Skip to main content
Skip table of contents

V 2.0 URL Threat Messages 1

Vendor Documentation

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields.html

Classification

Rule Name

Rule Type

Common Event

Classification

V 2.0 URL Threat Messages

Base Rule

General Threat Message

Activity

V 2.0 Potentially Malicious URL Allowed

Sub Rule

Traffic Allowed by Proxy

Network Allow

V 2.0 User Continue URL Block

Sub Rule

Traffic Allowed by Proxy

Network Allow

V 2.0 User Override URL Block

Sub Rule

Traffic Allowed by Proxy

Network Allow

V 2.0 Malicious URL Blocked

Sub Rule

Traffic Denied by Proxy

Network Deny

Mapping with LogRhythm Schema  

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

Type (type)

<vmid>

Text/String

Specifies the type of log; the value is THREAT.

Threat/Content Type (subtype)

<vendorinfo>

Text/String

The subtype of threat log. Values include the following:

  • data—Data pattern matching a Data Filtering profile.

  • file—File type matching a File Blocking profile.

  • flood—Flood detected via a Zone Protection profile.

  • packet—Packet-based attack protection triggered by a Zone Protection profile.

  • scan—Scan detected via a Zone Protection profile.

  • spyware —Spyware detected via an Anti-Spyware profile.

  • url—URL filtering log.

  • ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile.

  • virus—Virus detected via an Antivirus profile.

  • vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile.

  • wildfire —A WildFire verdict is generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.

  • wildfire-virus—Virus detected via an Antivirus profile.

Source address (src)

<sip>

IP Address

Original session source IP address

Destination address (dst)

<dip>

IP Address

Original session destination IP address

NAT Source IP (natsrc)

<snatip>

IP Address

If Source NAT is performed, the post-NAT Source IP address

NAT Destination IP (natdst)

<dnatip>

IP Address

If Destination NAT is performed, the post-NAT Destination IP address

Rule Name (rule)

<policy>

Text/String

Name of the rule that the session matched

Source User (srcuser)

<domainorigin>
<login>

Text/String

The username of the user who initiated the session

Destination User (dstuser)

<domainimpacted>
<account>

Text/String

The username of the user to which the session was destined

Inbound Interface (inbound_if)

<sinterface>

Text/String

Interface that the session was sourced from

Outbound Interface (outbound_if)

<dinterface>

Text/String

Interface that the session was destined to

Session ID (sessionid)

<session>

Number

An internal numerical identifier is applied to each session

Repeat Count (repeatcnt)

<quantity>

Number

Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds

Source Port (sport)

<sport>

Number

Source port utilized by the session

Destination Port (dport)

<dport>

Number

Destination port utilized by the session

NAT Source Port (natsport)

<snatport>

Number

Post-NAT source port

NAT Destination Port (natdport)

<dnatport>

Number

Post-NAT destination port

Flags (flags)

<sessiontype>

Text/String

A 32-bit field that provides details on the session

IP Protocol (proto)

<protname>

Text/String

IP protocol associated with the session

Action (action)

<action>
<tag1>

Text/String

Action is taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
alert—threat or URL detected but not blocked
allow— flood detection alert
deny—flood detection mechanism activated and deny traffic based on configuration
drop— threat detected and associated session was dropped
reset-client —threat detected and a TCP RST is sent to the client
reset-server —threat detected and a TCP RST is sent to the server
reset-both —threat detected and a TCP RST is sent to both the client and the server
block-url —URL request was blocked because it matched a URL category that was set to be blocked
block-ip—threat detected and client IP is blocked
random-drop—flood detected and packet was randomly dropped
sinkhole—DNS sinkhole activated
syncookie-sent—syncookie alert
block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed
continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed
block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a passcode from the firewall administrator to continue
override-lockout (URL subtype only)—too many failed admin override passcode attempts from the source IP. IP is now blocked from the block-override redirect page
override (URL subtype only)—response to a block-override page where a correct passcode is provided and the request is allowed
block (Wildfire only)—The file was blocked by the firewall and uploaded to Wildfire

URL/Filename (misc)

<url>

Text/String

Field with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters
The actual URI when the subtype is URL
File name or file type when the subtype is a file
File name when the subtype is virus
File name when the subtype is wildfire-virus
File name when the subtype is wildfire
URL or File name when the subtype is vulnerable if applicable
URL when Threat Category is domain-edl

Category (category)

<subject>

Text/String

For URL Subtype, it is the URL Category; For the WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.

Severity (severity)

<severity>

Text/String

Severity associated with the threat; values are informational, low, medium, high, critical.

User Agent (user_agent)

<useragent>

Text/String

Only for the URL Filtering subtype; all other types do not use this field.
The User Agent field specifies the web browser that the user used to access the URL, for example, Internet Explorer. This information is sent in the HTTP request to the server.

Device Name (device_name)

<objectname>

Text/String

The hostname of the firewall on which the session was logged.

Application Characteristic (characteristic_of_app)**

<group>

Text/String

Comma-separated list of applicable characteristics of the application

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close