
V 2.0 Data/File/Virus/Spyware Threat Messages

Vendor Documentation

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Data/File/Virus/Spyware Threat Messages | Base Rule | General Threat Message | Activity |
| V 2.0 Spyware Alert | Sub Rule | Possible Spyware Activity | Malware |
| V 2.0 Spyware Allowed | Sub Rule | Possible Spyware Activity | Malware |
| V 2.0 Spyware Denied | Sub Rule | Possible Spyware Activity | Malware |
| V 2.0 Spyware Dropped | Sub Rule | Possible Spyware Activity | Malware |
| V 2.0 Spyware Activity | Sub Rule | Failed Spyware Activity | Failed Malware |
| V 2.0 DLP Alert | Sub Rule | General Alert Log Message | Activity |
| V 2.0 DLP Event Allowed | Sub Rule | Traffic Allowed by DLP | Network Allow |
| V 2.0 DLP Event Denied | Sub Rule | Traffic Denied by DLP | Network Deny |
| V 2.0 DLP Event Dropped | Sub Rule | Traffic Denied by DLP | Network Deny |
| V 2.0 DLP Event | Sub Rule | Traffic Denied by DLP | Network Deny |
| V 2.0 Potentially Threatening File Alert | Sub Rule | Potentially Threatening File Observed | Activity |
| V 2.0 Potentially Threatening File Allowed | Sub Rule | Potentially Threatening File Observed | Activity |
| V 2.0 Potentially Threatening File Denied | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| V 2.0 Potentially Threatening File Dropped | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| V 2.0 Potentially Threatening File | Sub Rule | Threat Blocked | Failed Activity |
| V 2.0 Virus Alert | Sub Rule | Possible Virus Activity | Malware |
| V 2.0 Virus Allow | Sub Rule | Detected Virus Activity | Malware |
| V 2.0 Virus Denied | Sub Rule | Failed Virus Activity | Failed Malware |
| V 2.0 Virus Drop | Sub Rule | Failed Virus Activity | Failed Malware |
| V 2.0 Virus Activity | Sub Rule | Threat Blocked | Failed Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | `<vmid>` | Text/String | Specifies the type of log; value is THREAT. |
| Threat/Content Type (subtype) | `<vendorinfo>`<br>`<tag1>` | Text/String | Subtype of threat log. Values include the following:<br>data—Data pattern matching a Data Filtering profile.<br>file—File type matching a File Blocking profile.<br>flood—Flood detected via a Zone Protection profile.<br>packet—Packet-based attack protection triggered by a Zone Protection profile.<br>scan—Scan detected via a Zone Protection profile.<br>spyware—Spyware detected via an Anti-Spyware profile.<br>url—URL filtering log.<br>ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile.<br>virus—Virus detected via an Antivirus profile.<br>vulnerability—Vulnerability exploit detected via a Vulnerability Protection profile.<br>wildfire—A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.<br>wildfire-virus—Virus detected via an Antivirus profile. |
| Source address (src) | `<sip>` | IP Address | Original session source IP address |
| Destination address (dst) | `<dip>` | IP Address | Original session destination IP address |
| NAT Source IP (natsrc) | `<snatip>` | IP Address | If Source NAT was performed, the post-NAT Source IP address |
| NAT Destination IP (natdst) | `<dnatip>` | IP Address | If Destination NAT was performed, the post-NAT Destination IP address |
| Rule Name (rule) | `<policy>` | Text/String | Name of the rule that the session matched |
| Source User (srcuser) | `<domainorigin>`<br>`<login>` | Text/String | Username of the user who initiated the session |
| Destination User (dstuser) | `<domainimpacted>`<br>`<account>` | Text/String | Username of the user to which the session was destined |
| Inbound Interface (inbound_if) | `<sinterface>` | Text/String | Interface that the session was sourced from |
| Outbound Interface (outbound_if) | `<dinterface>` | Text/String | Interface that the session was destined to |
| Session ID (sessionid) | `<session>` | Number | An internal numerical identifier applied to each session |
| Repeat Count (repeatcnt) | `<quantity>` | Number | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds |
| Source Port (sport) | `<sport>` | Number | Source port utilized by the session |
| Destination Port (dport) | `<dport>` | Number | Destination port utilized by the session |
| NAT Source Port (natsport) | `<snatport>` | Number | Post-NAT source port |
| NAT Destination Port (natdport) | `<dnatport>` | Number | Post-NAT destination port |
| IP Protocol (proto) | `<protname>` | Text/String | IP protocol associated with the session |
| Action (action) | `<action>`<br>`<tag2>` | Text/String | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.<br>alert—threat or URL detected but not blocked<br>allow—flood detection alert<br>deny—flood detection mechanism activated and traffic denied based on configuration<br>drop—threat detected and associated session was dropped<br>reset-client—threat detected and a TCP RST is sent to the client<br>reset-server—threat detected and a TCP RST is sent to the server<br>reset-both—threat detected and a TCP RST is sent to both the client and the server<br>block-url—URL request was blocked because it matched a URL category that was set to be blocked<br>block-ip—threat detected and client IP is blocked<br>random-drop—flood detected and packet was randomly dropped<br>sinkhole—DNS sinkhole activated<br>syncookie-sent—syncookie alert<br>block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed<br>continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed<br>block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a pass code from the firewall administrator to continue<br>override-lockout (URL subtype only)—too many failed admin override pass code attempts from the source IP. The IP is now blocked from the block-override redirect page<br>override (URL subtype only)—response to a block-override page where a correct pass code is provided and the request is allowed<br>block (WildFire only)—file was blocked by the firewall and uploaded to WildFire |
| URL/Filename (misc) | `<object>` | Text/String | Field with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters.<br>The actual URI when the subtype is url<br>File name or file type when the subtype is file<br>File name when the subtype is virus<br>File name when the subtype is wildfire-virus<br>File name when the subtype is wildfire<br>URL or File name when the subtype is vulnerability, if applicable<br>URL when Threat Category is domain-edl |
| Threat/Content Name (threatid) | `<threatname>`<br>`<threatid>` | Text/String/Number | Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes |
| Category (category) | `<subject>` | Text/String | For the URL subtype, it is the URL Category; for the WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; for other subtypes, the value is ‘any’. |
| Severity (severity) | `<severity>` | Text/String | Severity associated with the threat; values are informational, low, medium, high, critical. |
| Sender (sender) | `<sender>` | Text/String | Specifies the name of the sender of an email. |
| Subject (subject) | `<subject>` | Text/String | Specifies the subject of an email. |
| Recipient (recipient) | `<recipient>` | Text/String | Specifies the name of the receiver of an email. |
| Device Name (device_name) | `<objectname>` | Text/String | The hostname of the firewall on which the session was logged |
| Application Characteristic (characteristic_of_app) | `<group>` | Text/String | Comma-separated list of applicable characteristics of the application |
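As an added example (not LogRhythm's or Palo Alto Networks' own code), the Python below applies the schema mapping above to a threat log that is assumed to have already been tokenized into its device keys. The sample record is constructed, the rules for splitting a username into domain and login and a threat identifier into name and number are assumptions made for illustration, and so is the choice of which value wins when both `category` and the email `subject` (which the table maps to the same `<subject>` field) are present.

```python
import re

# Device key -> LogRhythm schema field, for the one-to-one rows of the table.
ONE_TO_ONE = {
    "src": "sip", "dst": "dip", "natsrc": "snatip", "natdst": "dnatip",
    "rule": "policy", "inbound_if": "sinterface", "outbound_if": "dinterface",
    "sessionid": "session", "repeatcnt": "quantity", "sport": "sport",
    "dport": "dport", "natsport": "snatport", "natdport": "dnatport",
    "proto": "protname", "misc": "object", "severity": "severity",
    "sender": "sender", "recipient": "recipient", "device_name": "objectname",
    "characteristic_of_app": "group",
}
# Keys the table types as Number; everything else stays a string.
NUMERIC = {"sessionid", "repeatcnt", "sport", "dport", "natsport", "natdport"}
# Keys the table maps to two schema fields carrying the same value.
DUPLICATED = {"subtype": ("vendorinfo", "tag1"), "action": ("action", "tag2")}
# "description string followed by a 64-bit numerical identifier in parentheses"
THREAT_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<id>\d+)\)$")


def split_user(value):
    """Split a username into (domain, login). Assumption: the value is
    'DOMAIN\\user' or 'user@domain'; anything else is a bare login."""
    if "\\" in value:
        domain, login = value.split("\\", 1)
        return domain, login
    if "@" in value:
        login, domain = value.rsplit("@", 1)
        return domain, login
    return None, value


def split_threat(value):
    """Split 'Name(1234)' into ('Name', 1234); subtypes that carry no
    numeric suffix yield (value, None)."""
    m = THREAT_RE.match(value)
    if m:
        return m.group("name"), int(m.group("id"))
    return value, None


def normalize(fields):
    """Map a dict of PAN-OS threat-log device keys to LogRhythm schema fields.
    Empty values (e.g. the NAT fields when no NAT was performed) are omitted."""
    present = {k: v for k, v in fields.items() if v not in ("", None)}
    if present.get("type") != "THREAT":
        raise ValueError("not a THREAT log: type=%r" % present.get("type"))
    out = {"vmid": "THREAT"}
    for key, schema in ONE_TO_ONE.items():
        if key in present:
            out[schema] = int(present[key]) if key in NUMERIC else present[key]
    for key, targets in DUPLICATED.items():
        if key in present:
            for target in targets:
                out[target] = present[key]
    if "srcuser" in present:
        domain, login = split_user(present["srcuser"])
        out["login"] = login
        if domain:
            out["domainorigin"] = domain
    if "dstuser" in present:
        domain, account = split_user(present["dstuser"])
        out["account"] = account
        if domain:
            out["domainimpacted"] = domain
    if "threatid" in present:
        name, number = split_threat(present["threatid"])
        out["threatname"] = name
        if number is not None:
            out["threatid"] = number
    # Both 'category' and the email 'subject' land in <subject>; the email
    # subject wins here when present (an assumption, not a documented rule).
    if "subject" in present:
        out["subject"] = present["subject"]
    elif "category" in present:
        out["subject"] = present["category"]
    return out


# Constructed sample record; not a real firewall log.
SAMPLE = {
    "type": "THREAT", "subtype": "virus", "src": "10.1.2.3",
    "dst": "203.0.113.10", "natsrc": "198.51.100.5", "natdst": "",
    "rule": "allow-web", "srcuser": "CORP\\alice", "dstuser": "",
    "inbound_if": "ethernet1/1", "outbound_if": "ethernet1/2",
    "sessionid": "123456", "repeatcnt": "1", "sport": "51234", "dport": "80",
    "natsport": "41000", "natdport": "80", "proto": "tcp",
    "action": "reset-both", "misc": "invoice.exe",
    "threatid": "Virus/Win32.WGeneric.example(1234567)", "category": "any",
    "severity": "medium", "device_name": "fw-edge-01",
    "characteristic_of_app": "able-to-transfer-file,has-known-vulnerability",
}

if __name__ == "__main__":
    for key, value in sorted(normalize(SAMPLE).items()):
        print(f"{key:15} {value!r}")
```

Running the block prints the normalized record; the empty `natdst` and `dstuser` keys produce no `dnatip`, `account` or `domainimpacted` fields, and the numeric identifier is pulled out of `threatid` so that `<threatname>` and `<threatid>` are populated separately as the table calls for.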
