Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Threat Event | Base Rule | Activity | General Threat Message |
| Potential Spyware Allowed | Sub Rule | Malware | Possible Spyware Activity |
| Potential Spyware Allowed | Sub Rule | Malware | Possible Spyware Activity |
| User Overrode Spyware Block | Sub Rule | Malware | Possible Spyware Activity |
| User Overrode Spyware Block | Sub Rule | Malware | Possible Spyware Activity |
| Potentially Threatening Spyware Blocked | Sub Rule | Failed Malware | Failed Spyware Activity |
| DLP Event Allowed | Sub Rule | Network Allow | Traffic Allowed by DLP |
| DLP Event Allowed | Sub Rule | Network Allow | Traffic Allowed by DLP |
| User Overrode DLP Block | Sub Rule | Network Allow | Traffic Allowed by DLP |
| User Overrode DLP Block | Sub Rule | Network Allow | Traffic Allowed by DLP |
| DLP Event Denied | Sub Rule | Network Deny | Traffic Denied by DLP |
| Potential Denial of Service Detected | Sub Rule | Denial of Service | Network Denial of Service |
| Potential Denial of Service Blocked | Sub Rule | Failed Denial of Service | Failed Network Denial of Service |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Threatening File Blocked | Sub Rule | Failed Malware | Failed Malware Activity |
| Potentially Threatening Packet Allowed | Sub Rule | Attack | General Attack Activity |
| Potentially Threatening Packet Dropped | Sub Rule | Failed Attack | Failed General Attack Activity |
| Scan Threat Messages | Sub Rule | Activity | General Threat Message |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Threatening File Blocked | Sub Rule | Failed Malware | Failed Malware Activity |
| Potential Vulnerability Exploit Allowed | Sub Rule | Attack | General Attack Activity |
| Vulnerability Exploit Allowed | Sub Rule | Attack | General Attack Activity |
| Vulnerability Exploit Blocked | Sub Rule | Failed Attack | Failed General Attack Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| deviceVendor | N/A | N/A | CEF header field; not mapped. |
| deviceProduct | N/A | N/A | CEF header field; not mapped. |
| Version | N/A | N/A | CEF header field; not mapped. |
| LogType | N/A | N/A | CEF header field; not mapped. |
| SubType | <vmid> | Text/String | CEF header field (log subtype). |
| deviceSeverity | <severity> | Number | CEF header field (severity). |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated the log. |
| start | N/A | N/A | Time the log was generated in the data plane, with sub-second granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
| PanOSApplicationCategory | N/A | N/A | Identifies the high-level family of the application. |
| PanOSApplicationContainer | N/A | N/A | Identifies the managing application or parent of the application associated with this network traffic. |
| PanOSApplicationRisk | N/A | N/A | Indicates how risky the application is from a network security perspective. |
| PanOSApplicationSubcategory | N/A | N/A | Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category. |
| PanOSApplicationTechnology | N/A | N/A | The networking technology used by the identified application. |
| PanOSCaptivePortal | N/A | N/A | Indicates whether user information for the session was captured through Captive Portal. |
| PanOSCloudHostname | N/A | N/A | Hostname of the host on which the VM-Series firewall is running. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSDestinationDeviceClass | N/A | N/A | Destination device class. |
| PanOSDestinationDeviceOS | N/A | N/A | Destination device OS type. |
| dntdom | <domainimpacted> | Text/String | Domain to which the destination user belongs. |
| dusername | <account> | Text/String | The username to which the network traffic was destined. |
| duid | N/A | N/A | Unique identifier assigned to the destination user. |
| PanOSHTTPMethod | <command> | Text/String | The HTTP method used in the web request. |
| PanOSInboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket from which the network traffic was sourced. |
| PanOSInboundInterfaceDetailsSlot | N/A | N/A | Interface slot from which the network traffic was sourced. |
| PanOSInboundInterfaceDetailsType | N/A | N/A | The type of interface from which the network traffic was sourced. |
| PanOSInboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
| PanOSIsClienttoServer | N/A | N/A | Indicates whether the direction of traffic is from client to server. |
| PanOSIsContainer | N/A | N/A | Indicates whether the session is a container page access (Container Page). |
| PanOSIsDecryptMirror | N/A | N/A | Indicates whether decrypted traffic was sent out in clear text through a mirror port. |
| PanOSIsDecrypted | N/A | N/A | Flag that indicates that the session is decrypted. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premises log collector. |
| PanOSIsEncrypted | N/A | N/A | Flag that indicates that the session is encrypted. |
| PanOSIsIPV6 | N/A | N/A | Indicates whether IPv6 was used for the session. |
| PanOSIsMptcpOn | N/A | N/A | Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host. |
| PanOSIsNonStandardDestinationPort | N/A | N/A | Indicates whether the destination port is non-standard. |
| PanOSIsPacketCapture | N/A | N/A | Indicates whether the session has a packet capture (PCAP). |
| PanOSIsPhishing | N/A | N/A | Indicates whether enterprise credentials were submitted by an end user. |
| PanOSIsPrismaNetwork | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premises. |
| PanOSIsPrismaUsers | N/A | N/A | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premises. |
| PanOSIsProxy | N/A | N/A | Indicates whether the SSL session is decrypted (SSL Proxy). |
| PanOSIsReconExcluded | N/A | N/A | Indicates whether the source of the flow is on the firewall allow list and not subject to recon protection. |
| PanOSIsSaaSApplication | N/A | N/A | Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application. |
| PanOSIsServertoClient | N/A | N/A | Indicates whether the direction of traffic is from server to client. |
| PanOSIsSourceXForwarded | N/A | N/A | Indicates whether the X-Forwarded-For value from a proxy is in the source user field. |
| PanOSIsSystemReturn | N/A | N/A | Indicates whether symmetric return was used to forward traffic for this session. |
| PanOSIsTransaction | N/A | N/A | Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction). |
| PanOSIsTunnelInspected | N/A | N/A | Indicates whether the payload for the outer tunnel was inspected. |
| PanOSIsURLDenied | N/A | N/A | Indicates whether the session was denied due to a URL filtering rule. |
| PanOSLogExported | N/A | N/A | Indicates whether this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field. Indicates whether the log is being forwarded. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data, that is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time zone offset from GMT of the source of the log. |
| PanOSNAT | N/A | N/A | Indicates whether the firewall is performing network address translation (NAT) for the logged traffic. |
| PanOSNonStandardDestinationPort | N/A | N/A | Identifies the non-standard or unexpected port used by the application associated with this session. |
| PanOSOutboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket to which the network traffic was sent. |
| PanOSOutboundInterfaceDetailsSlot | N/A | N/A | Interface slot to which the network traffic was sent. |
| PanOSOutboundInterfaceDetailsType | N/A | N/A | The type of interface to which the network traffic was sent. |
| PanOSOutboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
| PanOSPacket | N/A | N/A | Packet that triggered the firewall to generate this threat log record. |
| PanOSPayloadProtocolID | N/A | N/A | The associated payload protocol identifier. |
| PanOSSanctionedStateOfApp | N/A | N/A | Indicates whether the application has been flagged as sanctioned by the firewall administrator. |
| PanOSSeverity | N/A | N/A | Severity as defined by the platform. |
| PanOSSourceDeviceClass | N/A | N/A | Source device class. |
| PanOSSourceDeviceOS | N/A | N/A | Source device OS type. |
| sntdom | <domainorigin> | Text/String | Domain to which the source user belongs. |
| susername | <login> | Text/String | The username that initiated the network traffic. |
| suid | N/A | N/A | Unique identifier assigned to the source user. |
| cat | <subject> | Text/String | Threat name written by the firewall. |
| PanOSThreatNameFirewall | N/A | N/A | Threat name as written by the firewall. |
| PanOSTunneledApplication | N/A | N/A | Application tunneled inside the inspected tunnel session. |
| PanOSURLDomain | N/A | N/A | The name of the internet domain that was visited in this session. |
| PanOSUsers | N/A | N/A | Source/destination user. If neither is available, source_ip is used. |
| PanOSVerdict | N/A | N/A | Sandbox (WildFire) verdict for the analyzed file, such as benign, grayware, malware or phishing. |
| PanOSVirtualSystemID | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| c6a2 | N/A | N/A | Source IPv6 address. |
| c6a2Label | N/A | N/A | Label for c6a2. |
| c6a3 | N/A | N/A | Destination IPv6 address. |
| c6a3Label | N/A | N/A | Label for c6a3. |
| src | <sip> | IP Address | Source IP address. |
| dst | <dip> | IP Address | Destination IP address. |
| sourceTranslatedAddress | <snatip> | IP Address | If source NAT was performed, the post-NAT source IP address. |
| destinationTranslatedAddress | <dnatip> | IP Address | If destination NAT was performed, the post-NAT destination IP address. |
| cs1 | N/A | N/A | Name of the security policy rule that the network traffic matched. |
| cs1Label | N/A | N/A | Label for cs1. |
| susername0 | N/A | N/A | The source user, that is, the username that initiated the network traffic. |
| dusername0 | N/A | N/A | The destination user, that is, the username to which the network traffic was destined. |
| app | N/A | N/A | Application associated with the network traffic. |
| cs3 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | Label for cs3. |
| cs4 | N/A | N/A | The networking zone from which the traffic originated. |
| cs4Label | N/A | N/A | Label for cs4. |
| cs5 | N/A | N/A | Type of tunnel. |
| cs5Label | N/A | N/A | Label for cs5. |
| deviceInboundInterface | <sinterface> | Text/String | Interface from which the network traffic was sourced. |
| deviceOutboundInterface | <dinterface> | Text/String | Interface to which the network traffic was destined. |
| cs6 | N/A | N/A | Log forwarding profile name that was applied to the session, as defined by the firewall administrator. |
| cs6Label | N/A | N/A | Label for cs6. |
| cn1 | N/A | N/A | The firewall's internal identifier for a specific network session. |
| cn1Label | N/A | N/A | Label for cn1. |
| cnt | N/A | N/A | Number of sessions with the same source IP, destination IP, application, and content/threat type seen during the summary interval. |
| spt | <sport> | Number | Source port used by the session. |
| dpt | <dport> | Number | Network traffic's destination port. If this value is 0, the application is using its standard port. |
| sourceTranslatedPort | <snatport> | Number | Post-NAT source port. |
| destinationTranslatedPort | <dnatport> | Number | Post-NAT destination port. |
| proto | <protname> | Text/String | IP protocol associated with the session. |
| act | <action> | Text/String | The action that the firewall took for the network traffic. |
| request | <object> | Text/String | The name of the infected file when the threat type is 'virus'. |
| PanOSThreatID | <threatname> | Text/String/Number | Palo Alto Networks textual identifier for the threat. |
| flexString2 | N/A | N/A | Indicates the direction of the attack. |
| flexString2Label | N/A | N/A | Label for flexString2. |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has its own number space. |
| PanOSSourceLocation | N/A | N/A | Source country, or internal region for private addresses. |
| PanOSDestinationLocation | N/A | N/A | Destination country, or internal region for private addresses. |
| fileId | N/A | N/A | Packet capture ID. Used to correlate threat PCAP files with extended PCAPs taken as part of the session flow. |
| PanOSFileHash | <hash> | Text/String | The SHA256 hash of the file sent for virus analysis. |
| PanOSApplianceOrCloud | N/A | N/A | FQDN of either the appliance (private) or the cloud (public) from where the file was uploaded for analysis. |
| PanOSURLCounter | N/A | N/A | URL index counter (url_idx) used to correlate multiple URL entries logged within a single session. |
| PanOSFileType | <objecttype> | Text/String | The type of the file sent for virus analysis. |
| PanOSSenderEmail | <sender> | Text/String | Identifies the sender of an email that the sandbox determined to be malicious when it analyzed an email link forwarded by the firewall. |
| PanOSEmailSubject | <subject> | Text/String | Subject of an email that the sandbox determined to be malicious when it analyzed an email link forwarded by the firewall. |
| PanOSRecipientEmail | <recipient> | Text/String | Identifies the recipient of an email that the sandbox determined to be malicious when it analyzed an email link forwarded by the firewall. |
| PanOSReportID | N/A | N/A | Identifies the analysis requested from the sandbox (cloud or appliance). |
| PanOSDGHierarchyLevel1 | N/A | N/A | Level 1 of the device group hierarchy: a sequence of identification numbers that indicates the device group's location within the hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | Level 2 of the device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | Level 3 of the device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | Level 4 of the device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log, that is, the hostname of the firewall that logged the network traffic. |
| PanOSSourceUUID | N/A | N/A | Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. |
| PanOSDestinationUUID | N/A | N/A | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. |
| PanOSIMSI | N/A | N/A | International Mobile Subscriber Identity (IMSI) of the mobile subscriber associated with the session. |
| PanOSIMEI | N/A | N/A | International Mobile Equipment Identity (IMEI) of the mobile device associated with the session. |
| PanOSParentSessionID | N/A | N/A | ID of the session in which this network traffic was tunneled. |
| PanOSParentStarttime | N/A | N/A | Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| PanOSTunnel | N/A | N/A | For internal use only. |
| PanOSThreatCategory | N/A | N/A | Threat category of the detected threat. |
| PanOSContentVersion | N/A | N/A | Applications and Threats version installed on the firewall when the log was generated. |
| PanOSSigFlags | N/A | N/A | Internal use only. |
| PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
| PanOSHTTP2Connection | N/A | N/A | Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0. |
| PanOSDynamicUserGroupName | N/A | N/A | Dynamic user group of the user who initiated the network connection. |
| PanOSX-Forwarded-ForIP | N/A | N/A | X-Forwarded-For IP address (the client address reported by a proxy). |
| PanOSSourceDeviceCategory | N/A | N/A | Category of the device from which the session originated. |
| PanOSSourceDeviceProfile | N/A | N/A | Profile of the device from which the session originated. |
| PanOSSourceDeviceModel | N/A | N/A | Model of the device from which the session originated. |
| PanOSSourceDeviceVendor | N/A | N/A | Vendor of the device from which the session originated. |
| PanOSSourceDeviceOSFamily | N/A | N/A | OS family of the device from which the session originated. |
| PanOSSourceDeviceOSVersion | N/A | N/A | OS version of the device from which the session originated. |
| PanOSSourceDeviceHost | <sname> | Text/String | Hostname of the device from which the session originated. |
| PanOSSourceDeviceMac | <smac> | Text/String/Number | MAC address of the device from which the session originated. |
| PanOSDestinationDeviceCategory | N/A | N/A | Category of the device to which the session was directed. |
| PanOSDestinationDeviceProfile | N/A | N/A | Profile of the device to which the session was directed. |
| PanOSDestinationDeviceModel | N/A | N/A | Model of the device to which the session was directed. |
| PanOSDestinationDeviceVendor | N/A | N/A | Vendor of the device to which the session was directed. |
| PanOSDestinationDeviceOSFamily | N/A | N/A | OS family of the device to which the session was directed. |
| PanOSDestinationDeviceOSVersion | N/A | N/A | OS version of the device to which the session was directed. |
| PanOSDestinationDeviceHost | <dname> | Text/String | Hostname of the device to which the session was directed. |
| PanOSDestinationDeviceMac | <dmac> | Text/String/Number | MAC address of the device to which the session was directed. |
| PanOSContainerID | N/A | N/A | Container ID. No further description is available at this time. |
| PanOSContainerNameSpace | N/A | N/A | Container namespace. |
| PanOSSourceEDL | N/A | N/A | The name of the external dynamic list that contains the source IP address of the traffic. |
| PanOSDestinationEDL | N/A | N/A | The name of the external dynamic list that contains the destination IP address of the traffic. |
| PanOSHostID | N/A | N/A | A unique ID that GlobalProtect assigns to identify the host. |
| PanOSEndpointSerialNumber | N/A | N/A | Serial number of the host on which GlobalProtect is installed. |
| PanOSDomainEDL | N/A | N/A | Domain external dynamic list, that is, the name of the external dynamic list that contains the destination domain of the traffic. |
| PanOSSourceDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the source of the traffic. |
| PanOSDestinationDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the destination of the traffic. |
| PanOSPartialHash | N/A | N/A | Machine learning partial hash. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated on the firewall's data plane, at microsecond resolution. |
| PanOSNSSAINetworkSliceType | N/A | N/A | Network Slice Type (the SST part of the S-NSSAI). |
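The mapping table above is, in effect, a parser specification: the CEF header positions supply <vmid> and <severity>, the extension keys supply everything else, and the cs1/cs1Label style pairs carry their meaning in a sibling label field. The Python below is an added example, not LogRhythm's or Palo Alto Networks' code; it parses a constructed Cortex Data Lake CEF threat record, handles CEF escaping, resolves custom-field labels, and applies a subset of the table to produce LogRhythm field names. The sample line, its header values (vendor, product and version strings) and all field contents are assumptions made for illustration.

```python
"""Parse a Cortex Data Lake CEF THREAT record and map its keys onto LogRhythm schema fields.

Added example (not LogRhythm or Palo Alto Networks code). SAMPLE is a constructed
record whose header values and field contents are assumptions for illustration.
"""
import re
from typing import Any, Dict, List, Tuple

# CEF header positions after the leading "CEF:0" version field, in order.
HEADER_FIELDS = ("deviceVendor", "deviceProduct", "Version", "LogType", "SubType", "deviceSeverity")

# Subset of the mapping table above: CEF extension key -> LogRhythm schema field.
CEF_TO_LOGRHYTHM = {
    "deviceExternalId": "serialnumber", "dntdom": "domainimpacted", "dusername": "account",
    "PanOSHTTPMethod": "command", "sntdom": "domainorigin", "susername": "login",
    "cat": "subject", "src": "sip", "dst": "dip",
    "sourceTranslatedAddress": "snatip", "destinationTranslatedAddress": "dnatip",
    "deviceInboundInterface": "sinterface", "deviceOutboundInterface": "dinterface",
    "spt": "sport", "dpt": "dport", "sourceTranslatedPort": "snatport",
    "destinationTranslatedPort": "dnatport", "proto": "protname", "act": "action",
    "request": "object", "PanOSThreatID": "threatname", "PanOSFileHash": "hash",
    "PanOSFileType": "objecttype", "PanOSSenderEmail": "sender", "PanOSRecipientEmail": "recipient",
    "PanOSSourceDeviceHost": "sname", "PanOSSourceDeviceMac": "smac",
    "PanOSDestinationDeviceHost": "dname", "PanOSDestinationDeviceMac": "dmac",
}
# LogRhythm fields the table types as Number; everything else stays a string.
NUMERIC_FIELDS = {"sport", "dport", "snatport", "dnatport", "severity"}
# CEF custom fields whose meaning is carried by a sibling "<key>Label" pair (cs1/cs1Label, ...).
LABELLED_KEY = re.compile(r"^(cs\d|cn\d|c6a\d|flexString\d)$")
# A key boundary in the extension: start of string or a space, then a key, then '='.
# Keys never contain a backslash, so an escaped '\=' inside a value cannot start a key.
KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.\-]+)=")


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\= \\| \\\\ become the literal character, \\n and \\r become control characters."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(line: str) -> Tuple[List[str], str]:
    """Return the 7 pipe-delimited header fields and the remaining extension text.
    A '|' inside a header field is escaped as '\\|', so the split is done by hand."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character: keep the next char literally
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":                             # unescaped delimiter closes the field
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return fields, line[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k2=v with spaces' pairs. Values may contain spaces, so each value runs
    from its '=' to the next unescaped '<space>key=' boundary (CEF requires '=' in values to be '\\=')."""
    out: Dict[str, str] = {}
    matches = list(KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out


def _resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Expose cs1=allow-web cs1Label=Rule also as Rule=allow-web, so the label names the field."""
    resolved = dict(ext)
    for key, value in ext.items():
        if LABELLED_KEY.match(key) and key + "Label" in ext:
            resolved[ext[key + "Label"]] = value
    return resolved


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF line into {'header': {...}, 'ext': {...}}."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    return {"header": dict(zip(HEADER_FIELDS, fields[1:])), "ext": _resolve_labels(_parse_extension(ext))}


def to_logrhythm(parsed: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the mapping table: header SubType -> vmid, deviceSeverity -> severity, then extension keys."""
    mapped: Dict[str, Any] = {"vmid": parsed["header"]["SubType"]}
    source = dict(parsed["ext"], deviceSeverity=parsed["header"]["deviceSeverity"])
    for cef_key, lr_field in {**CEF_TO_LOGRHYTHM, "deviceSeverity": "severity"}.items():
        if cef_key in source:
            mapped[lr_field] = int(source[cef_key]) if lr_field in NUMERIC_FIELDS else source[cef_key]
    return mapped


# Constructed sample record (assumed header values and field contents, not a real firewall log).
SAMPLE = (
    "CEF:0|Palo Alto Networks|LF|2.0|THREAT|vulnerability|3|"
    "rt=1698000000000000 deviceExternalId=007200001234 start=2023-10-22T19:00:00.123456Z "
    "src=10.1.2.3 dst=203.0.113.7 spt=51234 dpt=80 proto=tcp act=alert "
    "cat=Example Threat Name request=http://203.0.113.7/login.php?user\\=admin\\=1 "
    "PanOSThreatID=Example(12345) PanOSHTTPMethod=GET cs1=allow-web cs1Label=Rule cs4=trust cs4Label=FromZone "
    "PanOSFileHash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
)

if __name__ == "__main__":
    import json
    print(json.dumps(to_logrhythm(parse_cef(SAMPLE)), indent=2))
```

Fields such as request, cat, PanOSURLDomain and the email sender/subject are taken from the inspected traffic, so their contents are attacker-influenced: the parser depends on the producer escaping `=` (and `|` in the header) as CEF requires, and a value containing an unescaped `<space>key=` sequence would be split into a spurious field. Validate the typed fields (ports, severity) before using them in detection logic, as the example does by converting them to integers.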