Strata Logging Service
Threat CEF Fields
Table of Contents
Expand All
|
Collapse All
Strata Logging Service Docs
Threat CEF Fields
Example Threat log in CEF:
Mar 1 20:48:22 gke-standard-cluster-2-default-pool-2c7fa720-sw0m 4465 <14>1 2021-03-01T20:48:22.900Z stream-logfwd20-587718190-03011242-xynu-harness-l80k logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|THREAT|spyware|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx start=Mar 01 2021 20:48:16 PanOSApplicationCategory=general-internet PanOSApplicationContainer=sina-weibo PanOSApplicationRisk=4 PanOSApplicationSubcategory=social-networking PanOSApplicationTechnology=browser-based PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSHTTPMethod=get PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=13884 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSPayloadProtocolID=-1 PanOSSanctionedStateOfApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=paloaltonetwork suser=xxxxx suid= cat=27379 PanOSThreatNameFirewall=27379 PanOSTunneledApplication=tunneled-app PanOSURLDomain= PanOSUsers=paloaltonetwork\\xxxxx PanOSVerdict= PanOSVirtualSystemID=1 c6a2=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a2Label=Source IPv6 Address c6a3=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a3Label=Destination IPv6 Address sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=deny-attackers cs1Label=Rule suser0=paloaltonetwork\\xxxxx duser0=paloaltonetwork\\xxxxx app=sina-weibo-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test4 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=947181 cn1Label=SessionID cnt=1 spt=13884 dpt=4228 sourceTranslatedPort=30116 destinationTranslatedPort=20966 proto=tcp act=drop-all request=some other fake filename PanOSThreatID=27379(27379) flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=LY PanOSDestinationLocation=BR fileId=0 PanOSFileHash= PanOSApplianceOrCloud= PanOSURLCounter=0 PanOSFileType= PanOSSenderEmail= PanOSEmailSubject= PanOSRecipientEmail= PanOSReportID=0 PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSThreatCategory=unknown PanOSContentVersion=50059 PanOSSigFlags=0x0 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=0 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=X-Phone PanOSSourceDeviceProfile=x-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=X-Phone PanOSDestinationDeviceProfile=x-profile PanOSDestinationDeviceModel=MI PanOSDestinationDeviceVendor=Xiaomi PanOSDestinationDeviceOSFamily=A1 PanOSDestinationDeviceOSVersion=Android v9.1 PanOSDestinationDeviceHost=pan-622 PanOSDestinationDeviceMac=620797415366 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash=0 PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=dc
The following table identifies the Threat field names that the Log Forwarding app
uses when you forward logs using the CEF log format.
|
CEF Name
|
Field Details
|
|---|---|
|
act
|
Query Name: action.value
Header Type: Predefined
Max Length: 63
|
|
app
|
Query Name: app
Header Type: Predefined
Max Length: 31
|
|
PanOSApplicationCategory
|
Query Name: app_category
Header Type: Custom
|
|
PanOSApplicationSubcategory
|
Query Name: app_sub_category
Header Type: Custom
|
|
PanOSApplianceOrCloud
|
