Skip to main content
Skip table of contents

V 2.0 Wildfire Threat Messages

Vendor Documentation


Rule Name

Rule Type

Common Event


V 2.0 Wildfire Threat MessagesBase RuleGeneral Threat MessageActivity
V 2.0 Wildfire Malicious File BlockedSub RuleFailed Malware ActivityFailed Malware
V 2.0 Wildfire Benign DeterminationSub RuleGeneral ActivityActivity
V 2.0 Wildfire Grayware DeterminationSub RulePossible Malware ActivityMalware
V 2.0 Wildfire Malware DeterminationSub RuleDetected Malware ActivityMalware
V 2.0 Wildfire Phishing DeterminationSub RuleFailed Phishing ActivityFailed Attack

Mapping with LogRhythm Schema  

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Type (type)<vmid>Text/StringSpecifies the type of log; the value is THREAT.
Threat/Content Type (subtype)<vendorinfo>Text/StringThe subtype of threat log. Values include the following:
  • data—Data pattern matching a Data Filtering profile.
  • file—File type matching a File Blocking profile.
  • flood—Flood detected via a Zone Protection profile.
  • packet—Packet-based attack protection triggered by a Zone Protection profile.
  • scan—Scan detected via a Zone Protection profile.
  • spyware —Spyware detected via an Anti-Spyware profile.
  • url—URL filtering log.
  • ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile.
  • virus—Virus detected via an Antivirus profile.
  • vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile.
  • wildfire —A WildFire verdict is generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
  • wildfire-virus—Virus detected via an Antivirus profile.
Source address (src)<sip>IP AddressOriginal session source IP address
Destination address (dst)<dip>IP AddressOriginal session destination IP address
NAT Source IP (natsrc)<snatip>IP AddressIf Source NAT is performed, the post-NAT Source IP address
NAT Destination IP (natdst)<dnatip>IP AddressIf Destination NAT is performed, the post-NAT Destination IP address
Rule Name (rule)<policy>Text/StringName of the rule that the session matched
Source User (srcuser)<domainorigin>
Text/StringThe username of the user who initiated the session
Inbound Interface (inbound_if)<sinterface>Text/StringInterface that the session was sourced from
Outbound Interface (outbound_if)<dinterface>Text/StringInterface that the session was destined to
Session ID (sessionid)<session>NumberAn internal numerical identifier is applied to each session
Repeat Count (repeatcnt)<quantity>NumberNumber of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds
Source Port (sport)<sport>NumberSource port utilized by the session
Destination Port (dport)<dport>NumberDestination port utilized by the session
NAT Source Port (natsport)<snatport>NumberPost-NAT source port
NAT Destination Port (natdport)<dnatport>NumberPost-NAT destination port
IP Protocol (proto)<protname>Text/StringIP protocol associated with the session
Action (action)<action>
Text/StringAction is taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, and block-URL.
alert—threat or URL detected but not blocked
allow— flood detection alert
deny—flood detection mechanism activated and deny traffic based on configuration
drop— threat detected and associated session was dropped
reset-client —threat detected and a TCP RST is sent to the client
reset-server —threat detected and a TCP RST is sent to the server
reset-both —threat detected and a TCP RST is sent to both the client and the server
block-URL —The URL request was blocked because it matched a URL category that was set to be blocked
block-ip—threat detected and client IP is blocked
random-drop—flood detected and a packet was randomly dropped
sinkhole—DNS sinkhole activated
syncookie-sent—syncookie alert
block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed
continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed
block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a passcode from the firewall administrator to continue
override-lockout (URL subtype only)—too many failed admin override passcode attempts from the source IP. IP is now blocked from the block-override redirect page
override (URL subtype only)—response to a block-override page where a correct passcode is provided and the request is allowed
block (Wildfire only)—The file was blocked by the firewall and uploaded to Wildfire
URL/Filename (misc)<object>Text/StringField with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters
The actual URI when the subtype is URL
File name or file type when the subtype is a file
File name when the subtype is virus
File name when the subtype is wildfire-virus
File name when the subtype is wildfire
URL or File name when the subtype is vulnerable if applicable
URL when Threat Category is domain-edl
Threat/Content Name (threatID)<threatname>
Text/String/NumberPalo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes
Category (category)<result>
Text/StringFor the URL Subtype, it is the URL Category; For the WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.
Severity (severity)<severity>Text/StringSeverity associated with the threat; values are informational, low, medium, high, critical.
File Digest (filedigest)<hash>Text/StringOnly for the WildFire subtype; all other types do not use this field
The file digest string shows the binary hash of the file sent to be analyzed by the WildFire service.
File Type (filetype)<objecttype>Text/StringOnly for the WildFire subtype; all other types do not use this field.
Specifies the type of file that the firewall forwarded for WildFire analysis.
Sender (sender)<sender>Text/StringSpecifies the name of the sender of an email.
Subject (subject)<subject>Text/StringSpecifies the subject of an email.
Recipient (recipient)<recipient>Text/StringSpecifies the name of the receiver of an email.
Device Name (device_name)<objectname>Text/StringThe hostname of the firewall on which the session was logged.
Application Characteristic (characteristic_of_app)**<result>Text/StringComma-separated list of applicable characteristics of the application
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.