Axon Log Parsing Guide

The following guide describes how fields are commonly parsed into the Axon schema as part of message processing. It is intended to aid an Axon analyst or content creator by showing commonly used fields and common event assignments, with examples, for the purposes of investigation, message processing policy creation, and analytics rule creation. It is important that different technologies consistently extract logs to common fields, so that threat detection is consistent regardless of the log source.

Standardization by Field Type

General Fields

General fields are applicable to nearly all log sources. The following pieces of information are key in general fields:

  1. Log Gen Time / vendor_information.log_generation_time - Most logs include a reference to the time when the log was generated. This should be mapped to the log_gen_time field for all logs in the Policy Builder. If this field is not populated, Axon uses the processing time. If the time zone is not specified in the time format, Axon assumes GMT.

  2. Standard Time / general_information.standard_message_time - This field is derived from log_gen_time. If log_gen_time is not populated, Axon uses general_information.processing_start_time.

  3. Log Type / vendor_information.log_type - The vendor's top-level category for the log (for example, the Windows event channel or the Fortigate log type).

| S.No. | Example Technology | Examples - Vendor Fields in Raw Log | Schema Field | Axon Display Name | Data Samples |
|---|---|---|---|---|---|
| 1 | Windows | TimeCreated | vendor_information.log_generation_time | Log Gen Time | 1/22/2021 13:45 UTC |
| 1 | AWS | eventTime | vendor_information.log_generation_time | Log Gen Time | 2018-08-02T17:07:00.094207600Z (UTC Time) |
| 1 | Azure | time | vendor_information.log_generation_time | Log Gen Time | 2024-01-27T19:27:04Z |
| 1 | Fortigate Firewall | FTNTFGTeventtime | vendor_information.log_generation_time | Log Gen Time | 12/1/2020 17:01 |
| 1 | Palo Alto NGFW | Timestamp | vendor_information.log_generation_time | Log Gen Time | 1683889190121 (EPOCH Time) |
| 2 | Windows | Channel | vendor_information.log_type | Vendor Log Type | Security / Application / System / Powershell etc. |
| 2 | AWS | eventCategory | vendor_information.log_type | Vendor Log Type | Management / Insight |
| 2 | Azure | category | vendor_information.log_type | Vendor Log Type | ApplicationManagement / Administrative / Policy |
| 2 | Fortigate Firewall | type | vendor_information.log_type | Vendor Log Type | Threat / Traffic etc. |
| 2 | Palo Alto NGFW | Type (type) | vendor_information.log_type | Vendor Log Type | Authentication / Config etc. |
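The time rules above (log_gen_time taken from the vendor, GMT assumed when no zone is given, processing time used as the fallback for standard_message_time) are easy to get subtly wrong across vendors that emit epoch milliseconds, ISO 8601 with nanoseconds, and US-style dates. The following Python is an added example, not Axon's own code or Policy Builder logic: it runs the Data Samples from the table above through one normalizer that applies those rules. The function names and PROCESSING_START_TIME are assumptions made for this example.

```python
"""Derive log_generation_time / standard_message_time from vendor timestamps.

Added example, not Axon's own code. It applies the rules from the General Fields
section to the Data Samples in the table: a vendor time with no zone is read as GMT,
and an absent or unparseable vendor time falls back to the processing time.
The function names and PROCESSING_START_TIME are assumptions for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed processing time, standing in for general_information.processing_start_time.
PROCESSING_START_TIME = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

# Vendor samples from the General Fields table (technology -> raw value).
TABLE_SAMPLES = {
    "Windows": "1/22/2021 13:45 UTC",
    "AWS": "2018-08-02T17:07:00.094207600Z (UTC Time)",
    "Azure": "2024-01-27T19:27:04Z",
    "Fortigate Firewall": "12/1/2020 17:01",
    "Palo Alto NGFW": "1683889190121 (EPOCH Time)",
}

# strptime layouts tried in order once zone markers have been stripped.
_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S", "%m/%d/%Y %H:%M")


def parse_vendor_time(raw):
    """Return an aware UTC datetime for a vendor timestamp, or None if unparseable."""
    value = re.sub(r"\s*\(.*?\)\s*$", "", (raw or "").strip())  # drop "(UTC Time)" style notes
    if not value:
        return None

    if value.isdigit():                       # epoch seconds or milliseconds
        n = int(value)
        if n > 10**11:                        # 13-digit values are milliseconds
            return datetime.fromtimestamp(n // 1000, tz=timezone.utc) + timedelta(milliseconds=n % 1000)
        return datetime.fromtimestamp(n, tz=timezone.utc)

    # Explicit zone markers used by the samples: a trailing 'Z' or a 'UTC'/'GMT' suffix.
    zone = None
    if value.endswith("Z"):
        zone, value = timezone.utc, value[:-1]
    else:
        m = re.search(r"\s+(UTC|GMT)$", value)
        if m:
            zone, value = timezone.utc, value[:m.start()]

    value = re.sub(r"(\.\d{6})\d+$", r"\1", value)   # strptime's %f accepts at most 6 digits

    for fmt in _FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        # No zone in the raw value: the guide says Axon assumes GMT, so tag it as UTC.
        return parsed.replace(tzinfo=zone or timezone.utc)
    return None


def standard_message_time(raw, processing_start_time=PROCESSING_START_TIME):
    """Return (timestamp, source): the vendor log_gen_time, else the processing time."""
    parsed = parse_vendor_time(raw)
    if parsed is None:
        return processing_start_time, "processing_start_time"
    return parsed, "log_generation_time"


def normalize_table_samples():
    """Normalize every table sample; returns {technology: (iso8601, source)}."""
    result = {}
    for tech, raw in TABLE_SAMPLES.items():
        ts, src = standard_message_time(raw)
        result[tech] = (ts.isoformat(), src)
    return result


if __name__ == "__main__":
    for tech, (iso, src) in normalize_table_samples().items():
        print(f"{tech:20} {iso}  ({src})")
```

The Palo Alto epoch value is split into whole seconds and a millisecond remainder rather than divided as a float, so no precision is lost; explicit offsets such as "+05:30" are not covered here and would need a `%z` layout added to `_FORMATS`.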

Origin, Target, Observer Fields

These fields are top-level groups that have common host and identity fields under them. They are populated based on the context of the activity in the log.

| Top Level Fields | Description |
|---|---|
| Origin | This container of fields corresponds to data referencing the originator, or source, as described in a signal message. For example, the source host in a network traffic log message, or the user account modifying AD group membership. |
| Target | This container of fields corresponds to data referencing the target, or destination, as described in a signal message. For example, the destination host in a network traffic log, or the user account that is added to an AD group. |
| Observer | This container of fields corresponds to data referencing an observer as described in the signal message. An observer is an actor that is neither the origin nor the target of the described action: a host or account witnessing, or observing, the transaction, and potentially the host or account executing the action described in the log message. An example of an observer is a firewall observing a network transaction and taking the action of allowing or denying the traffic based on configured rule logic. |

Account Fields

| Axon Display Name | Schema Field | Description | Data Samples |
|---|---|---|---|
| Origin Account Name | origin.account.name | The account name as documented within the signal message. This could be a named user account, a computer account, or another account. | admin |
| Origin Account ID | origin.account.id | A unique ID associated with an account. This is separate from the account name and other attributes and should not be confused with them. | S-1-5-21-3457937927-2839227994-823803824-1104 |
| Origin Account UPN | origin.account.user_principal_name | The account's User Principal Name. This is commonly seen in Microsoft Active Directory, both in local (on-premises) and Azure environments. UPNs are formatted like email addresses but should not be confused with them. | john.doe@logrhythm.com |
| Origin Account DN | origin.account.distinguished_name | The Distinguished Name (DN) of the account. A DN is a structured descriptor for a specific directory object; the DN concept is defined in RFC 2253. | CN=john.doe,OU=Users,DC=logrhythm,DC=com |
| Origin Account Domain | origin.account.domain | The domain associated with the identified account. | LOGRHYTHM |
| Origin Account Display Name | origin.account.display_name | The human-readable display name of the account, as opposed to the logon name of a user, computer, or other account. | John Doe |

Host Fields

| Axon Display Name | Schema Field | Description | Data Samples |
|---|---|---|---|
| Origin Host Name | origin.host.name | The name of the host as described within the signal message. This is not to be confused with the name of the identity. | workstation1 |
| Origin Host ID | origin.host.id | A unique identifier for a host as described within the signal message. This is not to be confused with identity information. | 20456b14-3d9a-446a-8f22-83887c809eff |
| Origin Host IP | origin.host.ip_address.value | An IP address, in IPv4 or IPv6 format. | 10.1.1.2 |
| Origin Host MAC | origin.host.mac_address | The MAC address associated with the host as described within the signal message. This value is normalized to a standard format by the signal processing engine. This field is not applicable to the Observer context. | 02:1A:C5:14:59:C9 |
| Origin Host Serial | origin.host.serial_number | Any serial number associated with the host as described within the signal message. | 123456Fg234a |
| Origin Host DN | origin.host.distinguished_name | The Distinguished Name (DN) of the host. A DN is a structured descriptor for a specific directory object; the DN concept is defined in RFC 2253. | CN=workstation1,OU=computers,DC=logrhythm,DC=com |
| Origin Host Domain | origin.host.domain | The domain name of the identified host. | LOGRHYTHM |
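Two of the rows above make normalization promises that a content creator should be able to check: the MAC address is "normalized to a standard format", and ip_address.value may hold either IPv4 or IPv6. The following Python is an added example, not Axon's signal processing engine: it brings common MAC spellings to the colon-separated upper-case form shown in the table, canonicalizes IPv4/IPv6 text with the standard library, and builds the dotted host fields for one context, leaving MAC out of the Observer context as the table requires. The function names and sample values are assumptions for this example.

```python
"""Normalize host identifiers before writing them to origin/target/observer host fields.

Added example, not Axon's own code. Implements the normalization the Host Fields
table describes (MAC to a standard format; IPv4 or IPv6 in ip_address.value) and
the rule that mac_address is not populated for the Observer context. Function names
and sample values are assumptions for this example.
"""
import ipaddress
import re


def normalize_mac(raw):
    """Return a MAC as 02:1A:C5:14:59:C9, or None if the input is not a 48-bit address.

    Accepts 02-1a-c5-14-59-c9, 021a.c514.59c9, 021ac51459c9 and the colon form.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    if len(hexdigits) != 12:
        return None
    hexdigits = hexdigits.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def normalize_ip(raw):
    """Return (canonical address text, version) or (None, None) if not an IP address."""
    try:
        addr = ipaddress.ip_address((raw or "").strip())
    except ValueError:
        return None, None
    # An IPv4-mapped IPv6 address (::ffff:10.1.1.2) is reported in its IPv4 form,
    # so the same host is not split across two spellings in searches.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr), addr.version


def host_fields(context, name=None, ip=None, mac=None):
    """Build {schema field: value} for one context: 'origin', 'target' or 'observer'."""
    if context not in ("origin", "target", "observer"):
        raise ValueError(f"unknown context: {context}")
    fields = {}
    if name:
        fields[f"{context}.host.name"] = name.strip()
    ip_value, _ = normalize_ip(ip)
    if ip_value:
        fields[f"{context}.host.ip_address.value"] = ip_value
    if context != "observer":          # mac_address is not applicable to the Observer context
        mac_value = normalize_mac(mac)
        if mac_value:
            fields[f"{context}.host.mac_address"] = mac_value
    return fields


if __name__ == "__main__":
    # Constructed inputs in the spellings different agents and devices commonly emit.
    print(host_fields("origin", name="workstation1", ip="::ffff:10.1.1.2", mac="02-1a-c5-14-59-c9"))
    print(host_fields("observer", name="fw1", ip="2001:db8:0:0:0:0:0:1", mac="02:1a:c5:14:59:c9"))
```

Note that `normalize_mac` accepts any 12 hex digits, so a value that merely looks like a MAC (a short hash, for instance) would pass; if the vendor field can carry other identifiers, validate the source field name as well as the shape.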

Common Windows Fields

These fields are applicable to nearly all Windows Event logs.

| Axon Display Name | Schema Field | Technology Field | Technology Description | Example Data | Mandatory/Optional Fields |
|---|---|---|---|---|---|
| Vendor Log Subtype | vendor_information.log_subtype | ProviderName | The provider's name, which uniquely identifies the log source of a particular provider. | Microsoft-Windows-Security-Auditing / Microsoft-Windows-PerfNet / Microsoft-Windows-WinRM | Mandatory |
| Log Gen Time | vendor_information.log_generation_time | TimeCreated | The time when the event was logged. | SystemTime='2018-08-01T08:25:23.000000000Z' | Mandatory |
| Vendor Severity | vendor_information.severity | Level | The severity level defined in the event, such as Error, Warning, Information, etc. | Error / Information / Critical / Warning | Mandatory |
| Vendor Message ID | vendor_information.id | EventID | The unique identifier number that specifies the event that occurred. | Any integer, such as 4624, 4625, etc. | Mandatory |
| Vendor Log Type | vendor_information.log_type | Channel | The channel to which the event was logged. | Security / Application / System / Powershell | Mandatory |
| Observer Host Name | observer.host.name | Computer | The name of the computer on which the event occurred. | DC01.logrhythm.com, abc.localworkstation1.logrhythm.com | Mandatory |
| Target Host Name | target.host.name | | Host name of the machine on which an activity was performed, such as a successful logon, user creation, etc. | | Mandatory |
| Vendor Description | vendor_information.description | Task | The task category defined in the event. | None / Info / Kerberos Service Ticket Operations / 0 | Mandatory |
| Result Message | action.result.message | Keywords | The outcome of the activity. | Audit Success / Audit Failure / Classic / 0x80000000000000 | Mandatory |
| Origin Host IP | origin.host.ip_address.value | IpAddress | IP address of the machine from which an activity was performed, such as a logon, access attempt, etc. | 10.1.1.1 | Optional |
| Origin Host IP Port | origin.host.network_port.value | IpPort | Source port of the machine from which an activity was performed, such as a logon, access attempt, etc. | 80 | Optional |
| Target Host IP | target.host.ip_address.value | DestAddress | IP address on which the connection was received. | 10.1.1.2 | Optional |
| Target Host IP Port | target.host.network_port.value | DestPort | Port on which the connection was received. | 443 | Optional |
| Result Code | action.result.code | Status | Result code for the activity that occurred. | 0x0 / 0x10 | Optional |
| Action Session Type | action.session.type | LogonType | The type of logon that was performed. | 2 | Optional |
| Origin Account ID | origin.account.id | SubjectUserSid | SID of the user who performed the activity. | S-1-5-21-3457937927-2839227994-823803824-1104 | Optional |
| Origin Account Name | origin.account.name | SubjectUserName | Account name of the user who performed the activity. | user1 | Optional |
| Origin Account Domain | origin.account.domain | SubjectDomainName | Domain name of the user who performed the activity. | LOGRHYTHM | Optional |
| Action Session ID | action.session.id | SubjectLogonId | The user's logon session ID, in hexadecimal format. | 0x55cd1d | Optional |
| Target Account Name | target.account.name | TargetUserName | Impacted user name. | user2 | Optional |
| Target Account Domain | target.account.domain | TargetDomainName | Domain name of the impacted user. | LOGRHYTHM | Optional |
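The table above is, in effect, a field map: each Windows technology field lands in one schema field, and a handful of them are mandatory. The following Python is an added example, not Axon's own parser or Policy Builder output. It walks a constructed 4624 logon event in the Windows event-XML layout, applies the map transcribed from the table, and reports which mandatory schema fields are absent; it also shows the Origin/Target/Observer split from the earlier section in practice, with Subject* fields landing in origin, Target* fields in target, and Computer in observer. The sample event and the helper names are assumptions for this example.

```python
"""Map a Windows Security event into Axon schema fields per the Common Windows Fields table.

Added example, not Axon's own parser or Policy Builder output. WINDOWS_FIELD_MAP is
transcribed from the table (technology field -> schema field, mandatory flag);
SAMPLE_EVENT_XML is a constructed 4624 logon event in the Windows event-XML layout,
not a capture from a real host.
"""
import json
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample event (not from a real host).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Level>0</Level>
    <Task>12544</Task>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-08-01T08:25:23.000000000Z"/>
    <Channel>Security</Channel>
    <Computer>DC01.logrhythm.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">LOGRHYTHM</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserName">user2</Data>
    <Data Name="TargetDomainName">LOGRHYTHM</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.1.1.1</Data>
    <Data Name="IpPort">49211</Data>
  </EventData>
</Event>"""

# Technology field -> (schema field, mandatory?) as listed in the table.
WINDOWS_FIELD_MAP = {
    "ProviderName": ("vendor_information.log_subtype", True),
    "TimeCreated": ("vendor_information.log_generation_time", True),
    "Level": ("vendor_information.severity", True),
    "EventID": ("vendor_information.id", True),
    "Channel": ("vendor_information.log_type", True),
    "Computer": ("observer.host.name", True),
    "Task": ("vendor_information.description", True),
    "Keywords": ("action.result.message", True),
    "IpAddress": ("origin.host.ip_address.value", False),
    "IpPort": ("origin.host.network_port.value", False),
    "DestAddress": ("target.host.ip_address.value", False),
    "DestPort": ("target.host.network_port.value", False),
    "Status": ("action.result.code", False),
    "LogonType": ("action.session.type", False),
    "SubjectUserSid": ("origin.account.id", False),
    "SubjectUserName": ("origin.account.name", False),
    "SubjectDomainName": ("origin.account.domain", False),
    "SubjectLogonId": ("action.session.id", False),
    "TargetUserName": ("target.account.name", False),
    "TargetDomainName": ("target.account.domain", False),
}


def extract_vendor_fields(xml_text):
    """Flatten <System> and <EventData> into {technology field: value}."""
    root = ET.fromstring(xml_text)
    vendor = {}
    for child in root.find("e:System", NS):
        tag = child.tag.split("}", 1)[1]            # strip the namespace prefix
        if tag == "Provider":
            vendor["ProviderName"] = child.get("Name")
        elif tag == "TimeCreated":
            vendor["TimeCreated"] = child.get("SystemTime")
        else:
            vendor[tag] = (child.text or "").strip()
    for data in root.findall("e:EventData/e:Data", NS):
        vendor[data.get("Name")] = (data.text or "").strip()
    return vendor


def to_axon_fields(xml_text):
    """Return (schema fields dict, list of mandatory schema fields that are missing)."""
    vendor = extract_vendor_fields(xml_text)
    fields, missing = {}, []
    for tech_field, (schema_field, mandatory) in WINDOWS_FIELD_MAP.items():
        value = vendor.get(tech_field)
        if value not in (None, "", "-"):            # Windows writes '-' for 'not set'
            fields[schema_field] = value
        elif mandatory:
            missing.append(schema_field)
    return fields, missing


if __name__ == "__main__":
    fields, missing = to_axon_fields(SAMPLE_EVENT_XML)
    print(json.dumps(fields, indent=2))
    print("missing mandatory fields:", missing)
```

The mandatory check is the part worth keeping in a real policy: an event that arrives without Computer or TimeCreated is still a valid event, but rules keyed on observer.host.name or on time windows will silently miss it unless the gap is surfaced.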

Common Endpoint Protection Logs

These fields apply to nearly all Endpoint protection products. Common Event assignment for Endpoint Protection generally falls in the Threat Detection group of Common Events.

| Axon Display Name | Schema Field | Technology | Technology Field | Technology Description | Data Samples |
|---|---|---|---|---|---|
| Vendor Log Type | vendor_information.log_type | Carbon Black Cloud | type | Type of alert: CB_ANALYTICS, DEVICE_CONTROL, WATCHLIST, etc. | WATCHLIST |
| Vendor Log Type | vendor_information.log_type | Crowdstrike Events | metadata.eventType | Name of the event. | DetectionSummaryEvent |
| Vendor Log Type | vendor_information.log_type | SentinelOne CEF | cat | Name of the category in the log. | EndpointDeviceControlEvent |
| Vendor Log Type | vendor_information.log_type | Sophos Central | type | Describes the type of device on which the alert was generated. | Event::Endpoint::CoreRemoteDetection, Event::Endpoint::WebControlViolation |
| Vendor Log Type | vendor_information.log_type | Microsoft Windows Defender | Channel | The channel to which the event was logged. In Progress | Microsoft-Windows-Windows Defender/Operational |
| Vendor Log Type | vendor_information.log_type | Microsoft Defender Advanced Hunting | category | Determines the log category. | AdvancedHunting-CloudAppEvents, AdvancedHunting-DeviceFileEvents, AdvancedHunting-EmailAttachmentInfo |
| Vendor Log Subtype | vendor_information.log_subtype | Carbon Black Cloud | category | The category of the alert: THREAT, MONITORED, etc. | THREAT |
| Vendor Log Subtype | vendor_information.log_subtype | Crowdstrike Events | event.OperationName | Event operation name. | detection_update, activateUser, create_policy, twoFactorAuthenticate |
| Vendor Log Subtype | vendor_information.log_subtype | SentinelOne CEF | No vendor field is present | No vendor field is present in the log. | N/A |
| Vendor Log Subtype | vendor_information.log_subtype | Sophos Central | No vendor field is present | No vendor field is present in the log. | N/A |
| Vendor Log Subtype | vendor_information.log_subtype | Microsoft Windows Defender | Provider Name | The provider's name, which uniquely identifies the log of a particular provider. | Microsoft-Windows-Windows Defender |
| Vendor Log Subtype | vendor_information.log_subtype | Microsoft Defender Advanced Hunting | No vendor field is present | No vendor field is present in the log. | N/A |
| Threat Severity | threat.severity | Carbon Black Cloud | severity | The threat ranking of the alert, from 1-10. | 8 |
| Threat Severity | threat.severity | Crowdstrike Events | event.Severity | (N/A), 1 (Informational), 2 (Low), 3 (Medium), 4 (High), 5 (Critical) | 2 |
| Threat Severity | threat.severity | SentinelOne CEF | threatConfidenceLevel | Threat confidence level. | malicious |
| Threat Severity | threat.severity | Sophos Central | severity | The severity for this alert. | LOW, MEDIUM, HIGH |
| Threat Severity | threat.severity | Microsoft Windows Defender | Severity | Determines the severity of the threat event. | Low, Moderate, High, or Severe |
| Threat Severity | threat.severity | Microsoft Defender Advanced Hunting | properties.severity, properties.VulnerabilitySeverityLevel | properties.severity indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert. properties.VulnerabilitySeverityLevel is the severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape. | Medium |
| Threat Category | threat.category | Carbon Black Cloud | blocked_threat_category | The category of threat on which action could be taken. | UNKNOWN |
| Threat Category | threat.category | Crowdstrike Events | event.IncidentType | Gives information about the type of incident. Possible values and their meanings: 1 = Normal incident from the CrowdScore engine; 2 = Overwatch incident. | DOMAIN_COMPROMISE, 1 |
| Threat Category | threat.category | SentinelOne CEF | threatClassifier | Classifier of the threat. In Progress | LOGIC |
| Threat Category | threat.category | Sophos Central | No vendor field is present | No vendor field is present in the log. | N/A |
| Threat Category | threat.category | Microsoft Windows Defender | Category | Determines the category of the threat event. | Virus |
| Threat Category | threat.category | Microsoft Defender Advanced Hunting | properties.ThreatFamily, properties.Category/properties.Categories, properties.AdditionalFields.category, properties.ThreatTypes | properties.ThreatFamily is the malware family under which the suspicious or malicious file or process has been classified. properties.Category/properties.Categories is the type of threat indicator or breach activity identified by the behavior. properties.ThreatTypes is the verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. | null |
| Threat ID | threat.id | Carbon Black Cloud | threat_id | The identifier of the threat to which this alert belongs. Threats are a combination of factors that can be repeated across devices. | 4b379b7c5d0003a89fccc9e719da3659 |
| Threat ID | threat.id | Crowdstrike Events | event.DetectId, event.IncidentID | The Detection ID for the detection. It can be used in other APIs, such as Detection Resolution and ThreatGraph. For example: "ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922" | 58cdxxx4a65f45b18a57cca04f10d338:ind:58cdb954a65f45b18a57cca04f10d338:B33C156F-0F3C-424A-8BCD-6D2EFBEE96C5, inc:c62dc78f88304c10b9b7c3aa4c48d4c6:2cb39927dead48adbbeef6edd899713e |
| Threat ID | threat.id | SentinelOne CEF | threatID | The threat ID assigned by the vendor. | 1886001251971213386 |
| Threat ID | threat.id | Sophos Central | No vendor field is present | No vendor field is present in the log. | N/A |
| Threat ID | threat.id | Microsoft Windows Defender | ID | Determines the ID of the threat event. | 2147726038 |
| Threat ID | threat.id | Microsoft Defender Advanced Hunting | No vendor field is present | No vendor field is present in the log. | N/A |
| Threat Name | threat.name | Carbon Black Cloud | No vendor field is present | No vendor field is present in the log. | N/A |
| Threat Name | threat.name | Crowdstrike Events | event.ScanResults.ResultName, event.DetectName | Malware name. | Security Vulnerability CVE-2016-0636 in Oracle JDK, Unusual login to an endpoint |
| Threat Name | threat.name | SentinelOne CEF | threatClassification | Classification of the threat. In Progress | Ransomware |
| Threat Name | threat.name | Sophos Central | threat | The name of the threat responsible for the generation of the alert. | ML/PE-A |
| Threat Name | threat.name | Microsoft Windows Defender | Name, ThreatName | Determines the name of the threat. | Virus:DOS/EICAR_Test_File, HackTool:PowerShell/PsAttack.B |
| Threat Name | threat.name | Microsoft Defender Advanced Hunting | properties.ThreatNames | Detection name for malware or other threats found. | null |
| Threat Source | threat.source | Carbon Black Cloud | threat_cause_vector | The source (vector) of the threat. | EMAIL, WEB, GENERIC_SERVER, GENERIC_CLIENT, REMOTE_DRIVE, REMOVABLE_MEDIA, UNKNOWN, APP_STORE, THIRD_PARTY |
| Threat Source | threat.source | Crowdstrike Events | No vendor field is present | No vendor field is present in the log. | N/A |
| Threat Source | threat.source | SentinelOne CEF | threatClassificationSource | The source of the identified threat. In Progress | Static |
| Threat Source | threat.source | Sophos Central | No vendor field is present | No vendor field is present in the log. | N/A |
| Threat Source | threat.source | Microsoft Windows Defender | Detection Source | Determines the source of the detection. In Progress | User: user initiated, System: system initiated, Real-time: real-time component initiated |
| Threat Source | threat.source | Microsoft Defender Advanced Hunting | properties.DetectionSource | Detection technology or sensor that identified the notable component or activity. Mapping to threat.source for "AlertEvidence" is in progress. | Microsoft Defender for Identity |
| Threat Description | threat.description | Carbon Black Cloud | reason | Description of the alert. In Progress | Process chrome.exe was detected by the report \"badfile.exe.exe\" in watchlist \"test watchlist1\" |
| Threat Description | threat.description | Crowdstrike Events | event.DetectDescription, event.IncidentDescription | event.DetectDescription is a description of what an adversary was trying to do in the environment and guidance on how to begin an investigation. event.IncidentDescription is a description of the identity-based incident. | Terminated a process related to the deletion of backups, which is often indicative of ransomware activity. |
| Threat Description | threat.description | SentinelOne CEF | No vendor field is present | No vendor field is present in the log. | N/A |
| Threat Description | threat.description | Sophos Central | name, description | The description of the alert that was generated. | Malware 'ML/PE-A' detected in network location '\\\\bd-dml\\Everyone\\Printing_final.exe' requires attention |
| Threat Description | threat.description | Microsoft Windows Defender | Description of the Event | Determines the description of the event. In Progress | The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. |
| Threat Description | threat.description | Microsoft Defender Advanced Hunting | properties.VulnerabilityDescription | The description of the vulnerability and associated risks. | N/A |
| Origin Host Name | origin.host.name | Carbon Black Cloud | device_name | The hostname of the device associated with the alert. | workstation1 |
| Origin Host Name | origin.host.name | Crowdstrike Events | event.ComputerName, event.HostnameField, event.SourceEndpointHostName | Host name. | XXX-4XV0VG3.xxx.LOCAL, hostname1 |
| Origin Host Name | origin.host.name | SentinelOne CEF | sourceHostName | Hostname of the source associated with the alert. | Hostname1 |
| Origin Host Name | origin.host.name | Sophos Central | No vendor field is present | No vendor field is present in the log. | N/A |
| Origin Host Name | origin.host.name | Microsoft Windows Defender | No vendor field is present | No vendor field is present in the log. | N/A |
| Origin Host Name | origin.host.name | Microsoft Defender Advanced Hunting | properties.DeviceName | Fully qualified domain name (FQDN) of the machine. | workstation1.logrhythm.com, workstation1, workstation1.local |
| Origin Account Name | origin.account.name | Carbon Black Cloud | device_username | The username of the logged-on user during the alert. If the user is not available, this may be populated with the device owner. | user1@logrhythm.com |
| Origin Account Name | origin.account.name | Crowdstrike Events | event.UserId, event.UserName, event.SourceAccountName | User that performed the operation, e.g. the person who performed the operation to create a new user account. | user1@logrhythm.com, AWSReservedSSO_SaasIO-SRE_a3cd63ddf254de7e, xxxhdar, demo |
| Origin Account Name | origin.account.name | SentinelOne CEF | sourceUserName | Username associated with the alert. | user1 |
| Origin Account Name | origin.account.name | Sophos Central | source | Describes the source from which the alert was generated. Mapping TBD. | NEW_MILL\\HackettC |
| Origin Account Name | origin.account.name | Microsoft Windows Defender | User | User: Domain\User | NT AUTHORITY\SYSTEM |
| Origin Account Name | origin.account.name | Microsoft Defender Advanced Hunting | properties.AccountDisplayName, properties.AccountName, properties.InitiatingProcessAccountName | properties.AccountDisplayName is the name of the account user displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname. In Progress. properties.AccountName is the user name of the account. properties.InitiatingProcessAccountName is the user name of the account that ran the process responsible for the event. | User Name1, UserName1, system |
| Action State | action.state | Carbon Black Cloud | state | state supports open and dismissed; remediation supports ACTION_TAKEN, NO_ACTION_NEEDED, FALSE_POSITIVE_KNOWN_GOOD_SOFTWARE, FALSE_POSITIVE_KNOWN_GOOD_BEHAVIOR, or a custom string. | OPEN |
| Action State | action.state | Crowdstrike Events | event.state, event.status, event.disposition | event.state is an identity-based incident status: NEW, IN_PROGRESS, DISMISS, RESOLVED, AUTO_RESOLVED. event.state also shows a value of open or closed, depending on whether the incident is still active. event.status is an integer representing the state of the execution, with 1 representing “Done” (successful execution), 2 representing “Failed”, and 3 representing “No Data”. event.disposition is the disposition of this event (Failed/Passed). | NEW, 1, open, Failed |
| Action State | action.state | SentinelOne CEF | SourceNetworkState | Network event status. | connected |
| Action State | action.state | Sophos Central | No vendor field is present | No vendor field is present in the log. | N/A |
| Action State | action.state | Microsoft Windows Defender | Status, Action Status, Post Clean Status | Description of the status of other actions. | No additional actions required |
| Action State | action.state | Microsoft Defender Advanced Hunting | properties.RiskState, properties.EvidenceRole, properties.EntityRole, properties.RawEventData.ResultStatus, properties.NetworkAdapterStatus, properties.IsCompliant, properties.EndOfSupportStatus, properties.IsAccountEnabled | properties.RiskState indicates a risky user state. Possible values: 0 (none), 1 (confirmed safe), 2 (remediated), 3 (dismissed), 4 (at risk), or 5 (confirmed compromised). properties.EvidenceRole describes how the entity is involved in an alert, indicating whether it is impacted or merely related. properties.EntityRole indicates whether the entity is impacted or merely related. properties.NetworkAdapterStatus is the operational status of the network adapter. properties.IsCompliant indicates whether the configuration or policy is properly configured (common event assignment in progress). properties.EndOfSupportStatus indicates the lifecycle stage of the software product relative to its specified end-of-support (EOS) or end-of-life (EOL) date. properties.IsAccountEnabled indicates whether or not the account is enabled. | properties.RiskState: 1; properties.EvidenceRole: Impacted; properties.RawEventData.ResultStatus: Succeeded; properties.NetworkAdapterStatus: Present |
| Action Message | action.message | Carbon Black Cloud | sensor_action | The action taken by the sensor, according to the rule of the policy. | POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY |
| Action Message | action.message | Crowdstrike Events | event.EventAction, event.PatternDispositionDescription, event.RuleAction | event.PatternDispositionDescription is the description of the pattern associated with the action taken on the behavior. event.RuleAction is the action taken on the activity: 1: allowed, 2: blocked, 0: invalid (for example, the rule specifies traffic on a non-existent disk drive). | AuthorizeSecurityGroupEgress, 0 |
| Action Message | action.message | SentinelOne CEF | eventDesc | Description of the alert. | SentinelOne: Device Control Allowed USB Apple Inc. Apple Internal Keyboard / Trackpad on Sheldon-MBP19 (ABC); Threat marked as resolved. |
| Action Message | action.message | Sophos Central | No vendor field is present | No vendor field is present in the log. | N/A |
| Action Message | action.message | Microsoft Windows Defender | Action | Determines the action taken by MS Defender on the threat. | Quarantine |
| Action Message | action.message | Microsoft Defender Advanced Hunting | properties.Description, properties.InitiatingProcessVersionInfoFileDescription, properties.Context, properties.RecommendedSecurityUpdate, properties.EmailAction, properties.Action | properties.Description provides a description of the behavior. properties.InitiatingProcessVersionInfoFileDescription provides a description from the version information of the process (image file) responsible for the event. properties.Context provides additional contextual information about the configuration or policy. properties.RecommendedSecurityUpdate provides a name or description of the security update provided by the software publisher to address the vulnerability. properties.EmailAction gives the final action taken on the email based on filter verdict, policies, and user actions. properties.Action gives the action taken on the entity. | properties.InitiatingProcessVersionInfoFileDescription: Antimalware Service Executable; properties.EmailAction: Move message to junk mail folder, Modify subject, Redirect message. |
| Policy ID | object.policy.id | Carbon Black Cloud | policy_id | The identifier for the policy associated with the device at the time of the alert. | 32064 |
| Policy ID | object.policy.id | Crowdstrike Events | event.PolicyId | The unique ID of the firewall policy matched. | a8bdd37d5cbc48b29bda1e2e767c308e, 212 |
| Policy ID | object.policy.id | SentinelOne CEF | No vendor field is present | No vendor field is present in the log. | N/A |
| Policy ID | object.policy.id | Sophos Central | No vendor field is present | No vendor field is present in the log. | N/A |
| Policy ID | object.policy.id | Microsoft Windows Defender | No vendor field is present | No vendor field is present in the log. | N/A |
| Policy ID | object.policy.id | Microsoft Defender Advanced Hunting | properties.ConditionalAccessStatus, properties.ConfigurationId | properties.ConditionalAccessStatus gives the status of the conditional access policies applied to the sign-in. Possible values: 0 (policies applied), 1 (attempt to apply policies failed), 2 (policies not applied). properties.ConfigurationId gives a unique identifier for a specific configuration. In Progress | 0, 1, 2 |
| Policy Name | object.policy.name | Carbon Black Cloud | policy_name | The name of the policy associated with the device at the time of the alert. | test |
| Policy Name | object.policy.name | Crowdstrike Events | event.PolicyStatement, event.PolicyName | event.PolicyStatement is the statement of the associated policy. event.PolicyName is the name of the firewall policy matched. | EC2 security group modified to allow egress to the public internet |
| Policy Name | object.policy.name | SentinelOne CEF | No vendor field is present | No vendor field is present in the log. | N/A |
| Policy Name | object.policy.name | Sophos Central | No vendor field is present | No vendor field is present in the log. | N/A |
| Policy Name | object.policy.name | Microsoft Windows Defender | No vendor field is present | No vendor field is present in the log. | N/A |
| Policy Name | object.policy.name | Microsoft Defender Advanced Hunting | properties.ConfigurationName, properties.EmailActionPolicy | properties.ConfigurationName gives the display name of the configuration. properties.EmailActionPolicy gives the action policy that took effect. | properties.EmailActionPolicy: null, Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware, Safe Attachments, Enterprise Transport Rules (ETR) |
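The point of the table above is that one analytics rule on threat.severity or origin.host.name should fire no matter which endpoint product produced the alert, even though Carbon Black sends flat JSON, CrowdStrike nests values under event and metadata, and SentinelOne sends CEF. The following Python is an added example, not Axon's own parser or policies: it keeps a per-vendor map of vendor field to schema field (transcribed from the table, taking one vendor field per schema field where the table lists several), resolves dotted JSON paths, and includes a small CEF extension parser. The three sample events are constructed for this example (the field values are the table's own samples; the CEF header values are made up), and the CEF layout assumed by `parse_cef_extension` is an assumption, not SentinelOne's specification.

```python
"""Normalize endpoint-protection alerts from several vendors into threat.* / origin.* fields.

Added example, not Axon's own parser or policies. ENDPOINT_FIELD_MAP is built from
the Common Endpoint Protection Logs table (vendor field -> schema field, one vendor
field per schema field); SAMPLE_EVENTS are constructed for this example, and the
CEF parser is an assumption about the CEF extension layout, not vendor code.
"""
import json
import re

# Vendor field (dotted path into the JSON, or CEF extension key) -> schema field.
ENDPOINT_FIELD_MAP = {
    "Carbon Black Cloud": {
        "type": "vendor_information.log_type",
        "category": "vendor_information.log_subtype",
        "severity": "threat.severity",
        "threat_id": "threat.id",
        "reason": "threat.description",
        "device_name": "origin.host.name",
        "device_username": "origin.account.name",
        "state": "action.state",
        "sensor_action": "action.message",
        "policy_id": "object.policy.id",
        "policy_name": "object.policy.name",
    },
    "Crowdstrike Events": {
        "metadata.eventType": "vendor_information.log_type",
        "event.OperationName": "vendor_information.log_subtype",
        "event.Severity": "threat.severity",
        "event.DetectId": "threat.id",
        "event.DetectName": "threat.name",
        "event.DetectDescription": "threat.description",
        "event.ComputerName": "origin.host.name",
        "event.UserName": "origin.account.name",
        "event.PatternDispositionDescription": "action.message",
    },
    "SentinelOne CEF": {
        "cat": "vendor_information.log_type",
        "threatConfidenceLevel": "threat.severity",
        "threatID": "threat.id",
        "threatClassification": "threat.name",
        "sourceHostName": "origin.host.name",
        "sourceUserName": "origin.account.name",
        "eventDesc": "action.message",
    },
}

# Constructed sample events (values taken from the table's Data Samples column).
SAMPLE_EVENTS = {
    "Carbon Black Cloud": json.dumps({
        "type": "WATCHLIST", "category": "THREAT", "severity": 8,
        "threat_id": "4b379b7c5d0003a89fccc9e719da3659",
        "reason": "Process chrome.exe was detected by the report \"badfile.exe.exe\" in watchlist \"test watchlist1\"",
        "device_name": "workstation1", "device_username": "user1@logrhythm.com",
        "state": "OPEN", "sensor_action": "TERMINATE", "policy_id": 32064, "policy_name": "test",
    }),
    "Crowdstrike Events": json.dumps({
        "metadata": {"eventType": "DetectionSummaryEvent"},
        "event": {"Severity": 2, "DetectId": "ldt:05c0273d48f2432271b2f1d1b49264b5:4297692922",
                  "DetectName": "Unusual login to an endpoint",
                  "ComputerName": "hostname1", "UserName": "demo"},
    }),
    # CEF header values below are made up; the extension keys follow the table.
    "SentinelOne CEF": (
        "CEF:0|SentinelOne|Mgmt|1.0|1|Threat resolved|3|"
        "cat=EndpointDeviceControlEvent threatConfidenceLevel=malicious "
        "threatID=1886001251971213386 threatClassification=Ransomware "
        "sourceHostName=Hostname1 sourceUserName=user1 eventDesc=Threat marked as resolved."
    ),
}


def get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def parse_cef_extension(line):
    """Parse 'key=value key2=value with spaces' pairs from a CEF line's extension.

    Assumed layout: seven pipe-separated header fields, then the extension. A value
    runs until the next ' key=' token, so spaces inside values are preserved.
    """
    ext = line.split("|", 7)[7] if line.startswith("CEF:") and line.count("|") >= 7 else line
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext))


def normalize_endpoint_event(vendor, raw):
    """Map one vendor event (JSON text or CEF line) to {schema field: value}."""
    source = parse_cef_extension(raw) if vendor == "SentinelOne CEF" else json.loads(raw)
    fields = {}
    for vendor_field, schema_field in ENDPOINT_FIELD_MAP[vendor].items():
        value = get_path(source, vendor_field)
        if value not in (None, ""):
            fields[schema_field] = value
    return fields


def normalize_all_samples():
    """Normalize every constructed sample; returns {vendor: fields}."""
    return {vendor: normalize_endpoint_event(vendor, raw) for vendor, raw in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print(json.dumps(normalize_all_samples(), indent=2))
```

Note that the vendor severities land in threat.severity unchanged (8 on a 1-10 scale, 2 on a 1-5 scale, the word "malicious"), exactly as the table shows; a rule that compares threat.severity numerically across vendors therefore needs a per-vendor scale, which is a content-creation decision rather than a parsing one.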

Firewall Logs

These fields apply to nearly all network and host-based firewall products. Common Event assignment for firewalls generally falls in the General Network Traffic group of Common Events.
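Several Cisco ASA rows in the table below make the same point: the observer, time, severity and event ID come from the syslog header, while origin and target host values are "extracted from the actual message of the log corresponding to its Event ID", so the body pattern depends on which ASA message it is. The following Python is an added example, not Axon's own parser or policy: it parses the three ASA sample lines quoted in the table (with the RTF "\par" residue removed) into the schema fields the Cisco ASA rows name. The header pattern and the per-event-ID body patterns are assumptions for this example, not Cisco's documented message grammar.

```python
"""Parse Cisco ASA syslog lines into the Firewall Logs schema fields.

Added example, not Axon's own parser or policy. SAMPLE_LINES are the ASA lines
quoted in the table's Cisco ASA rows; the header pattern and the per-event-ID
body patterns are assumptions for this example, not Cisco's documented grammar.
"""
import ipaddress
import re

# Header: <PRI>Mon DD YYYY HH:MM:SS <host> : %ASA-<severity>-<event id>: <message>
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<time>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %(?P<product>[A-Z]+)-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)

# Message-body patterns keyed by event ID; named groups are mapped through BODY_FIELDS.
BODY = {
    # Deny TCP (no connection) from 10.1.1.1/64580 to 10.1.1.2/443 flags RST on interface CRMP
    "106015": re.compile(
        r"from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"),
    # Deny TCP reverse path check from 10.1.1.2 to 10.1.1.3 on interface Router
    "106021": re.compile(r"from (?P<src_ip>[\d.]+) to (?P<dst_ip>[\d.]+)"),
    # Unable to create tunnel from interface1 :10.1.1.1 /64580 to interface2 :10.1.1.2 /443
    "324005": re.compile(
        r"from (?P<src_if>\S+) :(?P<src_ip>[\d.]+) /(?P<src_port>\d+) "
        r"to (?P<dst_if>\S+) :(?P<dst_ip>[\d.]+) /(?P<dst_port>\d+)"),
}

# Body capture group -> schema field, per the Cisco ASA rows of the table.
BODY_FIELDS = {
    "src_ip": "origin.host.ip_address.value",
    "src_port": "origin.host.network_port.value",
    "dst_ip": "target.host.ip_address.value",
    "dst_port": "target.host.network_port.value",
    "src_if": "origin.host.interface.name",
}

# The table's own ASA samples, with the "\par" residue removed.
SAMPLE_LINES = [
    "<161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/64580 to 10.1.1.2/443 flags RST on interface CRMP",
    "<161>Apr 16 2024 12:58:27 firewall01 : %ASA-1-106021: Deny TCP reverse path check from 10.1.1.2 to 10.1.1.3 on interface Router",
    "<161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-3-324005: Unable to create tunnel from interface1 :10.1.1.1 /64580 to interface2 :10.1.1.2 /443",
]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_asa(line):
    """Return Axon schema fields for one ASA syslog line, or None if the header does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {
        "vendor_information.log_generation_time": m["time"],
        "vendor_information.description": m["product"],   # 'ASA', as DeviceProduct in the table
        "vendor_information.severity": m["sev"],
        "vendor_information.id": m["id"],
    }
    # The header host is the Observer: an IP literal goes to the IP field, a name to the name field.
    host_field = "observer.host.ip_address.value" if _is_ip(m["host"]) else "observer.host.name"
    fields[host_field] = m["host"]

    body = BODY.get(m["id"])
    if body is not None:
        b = body.search(m["msg"])
        if b:
            for group, value in b.groupdict().items():
                if group in BODY_FIELDS:
                    fields[BODY_FIELDS[group]] = value
    return fields


def parse_all_samples():
    """Parse every sample line; returns a list of field dicts."""
    return [parse_asa(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for parsed in parse_all_samples():
        print(parsed)
```

Event IDs without a body pattern still yield the header fields, so observer, time, severity and vendor_information.id are populated for every ASA line; only the origin/target fields depend on the per-ID pattern, which mirrors how the table treats them as optional, message-specific extractions.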

Axon Display Name

Schema Field

Technology

Technology field

Technology Description

Data Samples

Vendor Description

vendor_information.description

Cisco ASA

DeviceProduct

Name of the product from Cisco.

ASA

Palo Alto NGFW

Description (opaque)

Detailed description of the event, up to a maximum of 512 bytes.

dns-signature cloud service connection refused.

Vendor Severity

vendor_information.severity

Cisco ASA

Severity level

Determines the severity level as described in the signal message.

6

Palo Alto NGFW

Severity (severity)

Severity associated with the event. Values are informational, low, medium, high, critical.

informational

Vendor Message ID

vendor_information.id

Cisco ASA

Event ID

Event ID as denoted in the signal message.

106015

Palo Alto NGFW

No vendor field is present

No vendor field is present in the log.

N/A

Vendor Log Type

vendor_information.log_type

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Type (type)

Specifies the type of log.

CORRELATION, DECRYPTION, THREAT, SYSTEM, GLOBALPROTECT, SCTP etc.

Vendor Log Subtype

vendor_information.log_subtype

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Threat/Content Type (subtype),
Content/Threat Type (subtype)

Specifies the subtype of log.

auth, ddns, dhcp, vpn, data, file, flood, ml-virus, vulnerability, wildfire, wildfire-virus etc.

Log Gen Time

vendor_information.log_generation_time

Cisco ASA

Syslog header timestamp

Timestamp observed in the syslog header portion of the log. In Progress

For example: <161>Apr 16 2024 12:58:27 10.1.1.1 : %ASA-1-106021: Deny TCP reverse path check from 10.1.1.2 to 10.1.1.3 on interface Router\par

In this example, Apr 16 2024 12:58:27 is the Log Gen Time.

Apr 16 2024 12:58:27

Palo Alto NGFW

Generated Time (time_generated or cef-formatted-time_generated),

Generate Time (time_generated)

Time the log was generated on the data plane. In Progress

2021/11/30 15:40:55

Observer Host IP

observer.host.ip_address.value

Cisco ASA

Syslog header host IP

It represents the IP address associated with the host that observed the action as described within the signal message. In Progress

The Observer context is for Accounts or Hosts that witnessed the Action described within the message.

For example:  <161>Apr 16 2024 12:58:27 10.1.1.1 : %ASA-1-106021: Deny TCP reverse path check from 10.1.1.2 to 10.1.1.3 on interface Router\par

In this example, 10.1.1.1 is the Observer IP in the syslog header portion.

10.1.1.1

Palo Alto NGFW

No vendor field is present

No vendor field is present in the log.

N/A

Observer Host Name

observer.host.name

Cisco ASA

Syslog header hostname

Represents the name of the host that observed the action as described within the signal message. In Progress

Note: The Observer context is for Accounts or Hosts that witnessed the Action described within the message.

For example:  <161>Apr 16 2024 12:58:27 firewall01 : %ASA-1-106021: Deny TCP reverse path check from 10.1.1.2 to 10.1.1.3 on interface Router\par

In this example, firewall01 is the Observer hostname in the syslog header portion.

firewall01

Palo Alto NGFW

Device Name (device_name)

The hostname of the firewall on which the session was logged.

FW1

Observer Host Serial

observer.host.serial_number

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Serial Number (serial)

The serial number of the firewall that generated the log.

13201019325

Observer Host Ingress Int

observer.host.ingress_interface

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Inbound Interface (inbound_if)

Interface from which the session was sourced.

ethernet1/5

Observer Host Egress Int

observer.host.egress_interface

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Outbound Interface (outbound_if)

Interface that the session was destined to

ethernet1/1

Origin Host Name

origin.host.name

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Machine Name (machinename),

Source Hostname (src_host)

Machine Name (machinename) is the name of the user’s machine.

Source Hostname (src_host) is the hostname of the device that Device-ID identifies as the source of the traffic.

workstation1

Origin Host IP

origin.host.ip_address.value

Cisco ASA

Source IP

This value has been extracted from the actual message of the log corresponding to its Event ID.

For example: <161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/64580 to 10.1.1.2/443 flags RST  on interface CRMP\par

In this example, 10.1.1.1 is the Source IP.

10.1.1.1

Palo Alto NGFW

Source IP (IP),

Host (host),

Source Address (src),

Public IP (public_ip)

Source IP (ip) is the original session source IP address.

Host (host) is the hostname or IP address of the client machine.

Source Address (src) is the IP address of the user who initiated the event.

Public IP (public_ip) is the public IP address for the user who initiated the session.

10.1.1.1

Origin Host NAT IP

origin.host.ip_address.nat_value

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

NAT Source IP (natsrc),

Private IP (private_ip)

NAT Source IP (natsrc) - displays the post-NAT Source IP address if Source NAT was performed.

Private IP (private_ip) is the private IP address for the user who initiated the session.

10.1.1.1

Origin Host IP Port

origin.host.network_port.value

Cisco ASA

Source Port

This value is extracted from the message portion of the log according to its Event ID.

For example: <161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/64580 to 10.1.1.2/443 flags RST on interface CRMP

In this example, 64580 is the Source Port.

64580

Palo Alto NGFW

Source Port (sport)

Source port utilized by the session.

60453

Origin Host NAT IP Port

origin.host.network_port.nat_value

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

NAT Source Port (natsport)

Post-NAT source port.

57602

Origin Host Interface Name

origin.host.interface.name

Cisco ASA

Source Interface

This value is extracted from the message portion of the log according to its Event ID.

For example: <161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-3-324005: Unable to create tunnel from interface1 :10.1.1.1 /64580 to interface2 :10.1.1.2 /443

In this example, interface1 is the Source Interface.

interface1

Palo Alto NGFW

No vendor field is present

No vendor field is present in the log.

N/A

Target Host Name

target.host.name

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Destination Hostname (dst_host)

The hostname of the device that Device-ID identifies as the destination for the traffic.

workstation2

Target Host IP

target.host.ip_address.value

Cisco ASA

Target IP

This value is extracted from the message portion of the log according to its Event ID.

For example: <161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/64580 to 10.1.1.2/443 flags RST on interface CRMP

In this example, 10.1.1.2 is the Target IP.

10.1.1.2

Palo Alto NGFW

Destination Address (dst)

Original session destination IP address.

10.1.1.1

Target Host NAT IP

target.host.ip_address.nat_value

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

NAT Destination IP (natdst)

If Destination NAT performed, the post-NAT Destination IP address.

10.1.1.1

Target Host IP Port

target.host.network_port.value

Cisco ASA

Target Port

This value is extracted from the message portion of the log according to its Event ID.

For example: <161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-6-106015: Deny TCP (no connection) from 10.1.1.1/64580 to 10.1.1.2/443 flags RST on interface CRMP

In this example, 443 is the Target Port.

443

Palo Alto NGFW

Destination Port (dport)

Destination port utilized by the session.

25

Target Host NAT IP Port

target.host.network_port.nat_value

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

NAT Destination Port (natdport)

Post-NAT destination port

80

Target Host Interface Name

target.host.interface.name

Cisco ASA

Target Interface

This value is extracted from the message portion of the log according to its Event ID.

For example: <161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-3-324005: Unable to create tunnel from interface1 :10.1.1.1 /64580 to interface2 :10.1.1.2 /443

In this example, interface2 is the Target Interface.

interface2

Palo Alto NGFW

No vendor field is present

No vendor field is present in the log.

N/A

Action Message

action.message

Cisco ASA

Message

The message portion of the log. Mapping the complete message portion to "Action Message" is in progress.

Deny TCP (no connection) from 10.1.1.1/64580 to 10.1.1.2/443 flags RST on interface CRMP

No matching connection for ICMP error message: icmp src Users:10.1.1.1 dst Servers:10.1.1.2 (type 3, code 3) on Users interface. Original IP payload: udp src 10.1.1.2/53 dst 10.1.1.1/59602.

Palo Alto NGFW

Action (action)

The action taken for the session. Values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.

reset-both

Action Type

action.type

Cisco ASA

Connection type, message type, action type

For a few Event IDs, the connection type, message type, or action type is mapped to "Action Type".

SSL

Palo Alto NGFW

Event ID (eventid)

String showing the name of the event. Mapping to "Action Type" is in progress.

connect-ldap-sever-failure, ipsec-key-delete

Network Proto Name

action.network.protocol.name

Cisco ASA

protocol name

This value is extracted from the message portion of the log according to its Event ID.

For example: <161>Apr 16 2024 12:58:27 192.168.21.1 : %ASA-4-500004: Invalid transport field for protocol=tcp , from 10.1.1.1 /64580 to 10.1.1.2 /443

In this example, tcp is the Protocol Name.

tcp

Palo Alto NGFW

IP Protocol (proto)

IP protocol associated with the session.

tcp, sctp

Threat Severity

threat.severity

Cisco ASA

level_value

This value is extracted from the message portion of the log according to its Event ID.

For example (message template, with placeholders in place of values): <161>Apr 16 2024 12:58:27 192.168.21.1 : %ASA-4-338003: Dynamic filter monitored blacklisted protocol traffic from in_interface :src_ip_addr /src_port (mapped-ip /mapped-port) to out_interface :dest_ip_addr /dest_port , (mapped-ip /mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_name

In this example, level_value is the Threat Severity.

none, very-low, low, moderate, high, very-high

Palo Alto NGFW

Severity (severity)

Severity associated with the threat; values are informational, low, medium, high, critical.

"Severity" is mapped to "threat.severity" for Threat logs and "vendor_information.severity" for other logs from Palo Alto NGFW.

medium

Threat Name

threat.name

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Threat/Content Name (threatid)

Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes.

TrickBot.Gen Command and Control Traffic(18087)

Threat ID

threat.id

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Threat/Content Name (threatid), numerical identifier portion

The 64-bit numerical identifier in parentheses at the end of threatid, present for some Subtypes.

(18087)

Threat Category

threat.category

Cisco ASA

category_name

This value is extracted from the message portion of the log according to its Event ID.

For example (message template, with placeholders in place of values): <161>Apr 16 2024 12:58:27 192.168.21.1 : %ASA-4-338003: Dynamic filter monitored blacklisted protocol traffic from in_interface :src_ip_addr /src_port (mapped-ip /mapped-port) to out_interface :dest_ip_addr /dest_port , (mapped-ip /mapped-port), source malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_name

In this example, category_name is the Threat Category.

botnet, Trojan, spyware

Palo Alto NGFW

Threat Category (thr_category)

Describes threat categories used to classify different types of threat signatures.

botnet, flood, scan

Threat Description

threat.description

Cisco ASA

No vendor field is present

No vendor field is present in the log.

N/A

Palo Alto NGFW

Application Characteristic (characteristic_of_app)

Comma-separated list of applicable characteristics of the application.

able-to-transfer-file,has-known-vulnerability,is-saas,is-hipaa,is-soc2,is-ip-based-restrictions

used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use
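Every Cisco ASA row above says the value is extracted from the message portion according to the Event ID, and the Palo Alto threatid rows describe a name followed by a numerical identifier in parentheses. The Python below is an added example, not Axon Policy Builder code or any vendor's parser, showing one way to perform that extraction for the three ASA message IDs quoted in the table (106015, 324005, 500004) and to split threatid into threat.name and threat.id. The log lines are constructed to match the table's examples. Two header-derived keys, observer.host.ip_address.value and vendor_information.event_id, are assumed names for illustration and are not confirmed schema fields. Protocol names are lowercased so that ASA's "TCP" and Palo Alto's "tcp" compare equal in a rule, and threat.id is stored as the bare number rather than the parenthesised form shown in the data sample.

```python
import re
from typing import Dict, List, Optional

# Constructed ASA syslog lines shaped like the table's examples (not captured from a device).
SAMPLE_ASA_LOGS = [
    "<161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-6-106015: Deny TCP (no connection) "
    "from 10.1.1.1/64580 to 10.1.1.2/443 flags RST  on interface CRMP",
    "<161>Apr 16 2024 12:58:27 10.1.1.5 : %ASA-3-324005: Unable to create tunnel "
    "from interface1 :10.1.1.1 /64580 to interface2 :10.1.1.2 /443",
    "<161>Apr 16 2024 12:58:27 192.168.21.1 : %ASA-4-500004: Invalid transport field "
    "for protocol=tcp , from 10.1.1.1 /64580 to 10.1.1.2 /443",
]

# Header common to every ASA message: <PRI>, timestamp, reporting device, %ASA-level-msgid.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) : %ASA-(?P<level>\d)-(?P<msgid>\d{6}): (?P<message>.*)$"
)

# One body pattern per message ID. ASA inserts stray spaces around ':' and '/' in some
# messages ("interface1 :10.1.1.1 /64580"), so the separators allow optional whitespace.
BODY_RES = {
    "106015": re.compile(
        r"Deny (?P<proto>\w+) \(no connection\) from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
        r"to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) flags .*? on interface \S+"
    ),
    "324005": re.compile(
        r"Unable to create tunnel from (?P<src_if>\S+) :\s*(?P<src_ip>[\d.]+) ?/(?P<src_port>\d+) "
        r"to (?P<dst_if>\S+) :\s*(?P<dst_ip>[\d.]+) ?/(?P<dst_port>\d+)"
    ),
    "500004": re.compile(
        r"Invalid transport field for protocol=(?P<proto>\w+) ?, from (?P<src_ip>[\d.]+) ?/(?P<src_port>\d+) "
        r"to (?P<dst_ip>[\d.]+) ?/(?P<dst_port>\d+)"
    ),
}

# Vendor capture name -> Axon schema field, following the table above.
SCHEMA_MAP = {
    "src_ip": "origin.host.ip_address.value",
    "src_port": "origin.host.network_port.value",
    "dst_ip": "target.host.ip_address.value",
    "dst_port": "target.host.network_port.value",
    "src_if": "origin.host.interface.name",
    "dst_if": "target.host.interface.name",
    "proto": "action.network.protocol.name",
}


def parse_asa(line: str) -> Optional[Dict[str, str]]:
    """Map one ASA syslog line to Axon schema fields. Returns None if the header does not parse."""
    head = HEADER_RE.match(line)
    if head is None:
        return None
    out = {
        # Assumed key names: the table names observer.* and vendor_information.* groups,
        # but not these exact fields.
        "observer.host.ip_address.value": head["device"],
        "vendor_information.event_id": head["msgid"],
        "action.message": head["message"].strip(),
    }
    body_re = BODY_RES.get(head["msgid"])
    body = body_re.search(head["message"]) if body_re else None
    if body is None:
        return out  # unknown message ID or malformed body: keep header fields, guess nothing
    for vendor_name, value in body.groupdict().items():
        schema_field = SCHEMA_MAP.get(vendor_name)
        if schema_field is None or value is None:
            continue  # captures with no mapping in the table (e.g. 106015's interface) are dropped
        value = value.strip()
        if vendor_name == "proto":
            value = value.lower()  # ASA logs "TCP" in some messages, Palo Alto logs "tcp"
        out[schema_field] = value
    # Reject out-of-range ports instead of storing a value a rule would then match on.
    for field in ("origin.host.network_port.value", "target.host.network_port.value"):
        if field in out and not 0 <= int(out[field]) <= 65535:
            del out[field]
    return out


def parse_asa_batch(lines: List[str]) -> List[Dict[str, str]]:
    """Parse many lines, skipping those whose header does not match."""
    return [r for r in (parse_asa(l) for l in lines) if r is not None]


# PAN-OS threatid: "<name>(<64-bit id>)" for some Subtypes, a bare name for others.
THREATID_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<id>\d+)\)$")


def split_pan_threatid(threatid: str) -> Dict[str, str]:
    """Split a Palo Alto threatid into threat.name and threat.id (bare number, no parentheses)."""
    m = THREATID_RE.match(threatid.strip())
    if m is None:
        return {"threat.name": threatid.strip()}
    return {"threat.name": m["name"], "threat.id": m["id"]}


if __name__ == "__main__":
    for parsed in parse_asa_batch(SAMPLE_ASA_LOGS):
        print(parsed)
    print(split_pan_threatid("TrickBot.Gen Command and Control Traffic(18087)"))
```

The body patterns are keyed by message ID because the same word order means different things in different ASA messages; a single catch-all regex over the message text is how source and destination fields get swapped between Event IDs.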

Cloud Logs

The following fields appear in nearly every AWS (CloudTrail) log and are mapped as shown.

| Device Name | Device Category | Schema Field | Technology Field |
|---|---|---|---|
| AWS | Cloud | action.session.type (In Progress) | userIdentity.type |
| AWS | Cloud | origin.account.name | userIdentity.userName |
| AWS | Cloud | origin.account.id | userIdentity.accountId |
| AWS | Cloud | origin.account.name (In Progress) | userIdentity.sessionContext.sessionIssuer.userName |
| AWS | Cloud | vendor_information.log_generation_time | eventTime |
| AWS | Cloud | vendor_information.description | eventSource |
| AWS | Cloud | action.message | eventName |
| AWS | Cloud | origin.host.ip_address.value, origin.host.name | sourceIPAddress |
| AWS | Cloud | action.user_agent | userAgent |
| AWS | Cloud | action.result.code | errorCode |
| AWS | Cloud | action.result.message | errorMessage |
| AWS | Cloud | action.result.code | responseElements.errorCode |
| AWS | Cloud | action.result.message | responseElements.errorMessage |
| AWS | Cloud | action.type (In Progress) | eventType |
| AWS | Cloud | observer.account.id | recipientAccountId |
| AWS | Cloud | vendor_information.log_type | eventCategory |
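The AWS table maps sourceIPAddress to two schema fields and lists a userName source twice (userIdentity.userName and userIdentity.sessionContext.sessionIssuer.userName); which one applies depends on the record. The Python below is an added example, not Axon's own message-processing code, that applies the table's mapping to constructed CloudTrail records and resolves both cases: sourceIPAddress goes to origin.host.ip_address.value only when it parses as an IP address and to origin.host.name otherwise (CloudTrail puts a service DNS name such as lambda.amazonaws.com in that field for calls made by AWS services), and origin.account.name takes userIdentity.userName for IAM users and falls back to sessionContext.sessionIssuer.userName for assumed-role sessions. The two records are constructed; the account IDs, names and addresses are invented.

```python
import ipaddress
import json
from typing import Any, Dict, List, Optional

# Constructed CloudTrail records (field names follow the CloudTrail record format,
# values are invented). Record 1 is an IAM user call; record 2 is an AWS service
# acting under an assumed role, with an AccessDenied error.
SAMPLE_CLOUDTRAIL = json.loads("""
{"Records": [
  {"eventVersion": "1.08", "eventTime": "2018-08-02T17:07:00Z",
   "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
   "eventType": "AwsApiCall", "eventCategory": "Management",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
   "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
   "recipientAccountId": "111122223333"},
  {"eventVersion": "1.08", "eventTime": "2018-08-02T17:09:30Z",
   "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "eventType": "AwsApiCall", "eventCategory": "Data",
   "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
     "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}}},
   "sourceIPAddress": "lambda.amazonaws.com", "userAgent": "lambda.amazonaws.com",
   "errorCode": "AccessDenied", "errorMessage": "Access Denied",
   "recipientAccountId": "444455556666"}
]}
""")

# Direct vendor field -> schema field mappings from the table above.
DIRECT_MAP = {
    "eventTime": "vendor_information.log_generation_time",
    "eventSource": "vendor_information.description",
    "eventName": "action.message",
    "userAgent": "action.user_agent",
    "recipientAccountId": "observer.account.id",
    "eventCategory": "vendor_information.log_type",
    "userIdentity.accountId": "origin.account.id",
    "userIdentity.type": "action.session.type",  # marked In Progress in the table
    "eventType": "action.type",                    # marked In Progress in the table
}


def _get(record: Dict[str, Any], path: str) -> Optional[Any]:
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    cur: Any = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _is_ip(value: str) -> bool:
    """True for IPv4/IPv6 literals; False for the service DNS names CloudTrail also emits."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def map_cloudtrail(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map one CloudTrail record to the Axon schema fields listed in the table."""
    out: Dict[str, Any] = {}
    for vendor_field, schema_field in DIRECT_MAP.items():
        value = _get(record, vendor_field)
        if value is not None:
            out[schema_field] = value
    # origin.account.name: the IAM user's own name, else the role behind an assumed-role session.
    name = _get(record, "userIdentity.userName") or _get(
        record, "userIdentity.sessionContext.sessionIssuer.userName")
    if name:
        out["origin.account.name"] = name
    # sourceIPAddress: only a real address belongs in ip_address.value; a DNS name goes to host.name.
    src = record.get("sourceIPAddress")
    if src:
        out["origin.host.ip_address.value" if _is_ip(src) else "origin.host.name"] = src
    # action.result: top-level errorCode/errorMessage take precedence; responseElements is the fallback.
    code = record.get("errorCode") or _get(record, "responseElements.errorCode")
    msg = record.get("errorMessage") or _get(record, "responseElements.errorMessage")
    if code:
        out["action.result.code"] = code
    if msg:
        out["action.result.message"] = msg
    return out


def map_all(doc: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Map every record in a CloudTrail log file body."""
    return [map_cloudtrail(r) for r in doc.get("Records", [])]


if __name__ == "__main__":
    for row in map_all(SAMPLE_CLOUDTRAIL):
        print(row)
```

Keeping service names out of origin.host.ip_address.value matters for rules that do IP arithmetic or geolocation on that field; a DNS name there either breaks the rule or silently never matches.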
