Skip to main content
Skip table of contents

File Threat Messages

Vendor Documentation

Classification

Rule NameRule TypeClassificationCommon Event
File Threat MessagesBase RuleActivityGeneral Threat Message
Potentially Threatening File AlertSub RuleActivityPotentially Threatening File Observed
Potentially Threatening File AllowedSub RuleActivityPotentially Threatening File Observed
User Continue File BlockSub RuleActivityPotentially Threatening File Observed
User Override File BlockSub RuleActivityPotentially Threatening File Observed
Potentially Threatening File BlockedSub RuleFailed ActivityThreat Blocked

Mapping with LogRhythm Schema

Device Key in Log Message

LogRhythm SchemaData TypeSchema Description
 N/A N/AN/AdeviceVendor
 N/A N/AN/AdeviceProduct
 N/A N/AN/AVersion
N/A  N/AN/ALogType
N/A <vmid>Text/StringSubType
 N/A<severity>NumberdeviceSeverity
ProfileToken N/AN/A N/A
dtzN/A N/A N/A
rtN/A N/ATime the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
deviceExternalId<serialnumber>Text/StringID that uniquely identifies the source of the log - serial number of the firewall that generated the log.
PanOSConfigVersionN/A N/AVersion number of the firewall operating system that wrote this log record.
PanOSApplicationCategory<subject>Text/StringIdentifies the high-level family of the application.
PanOSApplicationContainerN/AN/AIdentifies the managing application or parent of the application associated with this network traffic.
PanOSApplicationRiskN/AN/AIndicates how risky the application is from a network security perspective.
PanOSApplicationSubcategoryN/AN/AIdentifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category.
PanOSApplicationTechnologyN/AN/AThe networking technology used by the identified application.
PanOSCaptivePortalN/AN/AIndicates if user information for the session was captured through Captive Portal.
PanOSCloudHostnameN/AN/AThe hostname in which the VM-series firewall is running.
PanOSCortexDataLakeTenantIDN/AN/AThe ID that uniquely identifies the Cortex Data Lake instance which received this log record.
PanOSDLPVersionFlagN/AN/AIndicates whether these are old or new data filtering logs.
PanOSDestinationDeviceClassN/AN/ADestination device class.
PanOSDestinationDeviceOSN/AN/ADestination device OS type.
dntdom<domainimpacted>Text/StringDomain to which the Destination User belongs.
dusername<account>Text/StringThe Destination User. That is, the username to which the network traffic was destined.
duid
N/AUnique identifier assigned to the Destination User.
PanOSFileType<objecttype>Text/StringPalo Alto Networks textual identifier for the threat.
PanOSInboundInterfaceDetailsPortN/AN/AHardware port or socket from which the network traffic was sourced.
PanOSInboundInterfaceDetailsSlotN/AN/AInterface slot from which the network traffic was sourced.
PanOSInboundInterfaceDetailsTypeN/AN/AThe type of interface from which the network traffic was sourced.
PanOSInboundInterfaceDetailsUnitN/AN/AInternal use.
PanOSIsClienttoServerN/AN/AIndicates if direction of traffic is from client to server.
PanOSIsContainerN/AN/AIndicates if the session is a container page access (Container Page).
PanOSIsDecryptMirrorN/AN/AIndicates whether decrypted traffic was sent out in clear text through a mirror port.
PanOSIsDecryptedN/AN/AFlag that indicates that the session is decrypted.
PanOSIsDuplicateLogN/AN/AIndicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
PanOSIsEncryptedN/AN/AFlag that indicates that the session is encrypted.
PanOSIsIPV6N/AN/AIndicates whether IPV6 was used for the session.
PanOSIsMptcpOnN/AN/AIndicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
PanOSIsNonStandardDestinationPortN/AN/AIndicates if the destination port is non-standard.
PanOSIsPacketCaptureN/AN/AIndicates whether the session has a packet capture (PCAP).
PanOSIsPhishingN/AN/AIndicates whether enterprise credentials were submitted by an end user.
PanOSIsPrismaNetworkN/AN/AInternal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
PanOSIsPrismaUsersN/AN/AInternal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
PanOSIsProxyN/AN/AIndicates whether the SSL session is decrypted (SSL Proxy).
PanOSIsReconExcludedN/AN/AIndicates whether source for the flow is on the firewall allow list and not subject to recon protection.
PanOSIsSaaSApplicationN/AN/AInternal use field. Indicates whether the application associated with this network traffic is a SAAS application.
PanOSIsServertoClientN/AN/AIndicates if direction of traffic is from server to client.
PanOSIsSourceXForwardedN/AN/AIndicates whether the X-Forwarded-For value from a proxy is in the source user field.
PanOSIsSystemReturnN/AN/AIndicates whether symmetric return was used to forward traffic for this session.
