endpoint is not running x64 architecture
  • 1—The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0—Protected
  • 1—OsVersionIncompatible
  • 2—AgentIncompatible
userFullName
Full name of Traps management service user.
userName
Username associated with Traps management service user.
userRole
Role assigned to Traps management service user.
userDomain
Domain to which the user belongs.
messageName
Name of the message.
messageId
Unique numeric identifier of the message.
processStatus
State of the process related to the event.
errorText
If known, a description of the documented error.
errorData
Parameters related to an event error.
resultData
Parameters related to a successful event.
parameters
Parameters supplied in the log message.
additionalData (Array)
Additional information regarding event parameters.
loggedInUser
User that is logged in to the Traps management service.

Analytics Logs

Format: recordType, class, FUTURE_USE, eventType, category, generatedTime, serverTime, agentTime, tzoffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256, type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked, executionCount
Email body format example:
recordType: analytics
messageData/class: agent_data
messageData/subClass: 
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
serverTime: 2019-01-31T18:59:46.586Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
product: 
facility: TrapsAgent
customerId: 110044035
trapsId: 18520039498190352
serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz
serverComponentVersion: 2.0.9+564
regionId: 10
isEndpoint: 1
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.12.6
endPointHeader/is64: 1
endPointHeader/agentIp: 192.168.0.21
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/deviceDomain: 
severity: 
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
endPointHeader/protectionStatus: 0
messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256: 
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179
Field Name / Description
recordType
Record type associated with the event and that you can use when managing logging quotas:
  • config—Traps management service administration and configuration changes.
  • system—Automated system management and agent reporting events.
  • analytics—Hourly hash execution report from the agent.
  • threats—Security events that occur on the endpoints.
class
Class of Traps management service log: config, policy, system, and agent_log.
eventType
Subtype of event.
eventCategory
Category of event, used internally for processing the flow of logs. Event categories vary by class:
  • config—deviceManagement, distributionManagement, securityEventManagement, systemManagement
  • policy—exceptionManagement, policyManagement, profileManagement, sam
  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing
  • agent_log—agentFlow
generatedTime
Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Traps management service in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
serverTime
Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
agentTime
Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.
tzOffset
Effective endpoint time zone offset from UTC, in minutes.
facility
The Traps system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.
customerId
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
trapsId
Tenant external ID.
serverHost
Hostname of Traps management service.
serverComponentVersion
Software version of Traps management service.
regionId
ID of Traps management service region:
  • 10—Americas (N. Virginia)
  • 70—EMEA (Frankfurt)
isEndpoint
Indicates whether the event occurred on an endpoint.
  • 0—No, host is not an endpoint.
  • 1—Yes, host is an endpoint.
agentId
Unique identifier for the Traps agent.
osType
Operating system of the endpoint:
  • 1—Windows
  • 2—OS X/macOS
  • 3—Android
  • 4—Linux
isVdi
Indicates whether the endpoint is a virtual desktop infrastructure (VDI):
  • 0—The endpoint is not a VDI
  • 1—The endpoint is a VDI
osVersion
Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
is64
Indicates whether the endpoint is running a 64-bit version of Windows:
  • 0—The endpoint is not running x64 architecture
  • 1—The endpoint is running x64 architecture
agentIp
IP address of the endpoint.
deviceName
Hostname of the endpoint on which the event was logged.
deviceDomain
Domain to which the endpoint belongs.
severity
Syslog severity level associated with the event.
  • 2—Critical. Used for events that require immediate attention.
  • 3—Error. Used for events that require special handling.
  • 4—Warning. Used for events that sometimes require special handling.
  • 5—Notice. Used for normal but significant events that can require attention.
  • 6—Informational. Informational events that do not require attention.
Each event also has an associated Traps severity. See the messageData.trapsSeverity field for details.
agentVersion
Version of the Traps agent.
contentVersion
Content version in the local security policy.
protectionStatus
Traps agent protection status:
  • 0—Protected
  • 1—OsVersionIncompatible
  • 2—AgentIncompatible
sha256
SHA-256 hash of the file.
type
Type of file:
  • 0—Unknown
  • 1—PE
  • 2—Mach-o
  • 3—DLL
  • 4—Office file (containing a macro)
parentSha256
SHA-256 hash of the parent file.
lastSeen
Coordinated Universal Time (UTC) equivalent of the time when the file last ran on an endpoint in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
fileName
File name, without the path or the file type extension.
filePath
Full path, aligned to the OS format.
fileSize
Size of the file in bytes.
localAnalysisResult
This object includes the content version, local analysis module version, verdict result, file signer, and trusted signer result. The trusted signer result is an integer value:
  • 0—Traps did not evaluate the signer of the file.
  • 1—The signer is trusted.
  • 2—The signer is not trusted.
reported
Reporting status of the file, in integer value:
  • 0—Traps did not report the security event.
  • 1—Traps reported the security event.
blocked
Blocking status of the file, in integer value:
  • 0—Traps did not block the process or file.
  • 1—Traps blocked the process or file.
executionCount
The total number of times a file identified by a specific hash was executed.
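As an added example (not code from the Traps or Cortex Data Lake documentation), the following Python parser consumes one analytics record in the RFC 5424 syslog form with the comma-separated payload described above, checks the field count and the sha256 value, maps the numeric codes using the tables above, and decodes the CSV-quoted localAnalysisResult JSON. The syslog header values (PRI 134, app-name CortexDataLake, nil structured data) and the use of integer file-type code 2 are assumptions; the payload values are those of the email body example.

```python
import csv, io, json, re

# Field order of the analytics record, copied from the Format line above (40 fields).
FIELDS = ("recordType,class,FUTURE_USE,eventType,category,generatedTime,serverTime,"
          "agentTime,tzoffset,FUTURE_USE,facility,customerId,trapsId,serverHost,"
          "serverComponentVersion,regionId,isEndpoint,agentId,osType,isVdi,osVersion,"
          "is64,agentIp,deviceName,deviceDomain,severity,agentVersion,contentVersion,"
          "protectionStatus,sha256,type,parentSha256,lastSeen,fileName,filePath,fileSize,"
          "localAnalysisResult,reported,blocked,executionCount").split(",")
# Code tables taken from the field descriptions above.
OS_TYPE = {"1": "Windows", "2": "OS X/macOS", "3": "Android", "4": "Linux"}
FILE_TYPE = {"0": "Unknown", "1": "PE", "2": "Mach-o", "3": "DLL", "4": "Office file (containing a macro)"}
TRUSTED = {0: "not evaluated", 1: "trusted", 2: "not trusted"}
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG; only nil SD ("-") is handled.
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) - (.*)$", re.S)

def parse_analytics_syslog(line):
    """Parse one forwarded analytics log line into a dict of named, decoded fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message with nil structured data")
    values = next(csv.reader(io.StringIO(m.group(7))))  # CSV payload; quoted fields are undoubled
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = {k: v for k, v in zip(FIELDS, values) if k != "FUTURE_USE"}
    rec["syslogSeverity"] = int(m.group(1)) & 7          # PRI = facility * 8 + severity
    if not re.fullmatch(r"[0-9a-f]{64}", rec["sha256"]):
        raise ValueError("sha256 is not 64 hex characters")
    for k in ("tzoffset", "fileSize", "reported", "blocked", "executionCount"):
        rec[k] = int(rec[k])
    rec["osTypeName"] = OS_TYPE.get(rec["osType"], "unknown")
    rec["fileTypeName"] = FILE_TYPE.get(rec["type"], rec["type"])  # email example shows 'macho' instead
    lar = json.loads(rec["localAnalysisResult"])         # CSV-quoted JSON object
    rec["localAnalysisResult"] = lar
    rec["trustedSigner"] = TRUSTED.get(lar.get("trustedId"), "unknown")
    return rec

# Constructed sample: the email example above re-serialised as a syslog/CSV line (header is assumed).
SAMPLE_LINE = (
    "<134>1 2019-01-31T18:59:46.586Z coreop-f-proda-mnmauto03930348053-311.proda.brz CortexDataLake - - - "
    "analytics,agent_data,,AgentTimelineEvent,hash,2019-01-31T18:00:43Z,2019-01-31T18:59:46.586Z,"
    "2019-01-31T18:00:43Z,-480,,TrapsAgent,110044035,18520039498190352,"
    "coreop-f-proda-mnmauto03930348053-311.proda.brz,2.0.9+564,10,1,3bcf7e5ff56e2891c78684a38b728e49,"
    "2,0,10.12.6,1,192.168.0.21,Jeffreys-MacBook-Pro.local,,,5.0.5.1193,42-6337,0,"
    "87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26,2,,2019-01-31T18:00:43Z,"
    "crashpad_handler,/users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/"
    'contents/macos/,353680,"{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",'
    '""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}",'
    "0,0,4179"
)
```

Calling `parse_analytics_syslog(SAMPLE_LINE)` yields a dict whose `sha256`, `fileTypeName` and `trustedSigner` keys are what a SOC pipeline would forward for enrichment; a short or malformed record raises ValueError instead of silently mis-aligning fields.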
