Threat Event (Palo Alto Cortex Data Lake)
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Threat Event | Base Rule | Activity | General Threat Message |
| Potential Spyware Allowed | Sub Rule | Malware | Possible Spyware Activity |
| Potential Spyware Allowed | Sub Rule | Malware | Possible Spyware Activity |
| User Overrode Spyware Block | Sub Rule | Malware | Possible Spyware Activity |
| User Overrode Spyware Block | Sub Rule | Malware | Possible Spyware Activity |
| Potentially Threatening Spyware Blocked | Sub Rule | Failed Malware | Failed Spyware Activity |
| DLP Event Allowed | Sub Rule | Network Allow | Traffic Allowed by DLP |
| DLP Event Allowed | Sub Rule | Network Allow | Traffic Allowed by DLP |
| User Overrode DLP Block | Sub Rule | Network Allow | Traffic Allowed by DLP |
| User Overrode DLP Block | Sub Rule | Network Allow | Traffic Allowed by DLP |
| DLP Event Denied | Sub Rule | Network Deny | Traffic Denied by DLP |
| Potential Denial of Service Detected | Sub Rule | Denial of Service | Network Denial of Service |
| Potential Denial of Service Blocked | Sub Rule | Failed Denial of Service | Failed Network Denial of Service |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Threatening File Blocked | Sub Rule | Failed Malware | Failed Malware Activity |
| Potentially Threatening Packet Allowed | Sub Rule | Attack | General Attack Activity |
| Potentially Threatening Packet Dropped | Sub Rule | Failed Attack | Failed General Attack Activity |
| Scan Threat Messages | Sub Rule | Activity | General Threat Message |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Threatening File Blocked | Sub Rule | Failed Malware | Failed Malware Activity |
| Potential Vulnerability Exploit Allowed | Sub Rule | Attack | General Attack Activity |
| Vulnerability Exploit Allowed | Sub Rule | Attack | General Attack Activity |
| Vulnerability Exploit Blocked | Sub Rule | Failed Attack | Failed General Attack Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | N/A | N/A | LogType |
| N/A | <vmid> <tag1> | Text/String | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
| start | N/A | N/A | Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
| PanOSApplicationCategory | N/A | N/A | Identifies the high-level family of the application. |
| PanOSApplicationContainer | N/A | N/A | Identifies the managing application or parent of the application associated with this network traffic. |
| PanOSApplicationRisk | N/A | N/A | Indicates how risky the application is from a network security perspective. |
| PanOSApplicationSubcategory | N/A | N/A | Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category. |
| PanOSApplicationTechnology | N/A | N/A | Threat category of the detected threat. |
| PanOSCaptivePortal | N/A | N/A | Indicates if user information for the session was captured through Captive Portal. |
| PanOSCloudHostname | N/A | N/A | The hostname in which the VM-series firewall is running. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSDestinationDeviceClass | N/A | N/A | Destination device class. |
| PanOSDestinationDeviceOS | N/A | N/A | Destination device OS type. |
| dntdom | <domainimpacted> | Text/String | Domain to which the Destination User belongs. |
| dusername | <account> | Text/String | The username to which the network traffic was destined. |
| duid | N/A | N/A | Unique identifier assigned to the Destination User. |
| PanOSHTTPMethod | <command> | Text/String | Describes the HTTP Method used in the web request. |
| PanOSInboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket from which the network traffic was sourced. |
| PanOSInboundInterfaceDetailsSlot | N/A | N/A | Interface slot from which the network traffic was sourced. |
| PanOSInboundInterfaceDetailsType | N/A | N/A | The type of interface from which the network traffic was sourced. |
| PanOSInboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
| PanOSIsClienttoServer | N/A | N/A | Indicates if direction of traffic is from client to server. |
| PanOSIsContainer | N/A | N/A | Indicates if the session is a container page access (Container Page). |
| PanOSIsDecryptMirror | N/A | N/A | Indicates whether decrypted traffic was sent out in clear text through a mirror port. |
| PanOSIsDecrypted | N/A | N/A | Flag that indicates that the session is decrypted. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSIsEncrypted | N/A | N/A | Flag that indicates that the session is encrypted. |
| PanOSIsIPV6 | N/A | N/A | Indicates whether IPV6 was used for the session. |
| PanOSIsMptcpOn | N/A | N/A | Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host. |
| PanOSIsNonStandardDestinationPort | N/A | N/A | Indicates if the destination port is non-standard. |
| PanOSIsPacketCapture | N/A | N/A | Indicates whether the session has a packet capture (PCAP). |
| PanOSIsPhishing | N/A | N/A | Indicates whether enterprise credentials were submitted by an end user. |
| PanOSIsPrismaNetwork | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSIsProxy | N/A | N/A | Indicates whether the SSL session is decrypted (SSL Proxy). |
| PanOSIsReconExcluded | N/A | N/A | Indicates whether source for the flow is on the firewall allow list and not subject to recon protection. |
| PanOSIsSaaSApplication | N/A | N/A | Internal use field. Indicates whether the application associated with this network traffic is a SAAS application. |
| PanOSIsServertoClient | N/A | N/A | Indicates if direction of traffic is from server to client. |
