Skip to main content
Skip table of contents

V 2.0 Wildfire-Virus Threat Messages

Vendor Documentation


Rule Name

Rule Type

Common Event


V 2.0 Wildfire-Virus Threat Messages

Base Rule

General Threat Message


V 2.0 Potentially Malicious File Allowed

Sub RuleDetected Malware Activity


V 2.0 Potentially Malicious File AllowedSub RuleDetected Malware ActivityMalware
V 2.0 Malicious File Blocked By WildfireSub RuleFailed Malware ActivityFailed Malware

Mapping with LogRhythm Schema  

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
Type (type)<vmid>Text/StringSpecifies the type of log; value is THREAT.
Threat/Content Type (subtype)<vendorinfo>Text/StringSubtype of threat log. Values include the following:
data—Data pattern matching a Data Filtering profile.
file—File type matching a File Blocking profile.
flood—Flood detected via a Zone Protection profile.
packet—Packet-based attack protection triggered by a Zone Protection profile.
scan—Scan detected via a Zone Protection profile.
spyware —Spyware detected via an Anti-Spyware profile.
url—URL filtering log.
ml-virus—Virus detected by WildFire Inline ML via an Antivirus profile.
virus—Virus detected via an Antivirus profile.
vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile.
wildfire —A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malware, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
wildfire-virus—Virus detected via an Antivirus profile.
Source address (src)<sip>IP AddressOriginal session source IP address
Destination address (dst)<dip>IP AddressOriginal session destination IP address
NAT Source IP (natsrc)<snatip>IP AddressIf Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst)<dnatip>IP AddressIf Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule)<policy>Text/StringName of the rule that the session matched
Source User (srcuser)<domainorigin>
Text/StringUsername of the user who initiated the session
Inbound Interface (inbound_if)<sinterface>Text/StringInterface that the session was sourced from
Outbound Interface (outbound_if)<dinterface>Text/StringInterface that the session was destined to
Session ID (sessionid)<session>NumberAn internal numerical identifier applied to each session
Repeat Count (repeatcnt)<quantity>NumberNumber of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds
Source Port (sport)<sport>NumberSource port utilized by the session
Destination Port (dport)<dport>NumberDestination port utilized by the session
NAT Source Port (natsport)<snatport>NumberPost-NAT source port
NAT Destination Port (natdport)<dnatport>NumberPost-NAT destination port
IP Protocol (proto)<protname>Text/StringIP protocol associated with the session
Action (action)<action>
Text/StringAction taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
alert—threat or URL detected but not blocked
allow— flood detection alert
deny—flood detection mechanism activated and deny traffic based on configuration
drop— threat detected and associated session was dropped
reset-client —threat detected and a TCP RST is sent to the client
reset-server —threat detected and a TCP RST is sent to the server
reset-both —threat detected and a TCP RST is sent to both the client and the server
block-url —URL request was blocked because it matched a URL category that was set to be blocked
block-ip—threat detected and client IP is blocked
random-drop—flood detected and packet was randomly dropped
sinkhole—DNS sinkhole activated
syncookie-sent—syncookie alert
block-continue (URL subtype only)—a HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed
continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed
block-override (URL subtype only)—a HTTP request is blocked and redirected to an Admin override page that requires a pass code from the firewall administrator to continue
override-lockout (URL subtype only)—too many failed admin override pass code attempts from the source IP. IP is now blocked from the block-override redirect page
override (URL subtype only)—response to a block-override page where a correct pass code is provided and the request is allowed
block (Wildfire only)—file was blocked by the firewall and uploaded to Wildfire
URL/Filename (misc)<object>Text/StringField with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters
The actual URI when the subtype is url
File name or file type when the subtype is file
File name when the subtype is virus
File name when the subtype is wildfire-virus
File name when the subtype is wildfire
URL or File name when the subtype is vulnerability if applicable
URL when Threat Category is domain-edl
Threat/Content Name (threatid)<threatname>
Text/String/NumberPalo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes
Severity (severity)<severity>Text/StringSeverity associated with the threat; values are informational, low, medium, high, critical.
Sender (sender)<sender>Text/StringSpecifies the name of the sender of an email.
Subject (subject)<subject>Text/StringSpecifies the subject of an email.
Recipient (recipient)<recipient>Text/StringSpecifies the name of the receiver of an email.
Application Characteristic (characteristic_of_app)**<objectname>Text/StringComma-separated list of applicable characteristic of the application
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.