V 2.0 Vulnerability Threat Messages

Vendor Documentation

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields.html

Classification

Rule Name	Rule Type	Common Event	Classification
V 2.0 Vulnerability Threat Messages	Base Rule	Vuln Medium Severity: Firewall	Vulnerability
V 2.0 Potential Vulnerability Exploit Alert	Sub Rule	Vuln Medium Severity: Information Gathering	Vulnerability
V 2.0 Potential Vulnerability Exploit Allowed	Sub Rule	Potential Vulnerability Exploit Allowed	Activity
V 2.0 Vulnerability Exploit Blocked	Sub Rule	Failed General Attack Activity	Failed Attack

Mapping with LogRhythm Schema

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Type (type)	<vmid>	Text/String	Specifies the type of log; the value is THREAT.
Threat/Content Type (subtype)	<vendorinfo>	Text/String	A subtype of threat log. Values include the following: data—Data pattern matching a Data Filtering profile. file—File type matching a File Blocking profile. flood—Flood detected via a Zone Protection profile. packet—Packet-based attack protection triggered by a Zone Protection profile. scan—Scan detected via a Zone Protection profile. spyware —Spyware detected via an Anti-Spyware profile. url—URL filtering log. ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile. virus—Virus detected via an Antivirus profile. vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile. wildfire —A WildFire verdict is generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log. wildfire-virus—Virus detected via an Antivirus profile.
Source address (src)	<sip>	IP Address	Original session source IP address
Destination address (dst)	<dip>	IP Address	Original session destination IP address
NAT Source IP (natsrc)	<snatip>	IP Address	If Source NAT is performed, the post-NAT Source IP address
NAT Destination IP (natdst)	<dnatip>	IP Address	If Destination NAT is performed, the post-NAT Destination IP address
Rule Name (rule)	<policy>	Text/String	Name of the rule that the session matched
Source User (srcuser)	<domainorigin> <login>	Text/String	The username of the user who initiated the session
Destination User (dstuser)	<domainimpacted> <account>	Text/String	The username of the user to which the session was destined
Inbound Interface (inbound_if)	<sinterface>	Text/String	Interface that the session was sourced from
Outbound Interface (outbound_if)	<dinterface>	Text/String	Interface that the session was destined to
Session ID (sessionid)	<session>	Number	An internal numerical identifier is applied to each session
Repeat Count (repeatcnt)	<quantity>	Number	Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds
Source Port (sport)	<sport>	Number	Source port utilized by the session
Destination Port (dport)	<dport>	Number	Destination port utilized by the session
NAT Source Port (natsport)	<snatport>	Number	Post-NAT source port
NAT Destination Port (natdport)	<dnatport>	Number	Post-NAT destination port
IP Protocol (proto)	<protname>	Text/String	IP protocol associated with the session
Action (action)	<action> <tag1>	Text/String	Action is taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, and block-URL. alert—threat or URL detected but not blocked allow— flood detection alert deny—flood detection mechanism activated and deny traffic based on configuration drop— threat detected and associated session was dropped reset-client —threat detected and a TCP RST is sent to the client reset-server —threat detected and a TCP RST is sent to the server reset-both —threat detected and a TCP RST is sent to both the client and the server block-URL —The URL request was blocked because it matched a URL category that was set to be blocked block-ip—threat detected and client IP is blocked random-drop—flood detected and a packet was randomly dropped sinkhole—DNS sinkhole activated syncookie-sent—syncookie alert block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a passcode from the firewall administrator to continue override-lockout (URL subtype only)—too many failed admin override passcode attempts from the source IP. IP is now blocked from the block-override redirect page override (URL subtype only)—response to a block-override page where a correct passcode is provided and the request is allowed block (Wildfire only)—The file was blocked by the firewall and uploaded to Wildfire
URL/Filename (misc)	<object>	Text/String	Field with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters The actual URI when the subtype is URL File name or file type when the subtype is a file File name when the subtype is virus File name when the subtype is wildfire-virus File name when the subtype is wildfire URL or File name when the subtype is vulnerable if applicable URL when Threat Category is domain-edl
Threat/Content Name (threatID)	<threatname> <threatid>	Text/String/Number	Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes
Category (category)	<subject>	Text/String	For the URL Subtype, it is the URL Category; For the WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.
Severity (severity)	<severity>	Text/String	Severity associated with the threat; values are informational, low, medium, high, critical.
Device Name (device_name)	<objectname>	Text/String	The hostname of the firewall on which the session was logged.
Application Characteristic (characteristic_of_app)**	<result>	Text/String	Comma-separated list of applicable characteristics of the application