Breadcrumbs

V 2.0 Vulnerability Threat Messages

Vendor Documentation

Classification

Rule Name

Rule Type

Common Event

Classification

V 2.0 Vulnerability Threat Messages

Base Rule

Vuln Medium Severity: Firewall

Vulnerability

V 2.0 Potential Vulnerability Exploit Alert

Sub Rule

Vuln Medium Severity: Information Gathering

Vulnerability

V 2.0 Potential Vulnerability Exploit Allowed

Sub Rule

Potential Vulnerability Exploit Allowed

Activity

V 2.0 Vulnerability Exploit Blocked

Sub Rule

Failed General Attack Activity

Failed Attack

Mapping with LogRhythm Schema  

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

Type (type)

<vmid>

Text/String

Specifies the type of log; the value is THREAT.

Threat/Content Type (subtype)

<vendorinfo>

Text/String

A subtype of threat log. Values include the following:

  • data—Data pattern matching a Data Filtering profile.

  • file—File type matching a File Blocking profile.

  • flood—Flood detected via a Zone Protection profile.

  • packet—Packet-based attack protection triggered by a Zone Protection profile.

  • scan—Scan detected via a Zone Protection profile.

  • spyware —Spyware detected via an Anti-Spyware profile.

  • url—URL filtering log.

  • ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile.

  • virus—Virus detected via an Antivirus profile.

  • vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile.

  • wildfire —A WildFire verdict is generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.

  • wildfire-virus—Virus detected via an Antivirus profile.

Source address (src)

<sip>

IP Address

Original session source IP address

Destination address (dst)

<dip>

IP Address

Original session destination IP address

NAT Source IP (natsrc)

<snatip>

IP Address

If Source NAT is performed, the post-NAT Source IP address

NAT Destination IP (natdst)

<dnatip>

IP Address

If Destination NAT is performed, the post-NAT Destination IP address

Rule Name (rule)

<policy>

Text/String

Name of the rule that the session matched

Source User (srcuser)

<domainorigin>
<login>

Text/String

The username of the user who initiated the session

Destination User (dstuser)

<domainimpacted>
<account>

Text/String

The username of the user to which the session was destined

Inbound Interface (inbound_if)

<sinterface>

Text/String

Interface that the session was sourced from

Outbound Interface (outbound_if)

<dinterface>

Text/String

Interface that the session was destined to

Session ID (sessionid)

<session>

Number

An internal numerical identifier is applied to each session

Repeat Count (repeatcnt)

<quantity>

Number

Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds

Source Port (sport)

<sport>

Number

Source port utilized by the session

Destination Port (dport)

<dport>

Number

Destination port utilized by the session

NAT Source Port (natsport)

<snatport>

Number

Post-NAT source port

NAT Destination Port (natdport)

<dnatport>

Number

Post-NAT destination port

IP Protocol (proto)

<protname>

Text/String

IP protocol associated with the session

Action (action)

<action>
<tag1>

Text/String

Action is taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, and block-URL.

  • alert—threat or URL detected but not blocked

  • allow— flood detection alert

  • deny—flood detection mechanism activated and deny traffic based on configuration

  • drop— threat detected and associated session was dropped

  • reset-client —threat detected and a TCP RST is sent to the client

  • reset-server —threat detected and a TCP RST is sent to the server

  • reset-both —threat detected and a TCP RST is sent to both the client and the server

  • block-URL —The URL request was blocked because it matched a URL category that was set to be blocked

  • block-ip—threat detected and client IP is blocked

  • random-drop—flood detected and a packet was randomly dropped

  • sinkhole—DNS sinkhole activated

  • syncookie-sent—syncookie alert

  • block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed

  • continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed

  • block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a passcode from the firewall administrator to continue

  • override-lockout (URL subtype only)—too many failed admin override passcode attempts from the source IP. IP is now blocked from the block-override redirect page

  • override (URL subtype only)—response to a block-override page where a correct passcode is provided and the request is allowed

  • block (Wildfire only)—The file was blocked by the firewall and uploaded to Wildfire

URL/Filename (misc)

<object>

Text/String

Field with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters
The actual URI when the subtype is URL
File name or file type when the subtype is a file
File name when the subtype is virus
File name when the subtype is wildfire-virus
File name when the subtype is wildfire
URL or File name when the subtype is vulnerable if applicable
URL when Threat Category is domain-edl

Threat/Content Name (threatID)

<threatname>
<threatid>

Text/String/Number

Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes

Category (category)

<subject>

Text/String

For the URL Subtype, it is the URL Category; For the WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.

Severity (severity)

<severity>

Text/String

Severity associated with the threat; values are informational, low, medium, high, critical.

Device Name (device_name)

<objectname>

Text/String

The hostname of the firewall on which the session was logged.

Application Characteristic (characteristic_of_app)**

<group>

Text/String

Comma-separated list of applicable characteristics of the application