SCTP Messages

Vendor Documentation

https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference/network-logs/network-sctp-log/network-sctp-cef-fields.html

Classification

Rule Name	Rule Type	Classification	Common Event
SCTP Messages	Base Rule	Network Traffic	General Network Traffic
Traffic Allowed	Sub Rule	Network Allow	Traffic Allowed by Network Firewall
Traffic Denied	Sub Rule	Network Deny	Traffic Denied by Network Firewall

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
N/A	N/A	N/A	deviceVendor
N/A	N/A	N/A	deviceProduct
N/A	N/A	N/A	Version
N/A	<vmid>	Text/String	LogType
N/A	N/A	N/A	SubType
N/A	<severity>	Number	deviceSeverity
ProfileToken	N/A	N/A	N/A
dtz	N/A	N/A	N/A
rt	N/A	N/A	Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
deviceExternalId	<serialnumber>	Text/String/Number	ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
PanOSCaptivePortal	N/A	N/A	Indicates if user information for the session was captured through Captive Portal.
PanOSContentVersion	N/A	N/A	Version of the content on the firewall.
PanOSCortexDataLakeTenantID	N/A	N/A	The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
PanOSDestinationDeviceClass	N/A	N/A	Destination device class.
PanOSDestinationDeviceMac	<dmac>	Text/String	Destination device MAC address.
PanOSDestinationDeviceModel	N/A	N/A	Destination device model.
PanOSDestinationDeviceOS	N/A	N/A	Destination device OS type.
PanOSDestinationDeviceVendor	N/A	N/A	Destination device vendor.
PanOSDestinationLocation	N/A	N/A	Destination country or internal region for private addresses.
PanOSDestinationUUID	N/A	N/A	Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
PanOSDestinationUserDomain	<domainimpacted>	Text/String	Domain to which the Destination User belongs.
PanOSDestinationUserName	<account>	Text/String	The Destination User. That is, the username to which the network traffic was destined.
PanOSDestinationUserUUID	N/A	N/A	Unique identifier assigned to the Destination User.
PanOSInboundInterfaceDetailsPort	N/A	N/A	Hardware port or socket from which the network traffic was sourced.
PanOSInboundInterfaceDetailsSlot	N/A	N/A	Interface slot from which the network traffic was sourced.
PanOSInboundInterfaceDetailsType	N/A	N/A	The type of interface from which the network traffic was sourced.
PanOSInboundInterfaceDetailsUnit	N/A	N/A	Internal use.
PanOSIsClienttoServer	N/A	N/A	Indicates if direction of traffic is from client to server.
PanOSIsContainer	N/A	N/A	Indicates if the session is a container page access (Container Page).
PanOSIsDecryptMirror	N/A	N/A	Indicates whether decrypted traffic was sent out in clear text through a mirror port.
PanOSIsDecryptedLog	N/A	N/A	Unknown field. No information is available at this time.
PanOSIsDecryptedPayloadForward	N/A	N/A	Unknown field. No information is available at this time.
PanOSIsDuplicateLog	N/A	N/A	Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
PanOSIsIPV6	N/A	N/A	Indicates whether IPV6 was used for the session.
PanOSIsInspectrionBeforeSession	N/A	N/A	Unknown field. No information is available at this time.
PanOSIsMptcpOn	N/A	N/A	Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
PanOSIsNonStandardDestinationPort	N/A	N/A	Indicates if the destination port is non-standard.
PanOSIsPacketCapture	N/A	N/A	Indicates whether the session has a packet capture (PCAP).
PanOSIsPhishing	N/A	N/A	Indicates whether enterprise credentials were submitted by an end user.
PanOSIsPrismaNetwork	N/A	N/A	Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
PanOSIsPrismaUsers	N/A	N/A	Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
PanOSIsProxy	N/A	N/A	Indicates whether the SSL session is decrypted (SSL Proxy).
PanOSIsReconExcluded	N/A	N/A	Indicates whether source for the flow is on the firewall allow list and not subject to recon protection.
PanOSIsServertoClient	N/A	N/A	Indicates if direction of traffic is from server to client.
PanOSIsSourceXForwarded	N/A	N/A	Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
