Decryption LEEF Fields

Table of Contents

Decryption LEEF Fields

Example Decryption log in LEEF:

Sep 21 02:00:51 gke-standard-cluster-2-pool-3-f004381a-0gw6 2462 <14>1 2021-09-21T02:00:51.988Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|Cleartext|	|TimeReceived=2021-09-21T02:00:51.000000Z	DeviceSN=xxxxxxxxxxxxx	cat=decryption	SubType=start	ConfigVersion=10.1	devTime=2021-09-21T02:00:48.000000Z	src=xxx.xx.x.xx	dst=xxx.xx.x.xx	srcPostNAT=xxx.xx.x.xx	dstPostNAT=xxx.xx.x.xx	Rule=deny-attackers	usrName=paloaltonetwork\xxxxx	DestinationUser=xxxxx\xxxxx o"'"test	Application=chrome-remote-desktop	VirtualLocation=vsys1	FromZone=ethernet4Zone-test1	ToZone=partners	InboundInterface=ethernet1/1	OutboundInterface=ethernet1/4	LogSetting=rs-logging	TimeReceivedManagementPlane=2021-09-21T02:00:48.000000Z	SessionID=643753	CountOfRepeat=1	srcPort=5327	dstPort=13609	srcPostNATPort=28043	dstPostNATPort=21523	proto=tcp	Action=allow	Tunnel=IPSEC	SourceUUID=	DestinationUUID=	RuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615	ClientToFirewall=Unknown	FirewallToClient=Unknown	TLSVersion=SSL2.0	TLSKeyExchange=TLS1.3	TLSEncryptionAlgorithm=CHACHA20_POLY1305	TLSAuth=SHA512	PolicyName=	EllipticCurve=X9_62_prime192v1	ErrorIndex=None	RootStatus=uninspected	ChainStatus=Uninspected	CertificateSerial=bd786e20508c58d8bed	Fingerprint=fb9291df2dbeaf773075061a50181b42ca92e8ce4aed36353eed764230985a9b	TimeNotBefore=1632189648	TimeNotAfter=1634781648	CertificateVersion=V3	CertificateSize=571	CommonNameLength=23	IssuerNameLength=32	RootCNLength=32	SNILength=21	CertificateFlags=4	CommonName=CN = Bin Lu Server Cert	IssuerCommonName=CN = Thawte  Premium  Server CA1	RootCommonName=CN = Thawte  Premium  Server CA1	ServerNameIndication=devop-host.panw.local	ErrorMessage=	ContainerID=1873cc5c-0d31	ContainerNameSpace=pns_default	ContainerName=pan-dp-77754f4	SourceEDL=	DestinationEDL=	SourceDynamicAddressGroup=	DestinationDynamicAddressGroup=	TimeGeneratedHighResolution=2021-09-21T02:00:48.822000Z	SourceDeviceCategory=A-Phone	SourceDeviceProfile=a-profile	SourceDeviceModel=iPhone	SourceDeviceVendor=Apple	SourceDeviceOSFamily=X	SourceDeviceOSVersion=iOS 11	SourceDeviceHost=pan-211	SourceDeviceMac=304566879056	DestinationDeviceCategory=A-Phone	DestinationDeviceProfile=a-profile	DestinationDeviceModel=iPhone	DestinationDeviceVendor=Apple	DestinationDeviceOSFamily=9	DestinationDeviceOSVersion=iOS 9	DestinationDeviceHost=pan-233	DestinationDeviceMac=743514319696	SequenceNo=7003061089434423021	devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the Decryption field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
Action	action.value	Custom
Application	app	Custom
ApplicationCategory	app_category	Custom
ApplicationSubcategory	app_sub_category	Custom
CertificateFlags	cert_flags	Custom
CertificateSerial	cert_serial	Custom
CertificateSize	certificate_size	Custom
CertificateVersion	certificate_version.value	Custom
ChainStatus	chain_status.value	Custom
ApplicationCharacteristics	characteristics_of_app	Custom
ClientToFirewall	client_to_firewall.value	Custom
CommonName	cn	Custom
CommonNameLength	cn_len	Custom
ConfigVersion	config_version.value	Custom
ContainerID	container_id	Custom
ApplicationContainer	container_of_app	Custom
CountOfRepeat	count_of_repeats	Custom
Cpadding	cpadding	Custom
CortexDataLakeTenantID	customer_id	Custom
DestinationDeviceCategory	dest_device_category	Custom
DestinationDeviceClass	dest_device_class	Custom
DestinationDeviceHost	dest_device_host	Custom
DestinationDeviceMac	dest_device_mac	Custom
DestinationDeviceModel	dest_device_model	Custom
DestinationDeviceOS	dest_device_os	Custom
DestinationDeviceOSFamily	dest_device_osfamily	Custom
DestinationDeviceOSVersion	dest_device_osversion	Custom
DestinationDeviceProfile	dest_device_profile	Custom
DestinationDeviceVendor	dest_device_vendor	Custom
DestinationDynamicAddressGroup	dest_dynamic_address_group	Custom
DestinationEDL	dest_edl	Custom
dst	dest_ip.value	Predefined
DestinationLocation	dest_location	Custom
dstPort	dest_port	Predefined
DestinationUser	dest_user	Custom
DestinationUserDomain	dest_user_info.domain	Custom
DestinationUserName	dest_user_info.name	Custom
DestinationUserUUID	dest_user_info.uuid	Custom
DestinationUUID	dest_uuid	Custom
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
Domain	domain	Custom
EllipticCurve	elliptic_curve.value	Custom
ErrorIndex	error_index.value	Custom
ErrorMessage	error_message	Custom
Fingerprint	fingerprint	Custom