Query Name: cloud
Header Type: Custom
|
|
PanOSCloudHostname
|
Query Name: cloud_hostname
Header Type: Custom
|
|
PanOSCloudReportID
|
Query Name: cloud_reportid
Header Type: Custom
|
|
PanOSConfigVersion
|
Query Name: config_version.value
Header Type: Custom
|
|
PanOSContainerID
|
Query Name: container_id
Header Type: Custom
|
|
PanOSApplicationContainer
|
Query Name: container_of_app
Header Type: Custom
|
|
PanOSContentVersion
|
Query Name: content_version
Header Type: Custom
|
|
cnt
|
Query Name: count_of_repeats
Header Type: Predefined
|
|
PanOSCortexDataLakeTenantID
|
Query Name: customer_id
Header Type: Custom
|
|
PanOSDestinationDeviceCategory
|
Query Name: dest_device_category
Header Type: Custom
|
|
PanOSDestinationDeviceClass
|
Query Name: dest_device_class
Header Type: Custom
|
|
PanOSDestinationDeviceHost
|
Query Name: dest_device_host
Header Type: Custom
|
|
PanOSDestinationDeviceMac
|
Query Name: dest_device_mac
Header Type: Custom
|
|
PanOSDestinationDeviceModel
|
Query Name: dest_device_model
Header Type: Custom
|
|
PanOSDestinationDeviceOS
|
Query Name: dest_device_os
Header Type: Custom
|
|
PanOSDestinationDeviceOSFamily
|
Query Name: dest_device_osfamily
Header Type: Custom
|
|
PanOSDestinationDeviceOSVersion
|
Query Name: dest_device_osversion
Header Type: Custom
|
|
PanOSDestinationDeviceProfile
|
Query Name: dest_device_profile
Header Type: Custom
|
|
PanOSDestinationDeviceVendor
|
Query Name: dest_device_vendor
Header Type: Custom
|
|
PanOSDestinationDynamicAddressGroup
|
Query Name: dest_dynamic_address_group
Header Type: Custom
|
|
PanOSDestinationEDL
|
Query Name: dest_edl
Header Type: Custom
|
|
dst or c6a3
|
Query Name: dest_ip.value
Header Type: Predefined
Label: || c6a3Label
Label Text: || Destination IPv6 Address
|
|
PanOSDestinationLocation
|
Query Name: dest_location
Header Type: Custom
|
|
dpt
|
Query Name: dest_port
Header Type: Predefined
|
|
duser
|
Query Name: dest_user
Header Type: Predefined
Max Length: 1023
|
|
dntdom
|
Query Name: dest_user_info.domain
Header Type: Predefined
Max Length: 255
|
|
dusername
|
Query Name: dest_user_info.name
Header Type: Predefined
Max Length: 255
|
|
duid
|
Query Name: dest_user_info.uuid
Header Type: Predefined
Max Length: 255
|
|
PanOSDestinationUUID
|
Query Name: dest_uuid
Header Type: Custom
|
|
PanOSDGHierarchyLevel1
|
Query Name: dg_hier_level_1
Header Type: Custom
|
|
PanOSDGHierarchyLevel2
|
Query Name: dg_hier_level_2
Header Type: Custom
|
|
PanOSDGHierarchyLevel3
|
Query Name: dg_hier_level_3
Header Type: Custom
|
|
PanOSDGHierarchyLevel4
|
Query Name: dg_hier_level_4
Header Type: Custom
|
|
flexString2
|
Query Name: direction_of_attack.value
Header Type: Predefined
Label: flexString2Label
Label Text: DirectionOfAttack
Max Length: 1023
|
|
PanOSDomainEDL
|
Query Name: domain_edl
Header Type: Custom
|
|
PanOSDynamicUserGroupName
|
Query Name: dynusergroup_name
Header Type: Custom
|
|
PanOSEndpointSerialNumber
|
Query Name: endpoint_serial_number
Header Type: Custom
|
|
request
|
Query Name: file_name
Header Type: Predefined
Max Length: 1023
|
|
PanOSFileHash
|
Query Name: file_sha_256
Header Type: Custom
|
|
PanOSFileType
|
Query Name: file_type
Header Type: Custom
|
|
PanOSFileURL
|
Query Name: file_url
Header Type: Custom
|
|
FlowType
|
Query Name: flow_type.value
Header Type: Custom
|
|
cs4
|
Query Name: from_zone
Header Type: Predefined
Label: cs4Label
Label Text: FromZone
Max Length: 4000
|
|
PanOSHostID
|
Query Name: host_id
Header Type: Custom
|
|
PanOSHTTP2Connection
|
Query Name: http2_connection
Header Type: Custom
|
|
PanOSHTTPMethod
|
Query Name: http_method.value
Header Type: Custom
|
|
deviceInboundInterface
|
Query Name: inbound_if.value
Header Type: Predefined
Max Length: 128
|
|
PanOSInboundInterfaceDetailsPort
|
Query Name: inbound_if_details.port
Header Type: Custom
|
|
PanOSInboundInterfaceDetailsSlot
|
Query Name: inbound_if_details.slot
Header Type: Custom
|
|
PanOSInboundInterfaceDetailsType
|
Query Name: inbound_if_details.type.value
Header Type: Custom
|
|
PanOSInboundInterfaceDetailsUnit
|
Query Name: inbound_if_details.unit
Header Type: Custom
|
|
PanOSCaptivePortal
|
Query Name: is_captive_portal
Header Type: Custom
|
|
PanOSIsClienttoServer
|
Query Name: is_client_to_server
Header Type: Custom
|
|
PanOSIsContainer
|
Query Name: is_container
Header Type: Custom
|
|
PanOSIsDecryptMirror
|
Query Name: is_decrypt_mirror
Header Type: Custom
|
|
PanOSIsDecrypted
|
Query Name: is_decrypted
Header Type: Custom
|
|
PanOSIsDuplicateLog
|
Query Name: is_dup_log
Header Type: Custom
|
|
PanOSIsEncrypted
|
Query Name: is_encrypted
Header Type: Custom
|
|
PanOSLogExported
|
Query Name: is_exported
Header Type: Custom
|
|
PanOSLogForwarded
|
Query Name: is_forwarded
Header Type: Custom
|
|
PanOSIsIPV6
|
Query Name: is_ipv6
Header Type: Custom
|
|
PanOSIsMptcpOn
|
Query Name: is_mptcp_on
Header Type: Custom
|
|
PanOSNAT
|
Query Name: is_nat
Header Type: Custom
|
|
PanOSIsNonStandardDestinationPort
|
Query Name: is_non_std_dest_port
Header Type: Custom
|
|
PanOSIsPacketCapture
|
Query Name: is_packet_capture
Header Type: Custom
|
|
PanOSIsPhishing
|
Query Name: is_phishing
Header Type: Custom
|
|
PanOSIsPrismaNetwork
|
Query Name: is_prisma_branch
Header Type: Custom
|
|
PanOSIsPrismaUsers
|
Query Name: is_prisma_mobile
Header Type: Custom
|
|
PanOSIsProxy
|
Query Name: is_proxy
Header Type: Custom
|
|
PanOSIsReconExcluded
|
Query Name: is_recon_excluded
Header Type: Custom
|
|
PanOSIsSaaSApplication
|
Query Name: is_saas_app
Header Type: Custom
|
|
PanOSIsServertoClient
|
Query Name: is_server_to_client
Header Type: Custom
|
|
PanOSIsSourceXForwarded
|
Query Name: is_source_x_fwded
Header Type: Custom
|
|
PanOSIsSystemReturn
|
Query Name: is_sym_return
Header Type: Custom
|
|
PanOSIsTransaction
|
Query Name: is_transaction
Header Type: Custom
|
|
PanOSIsTunnelInspected
|
Query Name: is_tunnel_inspected
Header Type: Custom
|
|
PanOSIsURLDenied
|
Query Name: is_url_denied
Header Type: Custom
|
|
PanOSK8SClusterID
|
Query Name: k8s_cluster_id
Header Type: Custom
|
|
PanOSLocalDeepLearningAnalyzed
|
Query Name: local_deep_learning
Header Type: Custom
|
|
PanOSLocation
|
Query Name: location
Header Type: Custom
|
|
cs6
|
Query Name: log_set
Header Type: Predefined
Label: cs6Label
Label Text: LogSetting
Max Length: 4000
|
|
PanOSLogSource
|
Query Name: log_source
Header Type: Custom
|
|
LogSourceGroupID
|
Query Name: log_source_group_id
Header Type: Custom
