V 2.0 Vulnerability Threat Messages

Vendor Documentation

Classification

Rule Name | Rule Type | Common Event | Classification
--- | --- | --- | ---
V 2.0 Vulnerability Threat Messages | Base Rule | Vuln Medium Severity: Firewall | Vulnerability
V 2.0 Potential Vulnerability Exploit Alert | Sub Rule | Vuln Medium Severity: Information Gathering | Vulnerability
V 2.0 Potential Vulnerability Exploit Allowed | Sub Rule | Potential Vulnerability Exploit Allowed | Activity
V 2.0 Vulnerability Exploit Blocked | Sub Rule | Failed General Attack Activity | Failed Attack

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description
--- | --- | --- | ---
Type (type) | <vmid> | Text/String | Specifies the type of log; the value is THREAT.
Threat/Content Type (subtype) | <vendorinfo> | Text/String | A subtype of threat log; the possible values are listed below the table.
Source address (src) | <sip> | IP Address | Original session source IP address
Destination address (dst) | <dip> | IP Address | Original session destination IP address
NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address
NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address
Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched
Source User (srcuser) | <domainorigin>, <login> | Text/String | The username of the user who initiated the session
Destination User (dstuser) | <domainimpacted>, <account> | Text/String | The username of the user to which the session was destined
Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from
Outbound Interface (outbound_if) | <dinterface> | Text/String | Interface that the session was destined to
Session ID (sessionid) | <session> | Number | An internal numerical identifier applied to each session
Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds
Source Port (sport) | <sport> | Number | Source port utilized by the session
Destination Port (dport) | <dport> | Number | Destination port utilized by the session
NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port
NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session
Action (action) | <action>, <tag1> | Text/String | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, and block-URL. The full list of values is given below the table.
URL/Filename (misc) | <object> | Text/String | Field with variable length. A filename has a maximum of 63 characters; a URL has a maximum of 1023 characters. What the field holds depends on the subtype; see the list below the table.
Threat/Content Name (threatID) | <threatname>, <threatid> | Text/String/Number | Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some subtypes.
Category (category) | <subject> | Text/String | For the URL subtype, it is the URL category; for the WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; for other subtypes, the value is ‘any’.
Severity (severity) | <severity> | Text/String | Severity associated with the threat; values are informational, low, medium, high, critical.
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged.
Application Characteristic (characteristic_of_app) | <group> | Text/String | Comma-separated list of applicable characteristics of the application

Threat/Content Type (subtype) values:

  • data—Data pattern matching a Data Filtering profile.
  • file—File type matching a File Blocking profile.
  • flood—Flood detected via a Zone Protection profile.
  • packet—Packet-based attack protection triggered by a Zone Protection profile.
  • scan—Scan detected via a Zone Protection profile.
  • spyware—Spyware detected via an Anti-Spyware profile.
  • url—URL filtering log.
  • ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile.
  • virus—Virus detected via an Antivirus profile.
  • vulnerability—Vulnerability exploit detected via a Vulnerability Protection profile.
  • wildfire—A WildFire verdict is generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
  • wildfire-virus—Virus detected via an Antivirus profile.

Action (action) values:

  • alert—threat or URL detected but not blocked
  • allow—flood detection alert
  • deny—flood detection mechanism activated and traffic denied based on configuration
  • drop—threat detected and associated session was dropped
  • reset-client—threat detected and a TCP RST is sent to the client
  • reset-server—threat detected and a TCP RST is sent to the server
  • reset-both—threat detected and a TCP RST is sent to both the client and the server
  • block-URL—the URL request was blocked because it matched a URL category that was set to be blocked
  • block-ip—threat detected and client IP is blocked
  • random-drop—flood detected and a packet was randomly dropped
  • sinkhole—DNS sinkhole activated
  • syncookie-sent—syncookie alert
  • block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed
  • continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed
  • block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a passcode from the firewall administrator to continue
  • override-lockout (URL subtype only)—too many failed admin override passcode attempts from the source IP; the IP is now blocked from the block-override redirect page
  • override (URL subtype only)—response to a block-override page where a correct passcode is provided and the request is allowed
  • block (WildFire only)—the file was blocked by the firewall and uploaded to WildFire

URL/Filename (misc) content by subtype:

  • The actual URI when the subtype is url
  • File name or file type when the subtype is file
  • File name when the subtype is virus
  • File name when the subtype is wildfire-virus
  • File name when the subtype is wildfire
  • URL or file name when the subtype is vulnerability, if applicable
  • URL when the Threat Category is domain-edl
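The following Python example is added here and is not code from the LogRhythm or Palo Alto Networks documentation: it parses a constructed THREAT log line, applies the device-key-to-schema mapping from the table above, splits Threat/Content Name into its description string and numeric identifier, and picks a sub rule from the action. It assumes a key="value" syslog layout, a DOMAIN\user form for the user fields, and an action-to-sub-rule mapping inferred from the sub rule names, none of which the page states.

```python
import re

# Device key -> LogRhythm schema field, taken from the mapping table on this page.
SCHEMA_MAP = {
    "type": "vmid", "subtype": "vendorinfo", "src": "sip", "dst": "dip",
    "natsrc": "snatip", "natdst": "dnatip", "rule": "policy", "proto": "protname",
    "inbound_if": "sinterface", "outbound_if": "dinterface", "sessionid": "session",
    "repeatcnt": "quantity", "sport": "sport", "dport": "dport", "misc": "object",
    "natsport": "snatport", "natdport": "dnatport", "category": "subject",
    "severity": "severity", "device_name": "objectname", "characteristic_of_app": "group",
}
NUMERIC = {"sessionid", "repeatcnt", "sport", "dport", "natsport", "natdport"}
# Assumed action -> sub rule choice: the page names the sub rules but does not state which actions select each.
SUB_RULE = {"alert": "V 2.0 Potential Vulnerability Exploit Alert",
            "allow": "V 2.0 Potential Vulnerability Exploit Allowed"}
for _a in ("deny", "drop", "drop-all-packets", "reset-client", "reset-server", "reset-both", "block-ip"):
    SUB_RULE[_a] = "V 2.0 Vulnerability Exploit Blocked"
THREAT_ID = re.compile(r"^(.*?)\s*\((\d+)\)$")  # description followed by (numeric id)

def parse_kv(line):
    """Parse an assumed key="value" syslog line into device-key fields."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def to_logrhythm(fields):
    """Map device keys to the LogRhythm schema names from the page's table."""
    out = {SCHEMA_MAP[k]: (int(v) if k in NUMERIC else v)
           for k, v in fields.items() if k in SCHEMA_MAP}
    if "action" in fields:                   # action fills both <action> and <tag1>
        out["action"] = out["tag1"] = fields["action"]
    m = THREAT_ID.match(fields.get("threatid", ""))
    if m:                                    # split "desc(12345)" into name and id
        out["threatname"], out["threatid"] = m.group(1), int(m.group(2))
    # srcuser/dstuser map to a domain field plus a user field; splitting
    # DOMAIN\user on the backslash is an assumption of this example.
    for key, dom, usr in (("srcuser", "domainorigin", "login"),
                          ("dstuser", "domainimpacted", "account")):
        if key in fields:
            out[dom], _, out[usr] = fields[key].rpartition("\\")
    return out

def sub_rule(fields):
    """Pick the sub rule for a vulnerability THREAT log from its action."""
    if fields.get("type") != "THREAT" or fields.get("subtype") != "vulnerability":
        return None
    return SUB_RULE.get(fields.get("action"))

# Constructed sample line; not a real firewall log.
SAMPLE = ('type="THREAT" subtype="vulnerability" src="10.0.0.5" dst="192.0.2.10" '
          'srcuser="CORP\\alice" sport="51234" dport="80" action="reset-both" '
          'threatid="Example Exploit Signature(99999)" severity="medium" misc="/index.php"')
```

Running `to_logrhythm(parse_kv(SAMPLE))` yields the schema-keyed record, and `sub_rule(parse_kv(SAMPLE))` selects the Blocked sub rule because the action is reset-both.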