File EMAIL Fields

Table of Contents

File EMAIL Fields

Example File log in EMAIL:

TimeReceived=2021-02-22T05:27:37.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=THREAT
SubType=file
ConfigVersion=10.0
TimeGenerated=2021-02-22T05:27:21.000000Z
SourceAddress=xxx.xx.x.xx
DestinationAddress=xxx.xx.x.xx
NATSource=xxx.xx.x.xx
NATDestination=xxx.xx.x.xx
Rule=deny-time-wasters
SourceUser="paloaltonetwork\xxxxx"
DestinationUser="paloaltonetwork\xxxxx"
Application=groupwise
VirtualLocation=vsys1
FromZone=untrust
ToZone=ethernet4Zone-test2
InboundInterface=unknown
OutboundInterface=unknown
LogSetting=rs-logging
SessionID=644314
RepeatCount=1
SourcePort=15810
DestinationPort=19884
NATSourcePort=11883
NATDestinationPort=6753
Protocol=tcp
Action=reset-client
FileName=0123456789012345678901234567890123456789012345678901234
URLCategory=sports
VendorSeverity=Critical
DirectionOfAttack=server to client
SequenceNo=2638705012
SourceLocation=dallas
DestinationLocation=BR
PacketID=0
FileHash=
ReportID=0
DGHierarchyLevel1=11
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=xxxxx
SourceUUID=
DestinationUUID=
IMSI=0
IMEI=
ParentSessionID=0
ParentStartTime=1970-01-01T00:00:00.000000Z
Tunnel=N/A
ContentVersion=50194
SigFlags=4
RuleUUID=2fb8efd4-2f01-421d-a113-097992777432
HTTP2Connection=0
DynamicUserGroup=
X-Forwarded-ForIP=
SourceDeviceCategory=N-Phone
SourceDeviceProfile=n-profile
SourceDeviceModel=Nexus
SourceDeviceVendor=Google
SourceDeviceOSFamily=LG-H790
SourceDeviceOSVersion=Android v6
SourceDeviceHost=pan-301
SourceDeviceMac=839147449905
DestinationDeviceCategory=N-Phone
DestinationDeviceProfile=n-profile
DestinationDeviceModel=Nexus
DestinationDeviceVendor=Google
DestinationDeviceOSFamily=H1511
DestinationDeviceOSVersion=Android v7
DestinationDeviceHost=pan-355
DestinationDeviceMac=530589561221
ContainerID=1873cc5c-0d31
ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4
SourceEDL=
DestinationEDL=
HostID=3030303030
EndpointSerialNumber=xxxxxxxxxxxxxx
DomainEDL=
SourceDynamicAddressGroup=
DestinationDynamicAddressGroup= red_dag
PartialHash=0
TimeGeneratedHighResolution=2021-02-22T05:27:21.528000Z
ReasonForDataFilteringAction=
Justification=
NSSAINetworkSliceType=bf

The following table identifies the File field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.