|
|
deviceExternalId
|
Query Name: log_source_id
Header Type: Predefined
Max Length: 255
|
|
dvchost
|
Query Name: log_source_name
Header Type: Predefined
Max Length: 100
|
|
PanOSLogSourceTimeZoneOffset
|
Query Name: log_source_tz_offset
Header Type: Custom
|
|
rt
|
Query Name: log_time
Header Type: Predefined
|
|
Device Event Class ID
|
Query Name: log_type.value
Header Type: Custom
|
|
PanOSIMEI
|
Query Name: monitor_tag_imei
Header Type: Custom
|
|
destinationTranslatedAddress
|
Query Name: nat_dest.value
Header Type: Predefined
|
|
destinationTranslatedPort
|
Query Name: nat_dest_port
Header Type: Predefined
|
|
sourceTranslatedAddress
|
Query Name: nat_source.value
Header Type: Predefined
|
|
sourceTranslatedPort
|
Query Name: nat_source_port
Header Type: Predefined
|
|
PanOSNonStandardDestinationPort
|
Query Name: non_standard_dest_port
Header Type: Custom
|
|
PanOSNSSAINetworkSliceType
|
Query Name: nssai_network_slice_type.value
Header Type: Custom
|
|
deviceOutboundInterface
|
Query Name: outbound_if.value
Header Type: Predefined
Max Length: 128
|
|
PanOSOutboundInterfaceDetailsPort
|
Query Name: outbound_if_details.port
Header Type: Custom
|
|
PanOSOutboundInterfaceDetailsSlot
|
Query Name: outbound_if_details.slot
Header Type: Custom
|
|
PanOSOutboundInterfaceDetailsType
|
Query Name: outbound_if_details.type.value
Header Type: Custom
|
|
PanOSOutboundInterfaceDetailsUnit
|
Query Name: outbound_if_details.unit
Header Type: Custom
|
|
PanOSPanoramaSN
|
Query Name: panorama_serial
Header Type: Custom
|
|
PanOSParentSessionID
|
Query Name: parent_session_id
Header Type: Custom
|
|
PanOSParentStarttime
|
Query Name: parent_start_time
Header Type: Custom
|
|
PanOSPartialHash
|
Query Name: partial_hash
Header Type: Custom
|
|
PanOSPayloadProtocolID
|
Query Name: payload_protocol_id
Header Type: Custom
|
|
PanOSPacket
|
Query Name: pcap
Header Type: Custom
|
|
fileId
|
Query Name: pcap_id
Header Type: Predefined
Max Length: 1023
|
|
PlatformType
|
Query Name: platform_type
Header Type: Custom
|
|
PanOSContainerName
|
Query Name: pod_name
Header Type: Custom
|
|
PanOSContainerNameSpace
|
Query Name: pod_namespace
Header Type: Custom
|
|
proto
|
Query Name: protocol.value
Header Type: Predefined
Max Length: 31
|
|
PanOSRecipientEmail
|
Query Name: recipient_of_virus
Header Type: Custom
|
|
PanOSReportID
|
Query Name: report_id
Header Type: Custom
|
|
PanOSApplicationRisk
|
Query Name: risk_of_app
Header Type: Custom
|
|
cs1
|
Query Name: rule_matched
Header Type: Predefined
Label: cs1Label
Label Text: Rule
Max Length: 4000
|
|
PanOSRuleUUID
|
Query Name: rule_matched_uuid
Header Type: Custom
|
|
PanOSSanctionedStateOfApp
|
Query Name: sanctioned_state_of_app
Header Type: Custom
|
|
PanOSSenderEmail
|
Query Name: sender_of_virus
Header Type: Custom
|
|
externalId
|
Query Name: sequence_no
Header Type: Predefined
Max Length: 40
|
|
cn1
|
Query Name: session_id
Header Type: Predefined
Label: cn1Label
Label Text: SessionID
|
|
PanOSSeverity
|
Query Name: severity
Header Type: Custom
|
|
PanOSSigFlags
|
Query Name: sig_flags
Header Type: Custom
|
|
PanOSSourceDeviceCategory
|
Query Name: source_device_category
Header Type: Custom
|
|
PanOSSourceDeviceClass
|
