V 2.0 Wildfire Threat Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Wildfire Threat Messages | Base Rule | General Threat Message | Activity |
V 2.0 Wildfire Malicious File Blocked | Sub Rule | Failed Malware Activity | Failed Malware |
V 2.0 Wildfire Benign Determination | Sub Rule | General Activity | Activity |
V 2.0 Wildfire Grayware Determination | Sub Rule | Possible Malware Activity | Malware |
V 2.0 Wildfire Malware Determination | Sub Rule | Detected Malware Activity | Malware |
V 2.0 Wildfire Phishing Determination | Sub Rule | Failed Phishing Activity | Failed Attack |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Type (type) | <vmid> | Text/String | Specifies the type of log; the value is THREAT. |
Threat/Content Type (subtype) | <vendorinfo> | Text/String | The subtype of threat log. Values include the following:
|
Source address (src) | <sip> | IP Address | Original session source IP address |
Destination address (dst) | <dip> | IP Address | Original session destination IP address |
NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address |
NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address |
Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched |
Source User (srcuser) | <domainorigin> <login> | Text/String | The username of the user who initiated the session |
Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
Outbound Interface (outbound_if) | <dinterface> | Text/String | Interface that the session was destined to |
Session ID (sessionid) | <session> | Number | An internal numerical identifier is applied to each session |
Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds |
Source Port (sport) | <sport> | Number | Source port utilized by the session |
Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port |
NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port |
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
Action (action) | <action> <tag1> | Text/String | Action is taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, and block-URL. alert—threat or URL detected but not blocked allow— flood detection alert deny—flood detection mechanism activated and deny traffic based on configuration drop— threat detected and associated session was dropped reset-client —threat detected and a TCP RST is sent to the client reset-server —threat detected and a TCP RST is sent to the server reset-both —threat detected and a TCP RST is sent to both the client and the server block-URL —The URL request was blocked because it matched a URL category that was set to be blocked block-ip—threat detected and client IP is blocked random-drop—flood detected and a packet was randomly dropped sinkhole—DNS sinkhole activated syncookie-sent—syncookie alert block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a passcode from the firewall administrator to continue override-lockout (URL subtype only)—too many failed admin override passcode attempts from the source IP. IP is now blocked from the block-override redirect page override (URL subtype only)—response to a block-override page where a correct passcode is provided and the request is allowed block (Wildfire only)—The file was blocked by the firewall and uploaded to Wildfire |
URL/Filename (misc) | <object> | Text/String | Field with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters The actual URI when the subtype is URL File name or file type when the subtype is a file File name when the subtype is virus File name when the subtype is wildfire-virus File name when the subtype is wildfire URL or File name when the subtype is vulnerable if applicable URL when Threat Category is domain-edl |
Threat/Content Name (threatID) | <threatname> <threatid> | Text/String/Number | Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes |
Category (category) | <result> <tag2> | Text/String | For the URL Subtype, it is the URL Category; For the WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’. |
Severity (severity) | <severity> | Text/String | Severity associated with the threat; values are informational, low, medium, high, critical. |
File Digest (filedigest) | <hash> | Text/String | Only for the WildFire subtype; all other types do not use this field The file digest string shows the binary hash of the file sent to be analyzed by the WildFire service. |
File Type (filetype) | <objecttype> | Text/String | Only for the WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis. |
Sender (sender) | <sender> | Text/String | Specifies the name of the sender of an email. |
Subject (subject) | <subject> | Text/String | Specifies the subject of an email. |
Recipient (recipient) | <recipient> | Text/String | Specifies the name of the receiver of an email. |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
Application Characteristic (characteristic_of_app)** | <result> | Text/String | Comma-separated list of applicable characteristics of the application |