| PanOSIsSourceXForwarded | N/A | N/A | Indicates whether the X-Forwarded-For value from a proxy is in the source user field. |
| PanOSIsSystemReturn | N/A | N/A | Indicates whether symmetric return was used to forward traffic for this session. |
| PanOSIsTransaction | N/A | N/A | Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction). |
| PanOSIsTunnelInspected | N/A | N/A | Indicates whether the payload for the outer tunnel was inspected. |
| PanOSIsURLDenied | N/A | N/A | Indicates whether the session was denied due to a URL filtering rule. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field. Indicates if the log is being forwarded. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data - the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
| PanOSNAT | N/A | N/A | Indicates if the firewall is performing network address translation (NAT) for the logged traffic. |
| PanOSNonStandardDestinationPort | N/A | N/A | Identifies the non-standard or unexpected port used by the application associated with this session. |
| PanOSOutboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket to which the network traffic was sent. |
| PanOSOutboundInterfaceDetailsSlot | N/A | N/A | Interface slot to which the network traffic was sent. |
| PanOSOutboundInterfaceDetailsType | N/A | N/A | The type of interface to which the network traffic was sent. |
| PanOSOutboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
| PanOSPacket | N/A | N/A | Packet that triggered the firewall to generate this threat log record. |
| PanOSPayloadProtocolID | N/A | N/A | The associated Payload Protocol Identifier. |
| PanOSSanctionedStateOfApp | N/A | N/A | Indicates whether the application has been flagged as sanctioned by the firewall administrator. |
| PanOSSeverity | N/A | N/A | Severity as defined by the platform. |
| PanOSSourceDeviceClass | N/A | N/A | Source device class. |
| PanOSSourceDeviceOS | N/A | N/A | Source device OS type. |
| sntdom | <domainorigin> | Text/String | Domain to which the Source User belongs. |
| susername | <login> | Text/String | The username that initiated the network traffic. |
| suid | N/A | N/A | Unique identifier assigned to the Source User. |
| cat | <subject> | Text/String | Threat Name written by the firewall. |
| PanOSThreatNameFirewall | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| PanOSTunneledApplication | N/A | N/A | ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user. |
| PanOSURLDomain | N/A | N/A | The column that correlates the traffic, url and sandbox logs. |
| PanOSUsers | N/A | N/A | Identifies the vendor that produced the data. |
| PanOSVerdict | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| PanOSVirtualSystemID | N/A | N/A | The name of the virtual system associated with the network traffic. |
| c6a2 | N/A | N/A | Source IPv6 Address |
| c6a2Label | N/A | N/A | N/A |
| c6a3 | N/A | N/A | Destination IPv6 Address |
| c6a3Label | N/A | N/A | N/A |
| sourceTranslatedAddress | <snatip> | IP Address | If source NAT was performed, the post-NAT source IP address. |
| destinationTranslatedAddress | <dnatip> | IP Address | If destination NAT performed, the post-NAT destination IP address. |
| cs1 | N/A | N/A | Name of the security policy rule that the network traffic matched. |
| cs1Label | N/A | N/A | |
| susername0 | N/A | N/A | The Source User. That is, the username that initiated the network traffic. |
| dusername0 | N/A | N/A | The Destination User. That is, the username to which the network traffic was destined. |
| app | N/A | N/A | Application associated with the network traffic. |
| cs3 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| cs4 | N/A | N/A | The networking zone from which the traffic originated. |
| cs4Label | N/A | N/A | N/A |
| cs5 | N/A | N/A | Type of tunnel. |
| cs5Label | N/A | N/A | N/A |
| deviceInboundInterface | <sinterface> | Text/String | Interface from which the network traffic was sourced. |
| deviceOutboundInterface | <dinterface> | Text/String | Interface to which the network traffic was destined. |
| cs6 | N/A | N/A | Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator. |
| cs6Label | N/A | N/A | N/A |
| cn1 | N/A | N/A | Identifies the firewall's internal identifier for a specific network session. |
| cn1Label | N/A | N/A | N/A |
| cnt | N/A | N/A | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
| spt | <sport> | Number | Source port utilized by the session. |
| dpt | <dport> | Number | Network traffic's destination port. If this value is 0, then the app is using its standard port. |
| sourceTranslatedPort | <snatport> | Number | Post-NAT source port. |
| destinationTranslatedPort | <dnatport> | Number | Post-NAT destination port. |
| proto | <protname> | Text/String | IP protocol associated with the session. |
| act | <action> <tag2> | Text/String | Identifies the action that the firewall took for the network traffic. |
| request | <object> | Text/String | The name of the infected file when the threat is 'virus'. |
| PanOSThreatID | <threatname> <threatid> | Text/String/Number | Palo Alto Networks textual identifier for the threat. |
| flexString2 | N/A | N/A | Indicates the direction of the attack. |
| flexString2Label | N/A | N/A | N/A |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSSourceLocation | N/A | N/A | Source country or internal region for private addresses. |
| PanOSDestinationLocation | N/A | N/A | Destination country or internal region for private addresses. |
