Decryption EMAIL Fields
Strata Logging Service


Example Decryption log in EMAIL format:
TimeReceived=2021-02-23T02:43:57.000000Z DeviceSN=xxxxxxxxxxxxx SubType=end ConfigVersion=null TimeGenerated=2021-02-23T02:43:57.000000Z CaptivePortal=false CortexDataLakeTenantID=xxxxxxxxxxxxx-ingest Cpadding=0 DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 DestinationDeviceClass= DestinationDeviceOS= DestinationLocation=IN DestinationUserDomain=paloaltonetwork DestinationUserName=xxxxx DestinationUserUUID=0 DeviceName=PA-VM Domain=0 InboundInterfaceDetailsPort=1 InboundInterfaceDetailsSlot=1 InboundInterfaceDetailsType=ethernet InboundInterfaceDetailsUnit=0 IsCertCNTruncated=false IsCertECDSA=false IsCertRSA=false IsClienttoServer=false IsContainer=false IsDecryptMirror=false IsDecrypted= IsDuplicateLog=false IsEncrypted= IsForwarded=true IsIPV6= IsIssuerCNTruncated=false IsMptcpOn=false IsNAT=false IsNonStandardDestinationPort=true IsPhishing=false IsPrismaNetwork=false IsPrismaUsers=false IsProxy=false IsReconExcluded=false IsResumeSession=false IsRootCNTruncated=false IsSNITruncated=false IsServertoClient=false IsSourceXForwarded= IsSystemReturn=false SourceAddress=xxx.xx.x.xx DestinationAddress=xxx.xx.x.xx NATSource=xxx.xx.x.xx NATDestination=xxx.xx.x.xx Rule=allow-all-employees SourceUser="paloaltonetwork\\xxxxx" DestinationUser="paloaltonetwork\\xxxxx" Application=gmail-base VirtualLocation=vsys1 FromZone=datacenter ToZone=ethernet4Zone-test1 InboundInterface=ethernet1/1 OutboundInterface=tunnel.901 LogSetting=test TimeReceivedManagementPlane=2019-12-12T22:16:48.000000Z SessionID=106112 CountOfRepeat=1 SourcePort=16524 DestinationPort=20122 NATSourcePort=15856 NATDestinationPort=10128 Protocol=tcp Action=deny Tunnel=N/A SourceUUID= DestinationUUID= RuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e ClientToFirewall=null FirewallToClient=null TLSVersion=null TLSKeyExchange=null TLSEncryptionAlgorithm=null TLSAuth=null PolicyName= EllipticCurve= ErrorIndex=null RootStatus=null ChainStatus=null ProxyType=null 
CertificateSerial= Fingerprint= TimeNotBefore=0 TimeNotAfter=0 CertificateVersion=null CertificateSize=0 CommonNameLength=0 IssuerNameLength=0 RootCNLength=0 SNILength=0 CertificateFlags=0 CommonName= IssuerCommonName= RootCommonName= ServerNameIndication= ErrorMessage= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup=test TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= SequenceNo=8026543790
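A parser for the key=value layout shown in the example above, as an added example that is not part of the original page or of the Log Forwarding app. The function names are hypothetical, SAMPLE is a shortened copy of the page's example record, and the parser assumes that unquoted values contain no spaces.

```python
import re

# key=value, where value is a double-quoted string (backslash escapes)
# or a run of non-space characters, which may be empty
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
TLS_FIELDS = ("TLSVersion", "TLSKeyExchange", "TLSEncryptionAlgorithm", "TLSAuth")

def normalise(raw):
    """Map the format's textual conventions onto Python values."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo backslash escapes
    if raw in ("", "null"):
        return None                # field present but unpopulated
    if raw in ("true", "false"):
        return raw == "true"
    return raw                     # serials, ports, timestamps stay strings

def parse_email_log(line):
    """Return {field: value}; raise ValueError on anything that is not key=value."""
    fields, pos = {}, 0
    for m in PAIR.finditer(line):
        gap = line[pos:m.start()]
        if gap.strip():            # stray text, e.g. an unquoted value with a space
            raise ValueError(f"unparsed text {gap!r} before {m.group(1)!r}")
        if m.group(1) in fields:   # a repeated key would silently override a value
            raise ValueError(f"duplicate field {m.group(1)!r}")
        fields[m.group(1)] = normalise(m.group(2))
        pos = m.end()
    if line[pos:].strip():
        raise ValueError(f"unparsed trailing text {line[pos:]!r}")
    return fields

def unpopulated(fields, names=TLS_FIELDS):
    """Names from `names` that are absent, empty or null in the record."""
    return [n for n in names if fields.get(n) is None]

# Constructed sample: fields and values copied from the page's example log.
SAMPLE = (
    r'TimeReceived=2021-02-23T02:43:57.000000Z DeviceSN=xxxxxxxxxxxxx SubType=end '
    r'IsDecrypted= IsForwarded=true IsNAT=false Rule=allow-all-employees '
    r'SourceUser="paloaltonetwork\\xxxxx" Application=gmail-base '
    r'DestinationPort=20122 Protocol=tcp Action=deny Tunnel=N/A '
    r'TLSVersion=null TLSKeyExchange=null TLSEncryptionAlgorithm=null TLSAuth=null '
    r'ErrorMessage= ServerNameIndication= SequenceNo=8026543790'
)

if __name__ == "__main__":
    record = parse_email_log(SAMPLE)
    print(record["Action"], record["SourceUser"], unpopulated(record))
```

Rejecting stray text and duplicate keys keeps a malformed or tampered record from being indexed with misleading field values.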
The following table identifies the Decryption field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.
EMAIL Name
Query Name
Action
Application
ApplicationCategory
ApplicationSubcategory
CertificateFlags
CertificateSerial
CertificateSize
CertificateVersion
ChainStatus
ApplicationCharacteristics
ClientToFirewall
CommonName
CommonNameLength
ConfigVersion
ContainerID
ApplicationContainer
RepeatCount
Cpadding
CortexDataLakeTenantID
DestinationDeviceCategory
DestinationDeviceClass
DestinationDeviceHost
DestinationDeviceMac
DestinationDeviceModel
DestinationDeviceOS
DestinationDeviceOSFamily
DestinationDeviceOSVersion
DestinationDeviceProfile
DestinationDeviceVendor
DestinationDynamicAddressGroup
DestinationEDL
DestinationAddress
DestinationLocation
DestinationPort
DestinationUser
DestinationUserDomain
DestinationUserName
DestinationUserUUID
DestinationUUID
DGHierarchyLevel1
DGHierarchyLevel2
DGHierarchyLevel3
DGHierarchyLevel4
Domain
EllipticCurve
ErrorIndex
ErrorMessage
Fingerprint
FirewallToClient
FromZone
InboundInterface
InboundInterfaceDetailsPort
InboundInterfaceDetailsSlot
InboundInterfaceDetailsType
InboundInterfaceDetailsUnit
CaptivePortal
IsCertECDSA
IsCertRSA
IsCertCNTruncated
IsClienttoServer
IsContainer
IsDecryptMirror
IsDecrypted
IsDuplicateLog
IsEncrypted
LogExported
IsForwarded
IsIPV6
IsIssuerCNTruncated
IsMptcpOn
IsNAT
IsNonStandardDestinationPort
PacketCapture
IsPhishing
IsPrismaNetwork
IsPrismaUsers
IsProxy
IsReconExcluded
IsResumeSession
IsRootCNTruncated
IsSaaSApplication
IsServertoClient
IsSNITruncated
IsSourceXForwarded
IsSystemReturn
IsTransaction
IsTunnelInspected
IsURLDenied
IssuerCommonName
IssuerNameLength
LogSetting
LogSource
LogSourceGroupID
DeviceSN
DeviceName
LogSourceTimeZoneOffset
TimeReceived
LogType
NATDestination
NATDestinationPort
NATSource
NATSourcePort
TimeNotAfter
TimeNotBefore
OutboundInterface
OutboundInterfaceDetailsPort
OutboundInterfaceDetailsSlot
OutboundInterfaceDetailsType
OutboundInterfaceDetailsUnit
Padding
Padding3
PanoramaSN
PlatformType
ContainerName
ContainerNameSpace
PolicyName
Protocol
ProxyType
ApplicationRisk
RootCommonName
RootCNLength
RootStatus
Rule
RuleUUID
SanctionedStateOfApp
SequenceNo
SessionID
ServerNameIndication
SNILength
SourceDeviceCategory
SourceDeviceClass
SourceDeviceHost
SourceDeviceMac
SourceDeviceModel
SourceDeviceOS
SourceDeviceOSFamily
SourceDeviceOSVersion
SourceDeviceProfile
SourceDeviceVendor
SourceDynamicAddressGroup
SourceEDL
SourceAddress
SourceLocation
SourcePort
SourceUser
SourceUserDomain
SourceUserName
SourceUserUUID
SourceUUID
Subtype
ApplicationTechnology
TimeGenerated
TimeGeneratedHighResolution
TimeReceivedManagementPlane
TLSAuth
TLSEncryptionAlgorithm
TLSKeyExchange
TLSVersion
ToZone
Tpadding
Tunnel
TunneledApplication
VendorName
Vpadding
VirtualLocation
VirtualSystemID
VirtualSystemName