FirewallToClient	firewall_to_client.value	Custom
FromZone	from_zone	Custom
InboundInterface	inbound_if.value	Custom
InboundInterfaceDetailsPort	inbound_if_details.port	Custom
InboundInterfaceDetailsSlot	inbound_if_details.slot	Custom
InboundInterfaceDetailsType	inbound_if_details.type.value	Custom
InboundInterfaceDetailsUnit	inbound_if_details.unit	Custom
CaptivePortal	is_captive_portal	Custom
IsCertECDSA	is_cert_ECDSA	Custom
IsCertRSA	is_cert_RSA	Custom
IsCertCNTruncated	is_cert_cn_truncated	Custom
IsClienttoServer	is_client_to_server	Custom
IsContainer	is_container	Custom
IsDecryptMirror	is_decrypt_mirror	Custom
IsDecrypted	is_decrypted	Custom
IsDuplicateLog	is_dup_log	Custom
IsEncrypted	is_encrypted	Custom
LogExported	is_exported	Custom
IsForwarded	is_forwarded	Custom
IsIPV6	is_ipv6	Custom
IsIssuerCNTruncated	is_issuer_cn_truncated	Custom
IsMptcpOn	is_mptcp_on	Custom
IsNAT	is_nat	Custom
IsNonStandardDestinationPort	is_non_std_dest_port	Custom
PacketCapture	is_packet_capture	Custom
IsPhishing	is_phishing	Custom
IsPrismaNetwork	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
IsProxy	is_proxy	Custom
IsReconExcluded	is_recon_excluded	Custom
IsResumeSession	is_resume_session	Custom
IsRootCNTruncated	is_root_cn_truncated	Custom
IsSaaSApplication	is_saas_app	Custom
IsServertoClient	is_server_to_client	Custom
IsSNITruncated	is_sni_truncated	Custom
IsSourceXForwarded	is_source_x_fwded	Custom
IsSystemReturn	is_sym_return	Custom
IsTransaction	is_transaction	Custom
IsTunnelInspected	is_tunnel_inspected	Custom
IsURLDenied	is_url_denied	Custom
IssuerCommonName	issuer_cn	Custom
IssuerNameLength	issuer_len	Custom
LogSetting	log_set	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
dstPostNAT	nat_dest.value	Predefined
dstPostNATPort	nat_dest_port	Predefined
srcPostNAT	nat_source.value	Predefined
srcPostNATPort	nat_source_port	Predefined
TimeNotAfter	not_after	Custom
TimeNotBefore	not_before	Custom
OutboundInterface	outbound_if.value	Custom
OutboundInterfaceDetailsPort	outbound_if_details.port	Custom
OutboundInterfaceDetailsSlot	outbound_if_details.slot	Custom
OutboundInterfaceDetailsType	outbound_if_details.type.value	Custom
OutboundInterfaceDetailsUnit	outbound_if_details.unit	Custom
Padding	padding	Custom
Padding3	padding3	Custom
PanoramaSN	panorama_serial	Custom
PlatformType	platform_type	Custom
ContainerName	pod_name	Custom
ContainerNameSpace	pod_namespace	Custom
PolicyName	policy_name	Custom
proto	protocol.value	Predefined
EventID	proxy_type.value	Header
ApplicationRisk	risk_of_app	Custom
RootCommonName	root_cn	Custom
RootCNLength	root_cn_len	Custom
RootStatus	root_status.value	Custom
Rule	rule_matched	Custom
RuleUUID	rule_matched_uuid	Custom
SanctionedStateOfApp	sanctioned_state_of_app	Custom
SequenceNo	sequence_no	Custom
SessionID	session_id	Custom
ServerNameIndication	sni	Custom
SNILength	sni_len	Custom
SourceDeviceCategory	source_device_category	Custom
SourceDeviceClass	source_device_class	Custom
SourceDeviceHost	source_device_host	Custom
SourceDeviceMac	source_device_mac	Custom
SourceDeviceModel	source_device_model	Custom
SourceDeviceOS	source_device_os	Custom
SourceDeviceOSFamily	source_device_osfamily	Custom
SourceDeviceOSVersion	source_device_osversion	Custom
SourceDeviceProfile	source_device_profile	Custom
SourceDeviceVendor	source_device_vendor	Custom
SourceDynamicAddressGroup	source_dynamic_address_group	Custom
SourceEDL	source_edl	Custom
src	source_ip.value	Predefined
SourceLocation	source_location	Custom
srcPort	source_port	Predefined
usrName	source_user	Predefined
SourceUserDomain	source_user_info.domain	Custom
SourceUserName	source_user_info.name	Custom
SourceUserUUID	source_user_info.uuid	Custom
SourceUUID	source_uuid	Custom
SubType	sub_type.value	Custom
ApplicationTechnology	technology_of_app	Custom
devTime	time_generated	Predefined
TimeGeneratedHighResolution	time_generated_high_res	Custom
TimeReceivedManagementPlane	time_received_mp	Custom
TLSAuth	tls_auth.value	Custom
TLSEncryptionAlgorithm	tls_enc_algorithm.value	Custom
TLSKeyExchange	tls_keyxchange.value	Custom
TLSVersion	tls_version.value	Custom
ToZone	to_zone	Custom
Tpadding	tpadding	Custom
Tunnel	tunnel.value	Custom
TunneledApplication	tunneled_app	Custom
Vendor	vendor_name	Header
Vpadding	vpadding	Custom
VirtualLocation	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom

Decryption HTTPS Fields

File

Strata Logging Service Docs

Decryption LEEF Fields

Strata Logging Service Docs

Decryption LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner