V 2.0 Scan Threat Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Scan Threat Messages | Base Rule | General Threat Message | Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Type (type) | <vmid> | Text/String | Specifies the type of log; the value is THREAT. |
| Threat/Content Type (subtype) | <vendorinfo> | Text/String | A subtype of threat log. Values include the following: data—Data pattern matching a Data Filtering profile. file—File type matching a File Blocking profile. flood—Flood detected via a Zone Protection profile. packet—Packet-based attack protection triggered by a Zone Protection profile. scan—Scan detected via a Zone Protection profile. spyware —Spyware detected via an Anti-Spyware profile. url—URL filtering log. ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile. virus—Virus detected via an Antivirus profile. vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile. wildfire —A WildFire verdict is generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log. wildfire-virus—Virus detected via an Antivirus profile. |
| Source address (src) | <sip> | IP Address | Original session source IP address |
| Destination address (dst) | <dip> | IP Address | Original session destination IP address |
| NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address |
| NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address |
| Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched |
| Source User (srcuser) | <domainorigin> <login> | Text/String | The username of the user who initiated the session |
| Destination User (dstuser) | <domainimpacted> <account> | Text/String | The username of the user to which the session was destined |
| Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
| Outbound Interface (outbound_if) | <dinterface> | Text/String | Interface that the session was destined to |
| Session ID (sessionid) | <session> | Number | An internal numerical identifier is applied to each session |
| Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds |
| Source Port (sport) | <sport> | Number | Source port utilized by the session |
| Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
| NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port |
| NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port |
| IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
| Action (action) | <action> | Text/String | Action is taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, and block-URL. alert—threat or URL detected but not blocked allow— flood detection alert deny—flood detection mechanism activated and deny traffic based on configuration drop— threat detected and associated session was dropped reset-client —threat detected and a TCP RST is sent to the client reset-server —threat detected and a TCP RST is sent to the server reset-both —threat detected and a TCP RST is sent to both the client and the server block-URL —The URL request was blocked because it matched a URL category that was set to be blocked block-ip—threat detected and client IP is blocked random-drop—flood detected and a packet was randomly dropped sinkhole—DNS sinkhole activated syncookie-sent—syncookie alert block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a passcode from the firewall administrator to continue override-lockout (URL subtype only)—too many failed admin override passcode attempts from the source IP. IP is now blocked from the block-override redirect page override (URL subtype only)—response to a block-override page where a correct passcode is provided and the request is allowed block (Wildfire only)—The file was blocked by the firewall and uploaded to Wildfire |
| Threat/Content Name (threatid) | <threatname> <threatid> | Text/String/Number | Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes |
| Severity (severity) | <severity> | Text/String | Severity associated with the threat; values are informational, low, medium, high, critical. |
| Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged |
| Application Characteristic (characteristic_of_app)** | <result> | Text/String | Comma-separated list of applicable characteristics of the application |