| fileId | N/A | N/A | Packet capture ID. Used to correlate threat pcap files with extended pcaps taken as a part of the session flow. |
| PanOSFileHash | <hash> | Text/String | The binary hash (SHA256) of the file sent for virus analysis. |
| PanOSApplianceOrCloud | N/A | N/A | FQDN of either the appliance (private) or the cloud (public) from where the file was uploaded for analysis. |
| PanOSURLCounter | N/A | N/A | Source/Destination user. If neither is available, source_ip is used. |
| PanOSFileType | <objecttype> | Text/String | The type of the file sent for virus analysis. |
| PanOSSenderEmail | <sender> | Text/String | Identifies the sender of an email that sandbox determined to be malicious when it was analyzing an email link forwarded by the firewall. |
| PanOSEmailSubject | <subject> | Text/String | The networking technology used by the identified application. |
| PanOSRecipientEmail | <receipent> | Text/String | Identifies the recipient of an email that sandbox determined to be malicious when it was analyzing an email link forwarded by the firewall. |
| PanOSReportID | N/A | N/A | Identifies the analysis requested from the sandbox (cloud or appliance). |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | X-Forwarded-For IP. |
| dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
| PanOSSourceUUID | N/A | N/A | Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. |
| PanOSDestinationUUID | N/A | N/A | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. |
| PanOSIMSI | N/A | N/A | The name of the internet domain that was visited in this session. |
| PanOSIMEI | N/A | N/A | A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator. |
| PanOSParentSessionID | N/A | N/A | ID of the session in which this network traffic was tunneled. |
| PanOSParentStarttime | N/A | N/A | Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| PanOSTunnel | N/A | N/A | For internal use only. |
| PanOSThreatCategory | N/A | N/A | Numerical identifier for the threat type. |
| PanOSContentVersion | N/A | N/A | Applications and Threats version installed on the firewall when the log was generated. |
| PanOSSigFlags | N/A | N/A | Internal use only. |
| PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
| PanOSHTTP2Connection | N/A | N/A | Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0. |
| PanOSDynamicUserGroupName | N/A | N/A | Dynamic user group of the user who initiated the network connection. |
| PanOSX-Forwarded-ForIP | N/A | N/A | X-Forwarded-For IP. |
| PanOSSourceDeviceCategory | N/A | N/A | Category of the device from which the session originated. |
| PanOSSourceDeviceProfile | N/A | N/A | Profile of the device from which the session originated. |
| PanOSSourceDeviceModel | N/A | N/A | Model of the device from which the session originated. |
| PanOSSourceDeviceVendor | N/A | N/A | Vendor of the device from which the session originated. |
| PanOSSourceDeviceOSFamily | N/A | N/A | OS family of the device from which the session originated. |
| PanOSSourceDeviceOSVersion | N/A | N/A | OS version of the device from which the session originated. |
| PanOSSourceDeviceHost | <sname> | Text/String | Hostname of the device from which the session originated. |
| PanOSSourceDeviceMac | <smac> | Text/String/Number | MAC Address of the device from which the session originated. |
| PanOSDestinationDeviceCategory | N/A | N/A | Category of the device to which the session was directed. |
| PanOSDestinationDeviceProfile | N/A | N/A | Profile of the device to which the session was directed. |
| PanOSDestinationDeviceModel | N/A | N/A | Model of the device to which the session was directed. |
| PanOSDestinationDeviceVendor | N/A | N/A | Vendor of the device to which the session was directed. |
| PanOSDestinationDeviceOSFamily | N/A | N/A | OS family of the device to which the session was directed. |
| PanOSDestinationDeviceOSVersion | N/A | N/A | OS version of the device to which the session was directed. |
| PanOSDestinationDeviceHost | <dname> | Text/String | Hostname of the device to which the session was directed. |
| PanOSDestinationDeviceMac | <dmac> | Text/String/Number | MAC Address of the device to which the session was directed. |
| PanOSContainerID | N/A | N/A | Unknown field. No information is available at this time. |
| PanOSContainerNameSpace | N/A | N/A | Container namespace. |
| PanOSSourceEDL | N/A | N/A | The name of the external dynamic list that contains the source IP address of the traffic. |
| PanOSDestinationEDL | N/A | N/A | The name of the external dynamic list that contains the destination IP address of the traffic. |
| PanOSHostID | N/A | N/A | A unique ID that GlobalProtect assigns to identify the host. |
| PanOSEndpointSerialNumber | N/A | N/A | Serial number of the host on which GlobalProtect is installed. |
| PanOSDomainEDL | N/A | N/A | Domain External Dynamic List. That is, the name of the external dynamic list that contains the destination domain of the traffic. |
| PanOSSourceDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the source of the traffic. |
| PanOSDestinationDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the destination for the traffic. |
| PanOSPartialHash | N/A | N/A | Machine learning partial hash. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Networking zone to which the traffic was sent. |
| PanOSNSSAINetworkSliceType | N/A | N/A | Network Slice Type (SST part of SNSSAI). |