File Threat Messages

Vendor Documentation

https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference/network-logs/network-file-log/network-file-cef-fields.html

Classification

Rule Name	Rule Type	Classification	Common Event
File Threat Messages	Base Rule	Activity	General Threat Message
Potentially Threatening File Alert	Sub Rule	Activity	Potentially Threatening File Observed
Potentially Threatening File Allowed	Sub Rule	Activity	Potentially Threatening File Observed
User Continue File Block	Sub Rule	Activity	Potentially Threatening File Observed
User Override File Block	Sub Rule	Activity	Potentially Threatening File Observed
Potentially Threatening File Blocked	Sub Rule	Failed Activity	Threat Blocked

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
N/A	N/A	N/A	deviceVendor
N/A	N/A	N/A	deviceProduct
N/A	N/A	N/A	Version
N/A	N/A	N/A	LogType
N/A	<vmid>	Text/String	SubType
N/A	<severity>	Number	deviceSeverity
ProfileToken	N/A	N/A	N/A
dtz	N/A	N/A	N/A
rt	N/A	N/A	Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
deviceExternalId	<serialnumber>	Text/String	ID that uniquely identifies the source of the log - serial number of the firewall that generated the log.
PanOSConfigVersion	N/A	N/A	Version number of the firewall operating system that wrote this log record.
PanOSApplicationCategory	<subject>	Text/String	Identifies the high-level family of the application.
PanOSApplicationContainer	N/A	N/A	Identifies the managing application or parent of the application associated with this network traffic.
PanOSApplicationRisk	N/A	N/A	Indicates how risky the application is from a network security perspective.
PanOSApplicationSubcategory	N/A	N/A	Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category.
PanOSApplicationTechnology	N/A	N/A	The networking technology used by the identified application.
PanOSCaptivePortal	N/A	N/A	Indicates if user information for the session was captured through Captive Portal.
PanOSCloudHostname	N/A	N/A	The hostname in which the VM-series firewall is running.
PanOSCortexDataLakeTenantID	N/A	N/A	The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
PanOSDLPVersionFlag	N/A	N/A	Indicates whether these are old or new data filtering logs.
PanOSDestinationDeviceClass	N/A	N/A	Destination device class.
PanOSDestinationDeviceOS	N/A	N/A	Destination device OS type.
dntdom	<domainimpacted>	Text/String	Domain to which the Destination User belongs.
dusername	<account>	Text/String	The Destination User. That is, the username to which the network traffic was destined.
duid		N/A	Unique identifier assigned to the Destination User.
PanOSFileType	<objecttype>	Text/String	Palo Alto Networks textual identifier for the threat.
PanOSInboundInterfaceDetailsPort	N/A	N/A	Hardware port or socket from which the network traffic was sourced.
PanOSInboundInterfaceDetailsSlot	N/A	N/A	Interface slot from which the network traffic was sourced.
PanOSInboundInterfaceDetailsType	N/A	N/A	The type of interface from which the network traffic was sourced.
PanOSInboundInterfaceDetailsUnit	N/A	N/A	Internal use.
PanOSIsClienttoServer	N/A	N/A	Indicates if direction of traffic is from client to server.
PanOSIsContainer	N/A	N/A	Indicates if the session is a container page access (Container Page).
PanOSIsDecryptMirror	N/A	N/A	Indicates whether decrypted traffic was sent out in clear text through a mirror port.
PanOSIsDecrypted	N/A	N/A	Flag that indicates that the session is decrypted.
PanOSIsDuplicateLog	N/A	N/A	Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
PanOSIsEncrypted	N/A	N/A	Flag that indicates that the session is encrypted.
PanOSIsIPV6	N/A	N/A	Indicates whether IPV6 was used for the session.
PanOSIsMptcpOn	N/A	N/A	Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
PanOSIsNonStandardDestinationPort	N/A	N/A	Indicates if the destination port is non-standard.
PanOSIsPacketCapture	N/A	N/A	Indicates whether the session has a packet capture (PCAP).
PanOSIsPhishing	N/A	N/A	Indicates whether enterprise credentials were submitted by an end user.
PanOSIsPrismaNetwork	N/A	N/A	Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
PanOSIsPrismaUsers	N/A	N/A	Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
PanOSIsProxy	N/A	N/A	Indicates whether the SSL session is decrypted (SSL Proxy).
PanOSIsReconExcluded	N/A	N/A	Indicates whether source for the flow is on the firewall allow list and not subject to recon protection.
PanOSIsSaaSApplication	N/A	N/A	Internal use field. Indicates whether the application associated with this network traffic is a SAAS application.
PanOSIsServertoClient	N/A	N/A	Indicates if direction of traffic is from server to client.
PanOSIsSourceXForwarded	N/A	N/A	Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
PanOSIsSystemReturn	N/A	N/A	Indicates whether symmetric return was used to forward traffic for this session.