PanOSIsSystemReturn	N/A	N/A	Indicates whether symmetric return was used to forward traffic for this session.
PanOSIsTransaction	N/A	N/A	Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
PanOSIsTunnelInspected	N/A	N/A	Indicates whether the payload for the outer tunnel was inspected.
PanOSIsURLDenied	N/A	N/A	Indicates whether the session was denied due to a URL filtering rule.
PanOSLogExported	N/A	N/A	Indicates if this log was exported from the firewall using the firewall's log export function.
PanOSLogForwarded	N/A	N/A	Internal-use field that indicates if the log is being forwarded.
PanOSLogSource	N/A	N/A	Identifies the origin of the data. That is, the system that produced the data.
PanOSLogSourceTimeZoneOffset	N/A	N/A	Time Zone offset from GMT of the source of the log.
PanOSNAT	N/A	N/A	Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
PanOSOutboundInterfaceDetailsPort	N/A	N/A	Hardware port or socket to which the network traffic was sent.
PanOSOutboundInterfaceDetailsSlot	N/A	N/A	Interface slot to which the network traffic was sent.
PanOSOutboundInterfaceDetailsType	N/A	N/A	The type of interface to which the network traffic was sent.
PanOSOutboundInterfaceDetailsUnit	N/A	N/A	Internal use.
PanOSSessionEndReason	<reason>	Text/String	The reason a session terminated.
PanOSSessionOwnerMidx	N/A	N/A	Unknown field. No information is available at this time.
PanOSSessionTracker	N/A	N/A	Unknown field. No information is available at this time.
PanOSSeverity	N/A	N/A	Severity as defined by the platform.
PanOSSourceDeviceClass	N/A	N/A	Source device class.
PanOSSourceDeviceMac	<smac>	Text/String	Source device MAC address.
PanOSSourceDeviceModel	N/A	N/A	Source device model.
PanOSSourceDeviceOS	N/A	N/A	Source device OS type.
PanOSSourceDeviceVendor	N/A	N/A	Source device vendor.
PanOSSourceLocation	N/A	N/A	Source country or internal region for private addresses.
PanOSSourceUUID	N/A	N/A	Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
PanOSSourceUserDomain	<domainorigin>	Text/String	Domain to which the Source User belongs.
PanOSSourceUserName	<login>	Text/String	The Source User. That is, the username that initiated the network traffic.
PanOSSourceUserUUID	N/A	N/A	Unique identifier assigned to the Source User.
PanOSTunnel	N/A	N/A	Type of tunnel.
PanOSVirtualSystemID	N/A	N/A	A unique identifier for a virtual system on a Palo Alto Networks firewall.
PanOSConfigVersion	N/A	N/A	Version number of the firewall operating system that wrote this log record.
start	N/A	N/A	Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
src	<sip>	IP Address	Original source IP address.
dst	<dip>	IP Address	Original destination IP address.
PanOSNATSource	<snatip>	IP Address	If source NAT was performed, the post-NAT source IP address.
PanOSNATDestination	<dnatip>	IP Address	If destination NAT performed, the post-NAT destination IP address.
cs1	<policy>	Text/String	Name of the security policy rule that the network traffic matched.
cs1Label	N/A	N/A
PanOSSourceUser	N/A	N/A	The username that initiated the network traffic.
PanOSDestinationUser	N/A	N/A	The username to which the network traffic was destined.
PanOSApplication	N/A	N/A	Application associated with the network traffic.
cs3	N/A	N/A	String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
cs3Label	N/A	N/A
cs4	N/A	N/A	The networking zone from which the traffic originated.
cs4Label	N/A	N/A
cs5	N/A	N/A	Networking zone to which the traffic was sent.
cs5Label	N/A	N/A
PanOSInboundInterface	<sinterface>	Text/String	Interface from which the network traffic was sourced.
deviceOutboundInterface	<dinterface>	Text/String	Interface to which the network traffic was destined.
cs6	N/A	N/A	Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
cs6Label	N/A	N/A
PanOSSessionID	<session>	Number	Identifies the firewall's internal identifier for a specific network session.
cnt	<quantity>	Number	Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
spt	<sport>	Number	Source port utilized by the session.
dpt	<dport>	Number	Network traffic's destination port. If this value is 0, then the app is using its standard port.