PanOSIsTransactionN/AN/AIndicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
PanOSIsTunnelInspectedN/AN/AIndicates whether the payload for the outer tunnel was inspected.
PanOSIsURLDeniedN/AN/AIndicates whether the session was denied due to a URL filtering rule.
PanOSLogExportedN/AN/AIndicates if this log was exported from the firewall using the firewall's log export function.
PanOSLogForwardedN/AN/AInternal-use field that indicates if the log is being forwarded.
PanOSLogSourceN/AN/AIdentifies the origin of the data - the system that produced the data.
PanOSLogSourceTimeZoneOffsetN/AN/ATime Zone offset from GMT of the source of the log.
PanOSNATN/AN/AIndicates if the firewall is performing network address translation (NAT) for the logged traffic.
PanOSNonStandardDestinationPortN/AN/AIdentifies the non-standard or unexpected port used by the application associated with this session.
PanOSOutboundInterfaceDetailsPortN/AN/AHardware port or socket to which the network traffic was sent.
PanOSOutboundInterfaceDetailsSlotN/AN/AInterface slot to which the network traffic was sent.
PanOSOutboundInterfaceDetailsTypeN/AN/AThe type of interface to which the network traffic was sent.
PanOSOutboundInterfaceDetailsUnitN/AN/AInternal use.
PanOSPacketN/AN/APacket that triggered the firewall to generate this threat log record.
PanOSProfileNameN/AN/AData filtering profile name.
PanOSSanctionedStateOfAppN/AN/AIndicates whether the application has been flagged as sanctioned by the firewall administrator.
PanOSSeverityN/AN/ASeverity as defined by the platform.
PanOSSourceDeviceClassN/AN/ASource device class.
PanOSSourceDeviceOSN/AN/ASource device OS type.
sntdom<domainorigin>Text/StringDomain to which the Source User belongs.
susername<domainorigin>\<login>Text/StringThe Source User. That is, the username that initiated the network traffic.
suid N/AN/AUnique identifier assigned to the Source User.
PanOSThreatCategoryN/A N/AThreat category of the detected threat.
PanOSThreatNameFirewall<threatname>Text/StringThreat Name written by the firewall.
PanOSTunneledApplication N/AN/AFor internal use only.
PanOSURLN/A N/AThe name of the internet domain that was visited in this session.
PanOSUsersN/A N/ASource/Destination user. If neither is available, source_ip is used.
PanOSVirtualSystemIDN/A N/AA unique identifier for a virtual system on a Palo Alto Networks firewall.
start N/AN/ATime when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
src<sip>IP AddressOriginal source IP address.
dst<dip>IP AddressOriginal destination IP address.
sourceTranslatedAddress<snatip>IP AddressIf source NAT was performed, the post-NAT source IP address.
destinationTranslatedAddress<dnatip>IP AddressIf destination NAT performed, the post-NAT destination IP address.
cs1 N/AN/AName of the security policy rule that the network traffic matched.
cs1LabelN/A N/A
susername0<domainorigin><login>Text/StringThe username that initiated the network traffic.
dusername0<account>Text/StringThe username to which the network traffic was destined.
appN/AN/AApplication associated with the network traffic.
cs3N/AN/AString representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
cs3LabelN/AN/A N/A
cs4N/AN/AThe networking zone from which the traffic originated.
cs4LabelN/AN/A N/A
cs5N/AN/ANetworking zone to which the traffic was sent.
cs5LabelN/AN/A N/A
deviceInboundInterface<sinterface>Text/StringInterface from which the network traffic was sourced.
deviceOutboundInterface<dinterface>Text/StringInterface to which the network traffic was destined.
cs6 N/AN/ALog forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
cs6LabelN/A N/A N/A
cn1<session>NumberIdentifies the firewall's internal identifier for a specific network session.
cn1Label
N/AN/A 
cnt<quantity>NumberNumber of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
spt<sport>NumberSource port utilized by the session.
dpt<dport>NumberNetwork traffic's destination port. If this value is 0, then the app is using its standard port.
sourceTranslatedPort<snatport>NumberPost-NAT source port.
destinationTranslatedPort<dnatport>NumberPost-NAT destination port.
proto<protname>Text/StringIP protocol associated with the session.
act<action>
<tag1>
Text/StringIdentifies the action that the firewall took for the network traffic.
filePath<object>Text/StringThe name of the file that is blocked.
cs2N/AN/AThe URL category.
cs2LabelN/AN/A N/A
flexString2N/AN/AIndicates the direction of the attack.
flexString2LabelN/AN/A N/A
externalIdN/AN/AThe log entry identifier, which is incremented sequentially. Each log type has a unique number space.
PanOSSourceLocationN/AN/ASource country or internal region for private addresses.
