
Threat Event (Palo Alto Cortex Data Lake)

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Threat Event | Base Rule | Activity | General Threat Message |
| Potential Spyware Allowed | Sub Rule | Malware | Possible Spyware Activity |
| Potential Spyware Allowed | Sub Rule | Malware | Possible Spyware Activity |
| User Overrode Spyware Block | Sub Rule | Malware | Possible Spyware Activity |
| User Overrode Spyware Block | Sub Rule | Malware | Possible Spyware Activity |
| Potentially Threatening Spyware Blocked | Sub Rule | Failed Malware | Failed Spyware Activity |
| DLP Event Allowed | Sub Rule | Network Allow | Traffic Allowed by DLP |
| DLP Event Allowed | Sub Rule | Network Allow | Traffic Allowed by DLP |
| User Overrode DLP Block | Sub Rule | Network Allow | Traffic Allowed by DLP |
| User Overrode DLP Block | Sub Rule | Network Allow | Traffic Allowed by DLP |
| DLP Event Denied | Sub Rule | Network Deny | Traffic Denied by DLP |
| Potential Denial of Service Detected | Sub Rule | Denial of Service | Network Denial of Service |
| Potential Denial of Service Blocked | Sub Rule | Failed Denial of Service | Failed Network Denial of Service |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Threatening File Blocked | Sub Rule | Failed Malware | Failed Malware Activity |
| Potentially Threatening Packet Allowed | Sub Rule | Attack | General Attack Activity |
| Potentially Threatening Packet Dropped | Sub Rule | Failed Attack | Failed General Attack Activity |
| Scan Threat Messages | Sub Rule | Activity | General Threat Message |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Malicious Content Allowed | Sub Rule | Malware | Detected Malware Activity |
| Potentially Threatening File Blocked | Sub Rule | Failed Malware | Failed Malware Activity |
| Potential Vulnerability Exploit Allowed | Sub Rule | Attack | General Attack Activity |
| Vulnerability Exploit Allowed | Sub Rule | Attack | General Attack Activity |
| Vulnerability Exploit Blocked | Sub Rule | Failed Attack | Failed General Attack Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| deviceVendor | N/A | N/A | N/A |
| deviceProduct | N/A | N/A | N/A |
| Version | N/A | N/A | N/A |
| LogType | N/A | N/A | N/A |
| SubType | <vmid>, <tag1> | Text/String | N/A |
| deviceSeverity | <severity> | Number | N/A |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake: a string holding the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated it. |
| start | N/A | N/A | Time the log was generated on the data plane, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
| PanOSApplicationCategory | N/A | N/A | Identifies the high-level family of the application. |
| PanOSApplicationContainer | N/A | N/A | Identifies the managing application or parent of the application associated with this network traffic. |
| PanOSApplicationRisk | N/A | N/A | Indicates how risky the application is from a network security perspective. |
| PanOSApplicationSubcategory | N/A | N/A | Identifies the application's subcategory. The subcategory is related to the application's category, which is reported in PanOSApplicationCategory (app_category). |
| PanOSApplicationTechnology | N/A | N/A | The networking technology used by the identified application. |
| PanOSCaptivePortal | N/A | N/A | Indicates if user information for the session was captured through Captive Portal. |
| PanOSCloudHostname | N/A | N/A | The hostname on which the VM-Series firewall is running. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSDestinationDeviceClass | N/A | N/A | Destination device class. |
| PanOSDestinationDeviceOS | N/A | N/A | Destination device OS type. |
| dntdom | <domainimpacted> | Text/String | Domain to which the destination user belongs. |
| dusername | <account> | Text/String | The username to which the network traffic was destined. |
| duid | N/A | N/A | Unique identifier assigned to the destination user. |
| PanOSHTTPMethod | <command> | Text/String | The HTTP method used in the web request. |
| PanOSInboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket from which the network traffic was sourced. |
| PanOSInboundInterfaceDetailsSlot | N/A | N/A | Interface slot from which the network traffic was sourced. |
| PanOSInboundInterfaceDetailsType | N/A | N/A | The type of interface from which the network traffic was sourced. |
| PanOSInboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
| PanOSIsClienttoServer | N/A | N/A | Indicates if the direction of traffic is from client to server. |
| PanOSIsContainer | N/A | N/A | Indicates if the session is a container page access (Container Page). |
| PanOSIsDecryptMirror | N/A | N/A | Indicates whether decrypted traffic was sent out in clear text through a mirror port. |
| PanOSIsDecrypted | N/A | N/A | Flag that indicates that the session is decrypted. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premises log collector. |
| PanOSIsEncrypted | N/A | N/A | Flag that indicates that the session is encrypted. |
| PanOSIsIPV6 | N/A | N/A | Indicates whether IPv6 was used for the session. |
| PanOSIsMptcpOn | N/A | N/A | Indicates whether the firewall option that allows a client to use multiple paths (MPTCP) to connect to a destination host is enabled. |
| PanOSIsNonStandardDestinationPort | N/A | N/A | Indicates if the destination port is non-standard. |
| PanOSIsPacketCapture | N/A | N/A | Indicates whether the session has a packet capture (PCAP). |
| PanOSIsPhishing | N/A | N/A | Indicates whether enterprise credentials were submitted by an end user. |
| PanOSIsPrismaNetwork | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall; if 0, the firewall was running on-premises. |
| PanOSIsPrismaUsers | N/A | N/A | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance; if 0, GlobalProtect was hosted on-premises. |
| PanOSIsProxy | N/A | N/A | Indicates whether the SSL session is decrypted (SSL Proxy). |
| PanOSIsReconExcluded | N/A | N/A | Indicates whether the source of the flow is on the firewall allow list and therefore not subject to reconnaissance protection. |
| PanOSIsSaaSApplication | N/A | N/A | Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application. |
| PanOSIsServertoClient | N/A | N/A | Indicates if the direction of traffic is from server to client. |
| PanOSIsSourceXForwarded | N/A | N/A | Indicates whether the X-Forwarded-For value from a proxy is in the source user field. |
| PanOSIsSystemReturn | N/A | N/A | Indicates whether symmetric return was used to forward traffic for this session. |
| PanOSIsTransaction | N/A | N/A | Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction). |
| PanOSIsTunnelInspected | N/A | N/A | Indicates whether the payload for the outer tunnel was inspected. |
| PanOSIsURLDenied | N/A | N/A | Indicates whether the session was denied due to a URL filtering rule. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field. Indicates if the log is being forwarded. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data, that is, the system that produced it. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time zone offset from GMT of the source of the log. |
| PanOSNAT | N/A | N/A | Indicates if the firewall is performing network address translation (NAT) for the logged traffic. |
| PanOSNonStandardDestinationPort | N/A | N/A | Identifies the non-standard or unexpected port used by the application associated with this session. If this value is 0, the application is using its standard port. |
| PanOSOutboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket to which the network traffic was sent. |
| PanOSOutboundInterfaceDetailsSlot | N/A | N/A | Interface slot to which the network traffic was sent. |
| PanOSOutboundInterfaceDetailsType | N/A | N/A | The type of interface to which the network traffic was sent. |
| PanOSOutboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
| PanOSPacket | N/A | N/A | Packet that triggered the firewall to generate this threat log record. |
| PanOSPayloadProtocolID | N/A | N/A | The associated payload protocol identifier. |
| PanOSSanctionedStateOfApp | N/A | N/A | Indicates whether the application has been flagged as sanctioned by the firewall administrator. |
| PanOSSeverity | N/A | N/A | Severity as defined by the platform. |
| PanOSSourceDeviceClass | N/A | N/A | Source device class. |
| PanOSSourceDeviceOS | N/A | N/A | Source device OS type. |
| sntdom | <domainorigin> | Text/String | Domain to which the source user belongs. |
| susername | <login> | Text/String | The username that initiated the network traffic. |
| suid | N/A | N/A | Unique identifier assigned to the source user. |
| cat | <subject> | Text/String | Threat name written by the firewall. |
| PanOSThreatNameFirewall | N/A | N/A | Threat name as written by the firewall. |
| PanOSTunneledApplication | N/A | N/A | Application tunneled within the session. |
| PanOSURLDomain | N/A | N/A | The name of the internet domain that was visited in this session. |
| PanOSUsers | N/A | N/A | Source/destination user. If neither is available, the source IP address is used. |
| PanOSVerdict | N/A | N/A | Verdict assigned to the analyzed sample (for example benign, grayware, phishing or malicious). |
| PanOSVirtualSystemID | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| c6a2 | N/A | N/A | Source IPv6 address. |
| c6a2Label | N/A | N/A | N/A |
| c6a3 | N/A | N/A | Destination IPv6 address. |
| c6a3Label | N/A | N/A | N/A |
| src | <sip> | IP Address | Source IP address of the session. |
| dst | <dip> | IP Address | Destination IP address of the session. |
| sourceTranslatedAddress | <snatip> | IP Address | If source NAT was performed, the post-NAT source IP address. |
| destinationTranslatedAddress | <dnatip> | IP Address | If destination NAT was performed, the post-NAT destination IP address. |
| cs1 | N/A | N/A | Name of the security policy rule that the network traffic matched. |
| cs1Label | N/A | N/A | N/A |
| susername0 | N/A | N/A | The source user, that is, the username that initiated the network traffic. |
| dusername0 | N/A | N/A | The destination user, that is, the username to which the network traffic was destined. |
| app | N/A | N/A | Application associated with the network traffic. |
| cs3 | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| cs4 | N/A | N/A | The networking zone from which the traffic originated. |
| cs4Label | N/A | N/A | N/A |
| cs5 | N/A | N/A | The networking zone to which the traffic was sent. |
| cs5Label | N/A | N/A | N/A |
| deviceInboundInterface | <sinterface> | Text/String | Interface from which the network traffic was sourced. |
| deviceOutboundInterface | <dinterface> | Text/String | Interface to which the network traffic was destined. |
| cs6 | N/A | N/A | Log forwarding profile name applied to the session, as defined by the firewall administrator. |
| cs6Label | N/A | N/A | N/A |
| cn1 | N/A | N/A | The firewall's internal identifier for a specific network session. |
| cn1Label | N/A | N/A | N/A |
| cnt | N/A | N/A | Number of sessions with the same source IP, destination IP, application and content/threat type seen during the summary interval. |
| spt | <sport> | Number | Source port used by the session. |
| dpt | <dport> | Number | Destination port used by the session. |
| sourceTranslatedPort | <snatport> | Number | Post-NAT source port. |
| destinationTranslatedPort | <dnatport> | Number | Post-NAT destination port. |
| proto | <protname> | Text/String | IP protocol associated with the session. |
| act | <action>, <tag2> | Text/String | The action that the firewall took for the network traffic. |
| request | <object> | Text/String | The name of the infected file when the threat type is 'virus'. |
| PanOSThreatID | <threatname>, <threatid> | Text/String/Number | Palo Alto Networks textual identifier for the threat. |
| flexString2 | N/A | N/A | Indicates the direction of the attack. |
| flexString2Label | N/A | N/A | N/A |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has its own number space. |
| PanOSSourceLocation | N/A | N/A | Source country, or internal region for private addresses. |
| PanOSDestinationLocation | N/A | N/A | Destination country, or internal region for private addresses. |
| fileId | N/A | N/A | Packet capture ID, used to correlate threat pcap files with extended pcaps taken as part of the session flow. |
| PanOSFileHash | <hash> | Text/String | The SHA-256 hash of the file sent for virus analysis. |
| PanOSApplianceOrCloud | N/A | N/A | FQDN of either the appliance (private) or the cloud (public) to which the file was uploaded for analysis. |
| PanOSURLCounter | N/A | N/A | Counter that orders multiple URL log entries within a single session so they can be correlated with this threat log. |
| PanOSFileType | <objecttype> | Text/String | The type of the file sent for virus analysis. |
| PanOSSenderEmail | <sender> | Text/String | Sender of an email that the sandbox determined to be malicious when it analyzed an email link forwarded by the firewall. |
| PanOSEmailSubject | <subject> | Text/String | Subject of an email that the sandbox determined to be malicious when it analyzed an email link forwarded by the firewall. |
| PanOSRecipientEmail | <recipient> | Text/String | Recipient of an email that the sandbox determined to be malicious when it analyzed an email link forwarded by the firewall. |
| PanOSReportID | N/A | N/A | Identifies the analysis requested from the sandbox (cloud or appliance). |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within the device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within the device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within the device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within the device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log, that is, the hostname of the firewall that logged the network traffic. |
| PanOSSourceUUID | N/A | N/A | Source universal unique identifier for a guest virtual machine in the VMware NSX environment. |
| PanOSDestinationUUID | N/A | N/A | Destination universal unique identifier for a guest virtual machine in the VMware NSX environment. |
| PanOSIMSI | N/A | N/A | International Mobile Subscriber Identity (IMSI) of the mobile subscriber. |
| PanOSIMEI | N/A | N/A | International Mobile Equipment Identity (IMEI) of the mobile device. |
| PanOSParentSessionID | N/A | N/A | ID of the session in which this network traffic was tunneled. |
| PanOSParentStarttime | N/A | N/A | Time that the parent session began: a string holding the number of microseconds since the Unix epoch. |
| PanOSTunnel | N/A | N/A | Type of tunnel. |
| PanOSThreatCategory | N/A | N/A | Threat category of the detected threat. |
| PanOSContentVersion | N/A | N/A | Applications and Threats content version installed on the firewall when the log was generated. |
| PanOSSigFlags | N/A | N/A | Internal use only. |
| PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
| PanOSHTTP2Connection | N/A | N/A | Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is 0. |
| PanOSDynamicUserGroupName | N/A | N/A | Dynamic user group of the user who initiated the network connection. |
| PanOSX-Forwarded-ForIP | N/A | N/A | X-Forwarded-For IP address. |
| PanOSSourceDeviceCategory | N/A | N/A | Category of the device from which the session originated. |
| PanOSSourceDeviceProfile | N/A | N/A | Profile of the device from which the session originated. |
| PanOSSourceDeviceModel | N/A | N/A | Model of the device from which the session originated. |
| PanOSSourceDeviceVendor | N/A | N/A | Vendor of the device from which the session originated. |
| PanOSSourceDeviceOSFamily | N/A | N/A | OS family of the device from which the session originated. |
| PanOSSourceDeviceOSVersion | N/A | N/A | OS version of the device from which the session originated. |
| PanOSSourceDeviceHost | <sname> | Text/String | Hostname of the device from which the session originated. |
| PanOSSourceDeviceMac | <smac> | Text/String/Number | MAC address of the device from which the session originated. |
| PanOSDestinationDeviceCategory | N/A | N/A | Category of the device to which the session was directed. |
| PanOSDestinationDeviceProfile | N/A | N/A | Profile of the device to which the session was directed. |
| PanOSDestinationDeviceModel | N/A | N/A | Model of the device to which the session was directed. |
| PanOSDestinationDeviceVendor | N/A | N/A | Vendor of the device to which the session was directed. |
| PanOSDestinationDeviceOSFamily | N/A | N/A | OS family of the device to which the session was directed. |
| PanOSDestinationDeviceOSVersion | N/A | N/A | OS version of the device to which the session was directed. |
| PanOSDestinationDeviceHost | <dname> | Text/String | Hostname of the device to which the session was directed. |
| PanOSDestinationDeviceMac | <dmac> | Text/String/Number | MAC address of the device to which the session was directed. |
| PanOSContainerID | N/A | N/A | Container ID (paired with PanOSContainerNameSpace). |
| PanOSContainerNameSpace | N/A | N/A | Container namespace. |
| PanOSSourceEDL | N/A | N/A | The name of the external dynamic list that contains the source IP address of the traffic. |
| PanOSDestinationEDL | N/A | N/A | The name of the external dynamic list that contains the destination IP address of the traffic. |
| PanOSHostID | N/A | N/A | A unique ID that GlobalProtect assigns to identify the host. |
| PanOSEndpointSerialNumber | N/A | N/A | Serial number of the host on which GlobalProtect is installed. |
| PanOSDomainEDL | N/A | N/A | Domain external dynamic list, that is, the name of the external dynamic list that contains the destination domain of the traffic. |
| PanOSSourceDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the source of the traffic. |
| PanOSDestinationDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the destination of the traffic. |
| PanOSPartialHash | N/A | N/A | Machine-learning partial hash. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time when the log was generated on the firewall's data plane: a string holding the number of microseconds since the Unix epoch. |
| PanOSNSSAINetworkSliceType | N/A | N/A | Network Slice Type (the SST part of S-NSSAI). |
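The mapping table only lists which CEF key lands in which LogRhythm field; it does not show how a record is actually taken apart. The example below, added for this page and not LogRhythm's or Palo Alto Networks' own parser, splits one Cortex Data Lake CEF THREAT record into its seven header fields and its key=value extension (honouring the CEF escapes for "=", "|" and "\"), then projects the keys onto the schema fields exactly as the table maps them. The record is constructed (no real firewall serial, user, threat name or hash); parse_cef, to_logrhythm, received_time and the header name CEFVersion are this example's own names.

```python
"""Parse one Cortex Data Lake CEF THREAT record and project it onto the
LogRhythm schema fields from the mapping table above.

Example code written for this page, not LogRhythm's or Palo Alto Networks'
parser.  SAMPLE_RECORD is constructed (no real firewall, user, threat or
hash); parse_cef, to_logrhythm and received_time are this example's names.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# CEF header fields in order.  "CEFVersion" is this example's name for the
# leading "CEF:0" token; the remaining names are the table's row names.
HEADER_KEYS = ("CEFVersion", "deviceVendor", "deviceProduct", "Version",
               "LogType", "SubType", "deviceSeverity")

# CEF key -> LogRhythm schema field(s), as the mapping table lists them.
# Note that the table documents both "cat" and "PanOSEmailSubject" as <subject>.
KEY_TO_SCHEMA: Dict[str, Tuple[str, ...]] = {
    "SubType": ("vmid", "tag1"), "deviceSeverity": ("severity",),
    "deviceExternalId": ("serialnumber",), "dntdom": ("domainimpacted",),
    "dusername": ("account",), "PanOSHTTPMethod": ("command",),
    "sntdom": ("domainorigin",), "susername": ("login",), "cat": ("subject",),
    "src": ("sip",), "dst": ("dip",), "sourceTranslatedAddress": ("snatip",),
    "destinationTranslatedAddress": ("dnatip",), "spt": ("sport",),
    "dpt": ("dport",), "sourceTranslatedPort": ("snatport",),
    "destinationTranslatedPort": ("dnatport",), "proto": ("protname",),
    "deviceInboundInterface": ("sinterface",),
    "deviceOutboundInterface": ("dinterface",), "act": ("action", "tag2"),
    "request": ("object",), "PanOSThreatID": ("threatname", "threatid"),
    "PanOSFileHash": ("hash",), "PanOSFileType": ("objecttype",),
    "PanOSSenderEmail": ("sender",), "PanOSEmailSubject": ("subject",),
    "PanOSRecipientEmail": ("recipient",), "PanOSSourceDeviceHost": ("sname",),
    "PanOSSourceDeviceMac": ("smac",), "PanOSDestinationDeviceHost": ("dname",),
    "PanOSDestinationDeviceMac": ("dmac",),
}

# Constructed sample record.  "\=" shows the CEF escape for "=" inside a value.
SAMPLE_RECORD = (
    "CEF:0|Palo Alto Networks|LF|2.0|THREAT|wildfire|3|"
    "rt=1700000000000000 deviceExternalId=000000000000 "
    "src=10.1.2.3 dst=192.0.2.10 spt=51234 dpt=443 proto=tcp "
    "sntdom=corp susername=alice dntdom=example.test dusername=svc-web "
    "cs1Label=Rule cs1=allow-web cs4Label=SourceZone cs4=trust "
    "deviceInboundInterface=ethernet1/2 deviceOutboundInterface=ethernet1/1 "
    "act=alert cat=Example.Threat PanOSThreatID=Example.Threat(0) "
    "request=invoice\\=Q3.pdf PanOSFileType=pdf "
    "PanOSFileHash=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef "
    "PanOSSenderEmail=bob@example.test PanOSEmailSubject=Re: a\\=b "
    "PanOSRecipientEmail=alice@example.test"
)

_PIPE = re.compile(r"(?<!\\)\|")                        # unescaped header separator
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")  # start of an extension key=value


def _unescape(raw: str) -> str:
    # Undo CEF escaping: "\=", "\|", "\\" and the "\n" / "\r" control sequences.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header fields, extension fields) for one CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _PIPE.split(line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-separated fields")
    header = {k: _unescape(v) for k, v in zip(HEADER_KEYS, parts[:7])}
    ext, extension = parts[7], {}
    starts = list(_KEY.finditer(ext))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(ext)
        # A value with an unescaped "=" (non-compliant sender) would be split
        # here; compliant Cortex Data Lake output escapes it as "\=".
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    return header, extension


def to_logrhythm(line: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Project a record onto schema fields.  When two CEF keys claim the same
    field, the first one in the record wins and the loser is reported, so a
    parser author sees the <subject> collision instead of a silent overwrite."""
    header, extension = parse_cef(line)
    fields: Dict[str, str] = {}
    conflicts: List[Tuple[str, str]] = []
    for key, value in {**header, **extension}.items():
        for schema in KEY_TO_SCHEMA.get(key, ()):
            if schema in fields:
                conflicts.append((schema, key))
            else:
                fields[schema] = value
    return fields, conflicts


def received_time(extension: Dict[str, str]) -> str:
    """rt is microseconds since the Unix epoch (see the table); render as ISO 8601 UTC."""
    return datetime.fromtimestamp(int(extension["rt"]) / 1_000_000, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    mapped, clashes = to_logrhythm(SAMPLE_RECORD)
    for name in sorted(mapped):
        print(f"<{name}> = {mapped[name]}")
    print("received:", received_time(parse_cef(SAMPLE_RECORD)[1]), "conflicts:", clashes)
```

Two points a parser author should take from running it: the header SubType (here "wildfire") is what feeds <vmid> and <tag1>, so sub-rule selection depends on the header rather than on any extension key, and the table maps both cat and PanOSEmailSubject to <subject>, so a record from a sandboxed email link carries two candidates for that field and the parser has to decide which one wins; this example keeps the first and reports the other.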