PanOSNATSourcePort	<snatport>	Number	Post-NAT source port.
PanOSNATDestinationPort	<dnatport>	Number	Post-NAT destination port.
proto	<protname>	Text/String	IP protocol associated with the session.
act	<action> <tag1>	Text/String	Identifies the action that the firewall took for the network traffic.
PanOSDGHierarchyLevel1	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel2	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel3	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel4	N/A	N/A	A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSVirtualSystemName	N/A	N/A	The name of the virtual system associated with the network traffic.
dvchost	N/A	N/A	Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
externalId	N/A	N/A	The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
PanOSEndpointAssociationID	N/A	N/A	The ID assigned to the endpoint association used for the SCTP network traffic.
PanOSPayloadProtocolID	N/A	N/A	The Payload Protocol Identifier (PPID) associated with the SCTP data chunk.
PanOSSctpChunkType	N/A	N/A	Type of information contained in the SCTP data chunk.
PanOSSCTPEventType	<subject>	Text/String	The SCTP event notification type set for this message.
PanOSEventCode	N/A	N/A	The SCTP event notification code set for this message.
PanOSVerificationTag1	N/A	N/A	The verification tag set for the SCTP packet.
PanOSVerificationTag2	N/A	N/A	The verification tag set for the SCTP packet.
PanOSSctpCauseCode	N/A	N/A	The error cause code found in the SCTP message.
PanOSDiamAppID	N/A	N/A	The IANA ID assigned to the Diameter application associated with this network traffic.
PanOSDiameterCommandCode	N/A	N/A	The Diameter command code used by this network traffic.
PanOSDiamAvpCode	N/A	N/A	The AVP code used by the Diameter application associated with this network traffic.
PanOSStreamID	N/A	N/A	Identifies the firewall's internal identifier for the SCTP stream.
PanOSAssocationEndReason	N/A	N/A	The reason the session terminated. If the termination had multiple reasons, only the highest priority reason is identified here.
PanOSMapAppCode	N/A	N/A	Mobile Application Part (MAP) operation code used for this network traffic.
PanOSSccpCallingSSN	N/A	N/A	The subsystem number (SSN) specified in the called party address used for this SCCP protocol message.
PanOSSccpCallingGt	N/A	N/A	The Global Title (GT) specified in the called party address used for this SCCP protocol message.
PanOSSctpFilter	N/A	N/A	The SCTP filter that the firewall applied to this network traffic.
PanOSChunksTotal	N/A	N/A	The total number of SCTP data chunks in the network traffic.
PanOSChunksSent	N/A	N/A	The total number of SCTP data chunks in the client-to-server network traffic.
PanOSChunksReceived	N/A	N/A	The total number of SCTP data chunks in the server-to-client network traffic.
PanOSPacketsTotal	N/A	N/A	Number of total packets (transmit and receive) seen for the session.
PanOSPacketsSent	<packetsin>	Number	Number of client-to-server packets for the session.
PanOSPacketsReceived	<packetsout>	Number	Number of server-to-client packets for the session.
PanOSRuleUUID	N/A	N/A	Unique identifier for the security policy rule that the network traffic matched.
PanOSContainerID	N/A	N/A	Unknown field. No information is available at this time.
PanOSContainerNameSpace	N/A	N/A	Container namespace.
PanOSContainerName	N/A	N/A	Container name.
PanOSSourceEDL	N/A	N/A	The name of the external dynamic list that contains the source IP address of the traffic.
PanOSDestinationEDL	N/A	N/A	The name of the external dynamic list that contains the destination IP address of the traffic.
PanOSSourceDynamicAddressGroup	N/A	N/A	The dynamic address group that Device-ID identifies as the source of the traffic.
PanOSDestinationDynamicAddressGroup	N/A	N/A	The dynamic address group that Device-ID identifies as the destination for the traffic.
PanOSTimeGeneratedHighResolution	N/A	N/A	Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
PanOSVendorSeverity	N/A	N/A	Severity associated with the event.