PanOSIsTransaction	N/A	N/A	Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
PanOSIsTunnelInspected	N/A	N/A	Indicates whether the payload for the outer tunnel was inspected.
PanOSIsURLDenied	N/A	N/A	Indicates whether the session was denied due to a URL filtering rule.
PanOSLogExported	N/A	N/A	Indicates if this log was exported from the firewall using the firewall's log export function.
PanOSLogForwarded	N/A	N/A	Internal-use field that indicates if the log is being forwarded.
PanOSLogSource	N/A	N/A	Identifies the origin of the data - the system that produced the data.
PanOSLogSourceTimeZoneOffset	N/A	N/A	Time Zone offset from GMT of the source of the log.
PanOSNAT	N/A	N/A	Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
PanOSNonStandardDestinationPort	N/A	N/A	Identifies the non-standard or unexpected port used by the application associated with this session.
PanOSOutboundInterfaceDetailsPort	N/A	N/A	Hardware port or socket to which the network traffic was sent.
PanOSOutboundInterfaceDetailsSlot	N/A	N/A	Interface slot to which the network traffic was sent.
PanOSOutboundInterfaceDetailsType	N/A	N/A	The type of interface to which the network traffic was sent.
PanOSOutboundInterfaceDetailsUnit	N/A	N/A	Internal use.
PanOSPacket	N/A	N/A	Packet that triggered the firewall to generate this threat log record.
PanOSProfileName	N/A	N/A	Data filtering profile name.
PanOSSanctionedStateOfApp	N/A	N/A	Indicates whether the application has been flagged as sanctioned by the firewall administrator.
PanOSSeverity	N/A	N/A	Severity as defined by the platform.
PanOSSourceDeviceClass	N/A	N/A	Source device class.
PanOSSourceDeviceOS	N/A	N/A	Source device OS type.
sntdom	<domainorigin>	Text/String	Domain to which the Source User belongs.
susername	<domainorigin>\<login>	Text/String	The Source User. That is, the username that initiated the network traffic.
suid	N/A	N/A	Unique identifier assigned to the Source User.
PanOSThreatCategory	N/A	N/A	Threat category of the detected threat.
PanOSThreatNameFirewall	<threatname>	Text/String	Threat Name written by the firewall.
PanOSTunneledApplication	N/A	N/A	For internal use only.
PanOSURL	N/A	N/A	The name of the internet domain that was visited in this session.
PanOSUsers	N/A	N/A	Source/Destination user. If neither is available, source_ip is used.
PanOSVirtualSystemID	N/A	N/A	A unique identifier for a virtual system on a Palo Alto Networks firewall.
start	N/A	N/A	Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
src	<sip>	IP Address	Original source IP address.
dst	<dip>	IP Address	Original destination IP address.
sourceTranslatedAddress	<snatip>	IP Address	If source NAT was performed, the post-NAT source IP address.
destinationTranslatedAddress	<dnatip>	IP Address	If destination NAT performed, the post-NAT destination IP address.
cs1	N/A	N/A	Name of the security policy rule that the network traffic matched.
cs1Label	N/A	N/A
susername0	<domainorigin><login>	Text/String	The username that initiated the network traffic.
dusername0	<account>	Text/String	The username to which the network traffic was destined.
app	N/A	N/A	Application associated with the network traffic.
cs3	N/A	N/A	String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
cs3Label	N/A	N/A	N/A
cs4	N/A	N/A	The networking zone from which the traffic originated.
cs4Label	N/A	N/A	N/A
cs5	N/A	N/A	Networking zone to which the traffic was sent.
cs5Label	N/A	N/A	N/A
deviceInboundInterface	<sinterface>	Text/String	Interface from which the network traffic was sourced.
deviceOutboundInterface	<dinterface>	Text/String	Interface to which the network traffic was destined.
cs6	N/A	N/A	Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
cs6Label	N/A	N/A	N/A
cn1	<session>	Number	Identifies the firewall's internal identifier for a specific network session.
cn1Label		N/A	N/A
cnt	<quantity>	Number	Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
spt	<sport>	Number	Source port utilized by the session.
dpt	<dport>	Number	Network traffic's destination port. If this value is 0, then the app is using its standard port.
sourceTranslatedPort	<snatport>	Number	Post-NAT source port.
destinationTranslatedPort	<dnatport>	Number	Post-NAT destination port.
proto	<protname>	Text/String	IP protocol associated with the session.
act	<action> <tag1>	Text/String	Identifies the action that the firewall took for the network traffic.
filePath	<object>	Text/String	The name of the file that is blocked.
cs2	N/A	N/A	The URL category.
cs2Label	N/A	N/A	N/A
flexString2	N/A	N/A	Indicates the direction of the attack.
flexString2Label	N/A	N/A	N/A
externalId	N/A	N/A	The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
PanOSSourceLocation	N/A	N/A	Source country or internal region for private addresses.
