Skip to main content
Skip table of contents

V 2.0 Wildfire Threat Messages

Vendor Documentation

Classification

Rule Name

Rule Type

Common Event

Classification

V 2.0 Wildfire Threat MessagesBase RuleGeneral Threat MessageActivity
V 2.0 Wildfire Malicious File BlockedSub RuleFailed Malware ActivityFailed Malware
V 2.0 Wildfire Benign DeterminationSub RuleGeneral ActivityActivity
V 2.0 Wildfire Grayware DeterminationSub RulePossible Malware ActivityMalware
V 2.0 Wildfire Malware DeterminationSub RuleDetected Malware ActivityMalware
V 2.0 Wildfire Phishing DeterminationSub RuleFailed Phishing ActivityFailed Attack

Mapping with LogRhythm Schema  

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Type (type)<vmid>Text/StringSpecifies the type of log; value is THREAT.
Threat/Content Type (subtype)<vendorinfo>Text/StringSubtype of threat log. Values include the following:
data—Data pattern matching a Data Filtering profile.
file—File type matching a File Blocking profile.
flood—Flood detected via a Zone Protection profile.
packet—Packet-based attack protection triggered by a Zone Protection profile.
scan—Scan detected via a Zone Protection profile.
spyware —Spyware detected via an Anti-Spyware profile.
url—URL filtering log.
ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile.
virus—Virus detected via an Antivirus profile.
vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile.
wildfire —A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
wildfire-virus—Virus detected via an Antivirus profile.
Source address (src)<sip>IP AddressOriginal session source IP address
Destination address (dst)<dip>IP AddressOriginal session destination IP address
NAT Source IP (natsrc)<snatip>IP AddressIf Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst)<dnatip>IP AddressIf Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule)<policy>Text/StringName of the rule that the session matched
Source User (srcuser)<domainorigin>
<login>
Text/StringUsername of the user who initiated the session
Inbound Interface (inbound_if)<sinterface>Text/StringInterface that the session was sourced from
Outbound Interface (outbound_if)<dinterface>Text/StringInterface that the session was destined to
Session ID (sessionid)<session>NumberAn internal numerical identifier applied to each session
Repeat Count (repeatcnt)<quantity>NumberNumber of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds
Source Port (sport)<sport>NumberSource port utilized by the session
Destination Port (dport)<dport>NumberDestination port utilized by the session
NAT Source Port (natsport)<snatport>NumberPost-NAT source port
NAT Destination Port (natdport)<dnatport>NumberPost-NAT destination port
IP Protocol (proto)<protname>Text/StringIP protocol associated with the session
Action (action)<action>
<tag1>
Text/StringAction taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
alert—threat or URL detected but not blocked
allow— flood detection alert
deny—flood detection mechanism activated and deny traffic based on configuration
drop— threat detected and associated session was dropped
reset-client —threat detected and a TCP RST is sent to the client
reset-server —threat detected and a TCP RST is sent to the server
reset-both —threat detected and a TCP RST is sent to both the client and the server
block-url —URL request was blocked because it matched a URL category that was set to be blocked
block-ip—threat detected and client IP is blocked
random-drop—flood detected and packet was randomly dropped
sinkhole—DNS sinkhole activated
syncookie-sent—syncookie alert
block-continue (URL subtype only)—a HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed
continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed
block-override (URL subtype only)—a HTTP request is blocked and redirected to an Admin override page that requires a pass code from the firewall administrator to continue
override-lockout (URL subtype only)—too many failed admin override pass code attempts from the source IP. IP is now blocked from the block-override redirect page
override (URL subtype only)—response to a block-override page where a correct pass code is provided and the request is allowed
block (Wildfire only)—file was blocked by the firewall and uploaded to Wildfire
URL/Filename (misc)<object>Text/StringField with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters
The actual URI when the subtype is url
File name or file type when the subtype is file
File name when the subtype is virus
File name when the subtype is wildfire-virus
File name when the subtype is wildfire
URL or File name when the subtype is vulnerability if applicable
URL when Threat Category is domain-edl
Threat/Content Name (threatid)<threatname>
<threatid>
Text/String/NumberPalo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes
Category (category)<result>
<tag2>
Text/StringFor URL Subtype, it is the URL Category; For WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.
Severity (severity)<severity>Text/StringSeverity associated with the threat; values are informational, low, medium, high, critical.
File Digest (filedigest)<hash>Text/StringOnly for WildFire subtype; all other types do not use this field
The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service.
File Type (filetype)<objecttype>Text/StringOnly for WildFire subtype; all other types do not use this field.
Specifies the type of file that the firewall forwarded for WildFire analysis.
Sender (sender)<sender>Text/StringSpecifies the name of the sender of an email.
Subject (subject)<subject>Text/StringSpecifies the subject of an email.
Recipient (recipient)<recipient>Text/StringSpecifies the name of the receiver of an email.
Application Characteristic (characteristic_of_app)**<objectname>Text/StringComma-separated list of applicable characteristic of the application
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.