PanOSDestinationLocationN/AN/ADestination country or internal region for private addresses.
fileIdN/AN/APacket capture ID. Used to correlate threat pcap files with extended pcaps taken as a part of the session flow.
PanOSFileHash<hash>Text/StringThe binary hash (SHA256) of the file.
PanOSReportIDN/AN/AIdentifies the analysis requested from the sandbox (cloud or appliance).
PanOSDGHierarchyLevel1N/AN/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel2N/AN/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel3N/AN/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel4N/AN/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSVirtualSystemNameN/AN/AThe name of the virtual system associated with the network traffic.
dvchostN/AN/AName of the source of the log - hostname of the firewall that logged the network traffic.
PanOSSourceUUIDN/AN/AIdentifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
PanOSDestinationUUIDN/AN/AIdentifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
PanOSIMSIN/AN/AID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
PanOSIMEIN/AN/AA string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
PanOSParentSessionIDN/AN/AID of the session in which this network traffic was tunneled.
PanOSParentStartTimeN/AN/ATime that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
PanOSTunnelN/AN/AType of tunnel.
PanOSContentVersionN/AN/AApplications and Threats version installed on the firewall when the log was generated.
PanOSSigFlagsN/AN/AInternal use only.
PanOSRuleUUIDN/AN/AUnique identifier for the security policy rule that the network traffic matched.
PanOSHTTP2ConnectionN/AN/AParent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0.
PanOSDynamicUserGroup<group>Text/StringDynamic user group of the user who initiated the network connection.
PanOSX-Forwarded-ForIPN/AN/AX-Forwarded-For IP.
PanOSSourceDeviceCategoryN/AN/ACategory of the device from which the session originated.
PanOSSourceDeviceProfileN/AN/AProfile of the device from which the session originated.
PanOSSourceDeviceModelN/AN/AModel of the device from which the session originated.
PanOSSourceDeviceVendorN/AN/AVendor of the device from which the session originated.
PanOSSourceDeviceOSFamilyN/AN/AOS family of the device from which the session originated.
PanOSSourceDeviceOSVersionN/AN/AOS version of the device from which the session originated.
PanOSSourceDeviceHostN/AText/StringHostname of the device from which the session originated.
PanOSSourceDeviceMac<smac>Text/StringMAC Address of the device from which the session originated.
PanOSDestinationDeviceCategoryN/AN/ACategory of the device to which the session was directed.
PanOSDestinationDeviceProfileN/AN/AProfile of the device to which the session was directed.
PanOSDestinationDeviceModelN/AN/AModel of the device to which the session was directed.
PanOSDestinationDeviceVendorN/AN/AVendor of the device to which the session was directed.
PanOSDestinationDeviceOSFamilyN/AN/AOS family of the device to which the session was directed.
PanOSDestinationDeviceOSVersionN/AN/AOS version of the device to which the session was directed.
PanOSDestinationDeviceHost<dname>Text/StringHostname of the device to which the session was directed.
PanOSDestinationDeviceMac<dmac>Text/StringMAC Address of the device to which the session was directed.
PanOSContainerIDN/AN/AUnknown field. No information is available at this time.
PanOSContainerNameSpaceN/AN/AContainer namespace.
PanOSContainerNameN/AN/AContainer name.
PanOSSourceEDLN/AN/AThe name of the external dynamic list that contains the source IP address of the traffic.
PanOSDestinationEDLN/AN/AThe name of the external dynamic list that contains the destination IP address of the traffic.
PanOSHostIDN/AN/AA unique ID that GlobalProtect assigns to identify the host.
PanOSEndpointSerialNumberN/AN/ASerial number of the host on which GlobalProtect is installed.
PanOSDomainEDLN/AN/ADomain External Dynamic List. That is, the name of the external dynamic list that contains the destination domain of the traffic.
PanOSSourceDynamicAddressGroupN/AN/AThe dynamic address group that Device-ID identifies as the source of the traffic.
PanOSDestinationDynamicAddressGroupN/AN/AThe dynamic address group that Device-ID identifies as the destination for the traffic.
PanOSPartialHashN/AN/AMachine learning partial hash.
PanOSTimeGeneratedHighResolutionN/AN/ATime the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
PanOSReasonForDataFilteringAction<reason>Text/StringReason for data filtering action.
PanOSJustificationN/AN/AJustification string.
PanOSNSSAINetworkSliceTypeN/AN/ANetwork Slice Type (SST part of SNSSAI).
PanOSLocationN/AN/APrisma Access Region/Location.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.