PanOSDestinationLocation	N/A	N/A	Destination country or internal region for private addresses.
fileId	N/A	N/A	Packet capture ID. Used to correlate threat pcap files with extended pcaps taken as a part of the session flow.
PanOSFileHash	<hash>	Text/String	The binary hash (SHA256) of the file.
PanOSReportID	N/A	N/A	Identifies the analysis requested from the sandbox (cloud or appliance).
PanOSDGHierarchyLevel1	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel2	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel3	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel4	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSVirtualSystemName	N/A	N/A	The name of the virtual system associated with the network traffic.
dvchost	N/A	N/A	Name of the source of the log - hostname of the firewall that logged the network traffic.
PanOSSourceUUID	N/A	N/A	Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
PanOSDestinationUUID	N/A	N/A	Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
PanOSIMSI	N/A	N/A	ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
PanOSIMEI	N/A	N/A	A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
PanOSParentSessionID	N/A	N/A	ID of the session in which this network traffic was tunneled.
PanOSParentStartTime	N/A	N/A	Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
PanOSTunnel	N/A	N/A	Type of tunnel.
PanOSContentVersion	N/A	N/A	Applications and Threats version installed on the firewall when the log was generated.
PanOSSigFlags	N/A	N/A	Internal use only.
PanOSRuleUUID	N/A	N/A	Unique identifier for the security policy rule that the network traffic matched.
PanOSHTTP2Connection	N/A	N/A	Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0.
PanOSDynamicUserGroup	<group>	Text/String	Dynamic user group of the user who initiated the network connection.
PanOSX-Forwarded-ForIP	N/A	N/A	X-Forwarded-For IP.
PanOSSourceDeviceCategory	N/A	N/A	Category of the device from which the session originated.
PanOSSourceDeviceProfile	N/A	N/A	Profile of the device from which the session originated.
PanOSSourceDeviceModel	N/A	N/A	Model of the device from which the session originated.
PanOSSourceDeviceVendor	N/A	N/A	Vendor of the device from which the session originated.
PanOSSourceDeviceOSFamily	N/A	N/A	OS family of the device from which the session originated.
PanOSSourceDeviceOSVersion	N/A	N/A	OS version of the device from which the session originated.
PanOSSourceDeviceHost	N/A	Text/String	Hostname of the device from which the session originated.
PanOSSourceDeviceMac	<smac>	Text/String	MAC Address of the device from which the session originated.
PanOSDestinationDeviceCategory	N/A	N/A	Category of the device to which the session was directed.
PanOSDestinationDeviceProfile	N/A	N/A	Profile of the device to which the session was directed.
PanOSDestinationDeviceModel	N/A	N/A	Model of the device to which the session was directed.
PanOSDestinationDeviceVendor	N/A	N/A	Vendor of the device to which the session was directed.
PanOSDestinationDeviceOSFamily	N/A	N/A	OS family of the device to which the session was directed.
PanOSDestinationDeviceOSVersion	N/A	N/A	OS version of the device to which the session was directed.
PanOSDestinationDeviceHost	<dname>	Text/String	Hostname of the device to which the session was directed.
PanOSDestinationDeviceMac	<dmac>	Text/String	MAC Address of the device to which the session was directed.
PanOSContainerID	N/A	N/A	Unknown field. No information is available at this time.
PanOSContainerNameSpace	N/A	N/A	Container namespace.
PanOSContainerName	N/A	N/A	Container name.
PanOSSourceEDL	N/A	N/A	The name of the external dynamic list that contains the source IP address of the traffic.
PanOSDestinationEDL	N/A	N/A	The name of the external dynamic list that contains the destination IP address of the traffic.
PanOSHostID	N/A	N/A	A unique ID that GlobalProtect assigns to identify the host.
PanOSEndpointSerialNumber	N/A	N/A	Serial number of the host on which GlobalProtect is installed.
PanOSDomainEDL	N/A	N/A	Domain External Dynamic List. That is, the name of the external dynamic list that contains the destination domain of the traffic.
PanOSSourceDynamicAddressGroup	N/A	N/A	The dynamic address group that Device-ID identifies as the source of the traffic.
PanOSDestinationDynamicAddressGroup	N/A	N/A	The dynamic address group that Device-ID identifies as the destination for the traffic.
PanOSPartialHash	N/A	N/A	Machine learning partial hash.
PanOSTimeGeneratedHighResolution	N/A	N/A	Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
PanOSReasonForDataFilteringAction	<reason>	Text/String	Reason for data filtering action.
PanOSJustification	N/A	N/A	Justification string.
PanOSNSSAINetworkSliceType	N/A	N/A	Network Slice Type (SST part of SNSSAI).
PanOSLocation	N/A	N/A	Prisma Access Region/Location.