Query Name: source_device_class
Header Type: Custom
|
|
PanOSSourceDeviceHost
|
Query Name: source_device_host
Header Type: Custom
|
|
PanOSSourceDeviceMac
|
Query Name: source_device_mac
Header Type: Custom
|
|
PanOSSourceDeviceModel
|
Query Name: source_device_model
Header Type: Custom
|
|
PanOSSourceDeviceOS
|
Query Name: source_device_os
Header Type: Custom
|
|
PanOSSourceDeviceOSFamily
|
Query Name: source_device_osfamily
Header Type: Custom
|
|
PanOSSourceDeviceOSVersion
|
Query Name: source_device_osversion
Header Type: Custom
|
|
PanOSSourceDeviceProfile
|
Query Name: source_device_profile
Header Type: Custom
|
|
PanOSSourceDeviceVendor
|
Query Name: source_device_vendor
Header Type: Custom
|
|
PanOSSourceDynamicAddressGroup
|
Query Name: source_dynamic_address_group
Header Type: Custom
|
|
PanOSSourceEDL
|
Query Name: source_edl
Header Type: Custom
|
|
src or c6a2
|
Query Name: source_ip.value
Header Type: Predefined
Label: || c6a2Label
Label Text: || Source IPv6 Address
|
|
PanOSSourceLocation
|
Query Name: source_location
Header Type: Custom
|
|
spt
|
Query Name: source_port
Header Type: Predefined
|
|
suser
|
Query Name: source_user
Header Type: Predefined
Max Length: 1023
|
|
sntdom
|
Query Name: source_user_info.domain
Header Type: Predefined
Max Length: 1023
|
|
susername
|
Query Name: source_user_info.name
Header Type: Predefined
Max Length: 1023
|
|
suid
|
Query Name: source_user_info.uuid
Header Type: Predefined
Max Length: 1023
|
|
PanOSSourceUUID
|
Query Name: source_uuid
Header Type: Custom
|
|
Name
|
Query Name: sub_type.value
Header Type: Custom
|
|
PanOSEmailSubject
|
Query Name: subject_of_email
Header Type: Custom
|
|
PanOSApplicationTechnology
|
Query Name: technology_of_app
Header Type: Custom
|
|
PanOSThreatCategory
|
Query Name: threat_category.value
Header Type: Custom
|
|
PanOSThreatID
|
Query Name: threat_id
Header Type: Custom
|
|
cat
|
Query Name: threat_name
Header Type: Predefined
Max Length: 1023
|
|
PanOSThreatNameFirewall
|
Query Name: threat_name_firewall
Header Type: Custom
|
|
start
|
Query Name: time_generated
Header Type: Predefined
|
|
PanOSTimeGeneratedHighResolution
|
Query Name: time_generated_high_res
Header Type: Custom
|
|
cs5
|
Query Name: to_zone
Header Type: Predefined
Label: cs5Label
Label Text: ToZone
Max Length: 4000
|
|
PanOSTunnel
|
Query Name: tunnel.value
Header Type: Custom
|
|
PanOSTunneledApplication
|
Query Name: tunneled_app
Header Type: Custom
|
|
PanOSIMSI
|
Query Name: tunnelid_imsi
Header Type: Custom
|
|
PanOSURLDomain
|
Query Name: url_domain
Header Type: Custom
|
|
PanOSURLCounter
|
Query Name: url_idx
Header Type: Custom
|
|
PanOSUsers
|
Query Name: users
Header Type: Custom
|
|
Device Vendor
|
Query Name: vendor_name
Header Type: Custom
|
|
PanOSVendorSeverity
|
Query Name: vendor_severity.value
Header Type: Custom
|
|
PanOSVerdict
|
Query Name: verdict.value
Header Type: Custom
|
|
cs3
|
Query Name: vsys
Header Type: Predefined
Label: cs3Label
Label Text: VirtualLocation
Max Length: 4000
|
|
PanOSVirtualSystemID
|
Query Name: vsys_id
Header Type: Custom
|
|
PanOSVirtualSystemName
|
Query Name: vsys_name
Header Type: Custom
|
|
PanOSX-Forwarded-ForIP
|
Query Name: xff_ip.value
Header Type: Custom
|