EMAIL Name	Query Name
Action	action.value
Application	app
ApplicationCategory	app_category
ApplicationSubcategory	app_sub_category
CloudHostname	cloud_hostname
CloudReportID	cloud_reportid
ConfigVersion	config_version.value
ContainerID	container_id
ApplicationContainer	container_of_app
ContentVersion	content_version
RepeatCount	count_of_repeats
CortexDataLakeTenantID	customer_id
DestinationDeviceCategory	dest_device_category
DestinationDeviceClass	dest_device_class
DestinationDeviceHost	dest_device_host
DestinationDeviceMac	dest_device_mac
DestinationDeviceModel	dest_device_model
DestinationDeviceOS	dest_device_os
DestinationDeviceOSFamily	dest_device_osfamily
DestinationDeviceOSVersion	dest_device_osversion
DestinationDeviceProfile	dest_device_profile
DestinationDeviceVendor	dest_device_vendor
DestinationDynamicAddressGroup	dest_dynamic_address_group
DestinationEDL	dest_edl
DestinationAddress	dest_ip.value
DestinationLocation	dest_location
DestinationPort	dest_port
DestinationUser	dest_user
DestinationUserDomain	dest_user_info.domain
DestinationUserName	dest_user_info.name
DestinationUserUUID	dest_user_info.uuid
DestinationUUID	dest_uuid
DGHierarchyLevel1	dg_hier_level_1
DGHierarchyLevel2	dg_hier_level_2
DGHierarchyLevel3	dg_hier_level_3
DGHierarchyLevel4	dg_hier_level_4
DirectionOfAttack	direction_of_attack.value
DLPVersionFlag	dlp_version_flag
DomainEDL	domain_edl
DynamicUserGroup	dynusergroup_name
EndpointSerialNumber	endpoint_serial_number
FileName	file_name
FileHash	file_sha_256
FileType	file_type
FileURL	file_url
FromZone	from_zone
HostID	gp_host_id
HTTP2Connection	http2_connection
InboundInterface	inbound_if.value
InboundInterfaceDetailsPort	inbound_if_details.port
InboundInterfaceDetailsSlot	inbound_if_details.slot
InboundInterfaceDetailsType	inbound_if_details.type.value
InboundInterfaceDetailsUnit	inbound_if_details.unit
CaptivePortal	is_captive_portal
IsClienttoServer	is_client_to_server
IsContainer	is_container
IsDecryptMirror	is_decrypt_mirror
IsDecrypted	is_decrypted
IsDuplicateLog	is_dup_log
IsEncrypted	is_encrypted
LogExported	is_exported
LogForwarded	is_forwarded
IsIPV6	is_ipv6
IsMptcpOn	is_mptcp_on
NAT	is_nat
IsNonStandardDestinationPort	is_non_std_dest_port
IsPacketCapture	is_packet_capture
IsPhishing	is_phishing
IsPrismaNetwork	is_prisma_branch
IsPrismaUsers	is_prisma_mobile
IsProxy	is_proxy
IsReconExcluded	is_recon_excluded
IsSaaSApplication	is_saas_app
IsServertoClient	is_server_to_client
IsSourceXForwarded	is_source_x_fwded
IsSystemReturn	is_sym_return
IsTransaction	is_transaction
IsTunnelInspected	is_tunnel_inspected
IsURLDenied	is_url_denied
Justification	justification
K8SClusterID	k8s_cluster_id
Location	location
LogSetting	log_set
LogSource	log_source
LogSourceGroupID	log_source_group_id
DeviceSN	log_source_id
DeviceName	log_source_name
LogSourceTimeZoneOffset	log_source_tz_offset
TimeReceived	log_time
LogType	log_type.value
IMEI	monitor_tag_imei
NATDestination	nat_dest.value
NATDestinationPort	nat_dest_port
NATSource	nat_source.value
NATSourcePort	nat_source_port
NonStandardDestinationPort	non_standard_dest_port
NSSAINetworkSliceType	nssai_network_slice_type.value
OutboundInterface	outbound_if.value
OutboundInterfaceDetailsPort	outbound_if_details.port
OutboundInterfaceDetailsSlot	outbound_if_details.slot
OutboundInterfaceDetailsType	outbound_if_details.type.value
OutboundInterfaceDetailsUnit	outbound_if_details.unit
PanoramaSN	panorama_serial
ParentSessionID	parent_session_id
ParentStartTime	parent_start_time
PartialHash	partial_hash
Packet	pcap
PacketID	pcap_id
PlatformType	platform_type
ContainerName	pod_name
ContainerNameSpace	pod_namespace
ProfileName	profile_name
Protocol	protocol.value
ReasonForDataFilteringAction	reason_data_filtering
ReportID	report_id
ApplicationRisk	risk_of_app
Rule	rule_matched
RuleUUID	rule_matched_uuid
SanctionedStateOfApp	sanctioned_state_of_app
SequenceNo	sequence_no
SessionID	session_id
Severity	severity
SigFlags	sig_flags
SourceDeviceCategory	source_device_category
SourceDeviceClass	source_device_class
SourceDeviceHost	source_device_host
SourceDeviceMac	source_device_mac
SourceDeviceModel	source_device_model
SourceDeviceOS	source_device_os
SourceDeviceOSFamily	source_device_osfamily
SourceDeviceOSVersion	source_device_osversion
SourceDeviceProfile	source_device_profile
SourceDeviceVendor	source_device_vendor
SourceDynamicAddressGroup	source_dynamic_address_group
SourceEDL	source_edl
SourceAddress	source_ip.value
SourceLocation	source_location
SourcePort	source_port
SourceUser	source_user
SourceUserDomain	source_user_info.domain
SourceUserName	source_user_info.name
SourceUserUUID	source_user_info.uuid
SourceUUID	source_uuid
Subtype	sub_type.value
ApplicationTechnology	technology_of_app
ThreatCategory	threat_category.value
ThreatNameFirewall	threat_name_firewall
TimeGenerated	time_generated
TimeGeneratedHighResolution	time_generated_high_res
ToZone	to_zone
Tunnel	tunnel.value
TunneledApplication	tunneled_app
IMSI	tunnelid_imsi
URLCategory	url_category.value
URL	url_domain
Users	users
VendorName	vendor_name
VendorSeverity	vendor_severity.value
VirtualLocation	vsys
VirtualSystemID	vsys_id
VirtualSystemName	vsys_name
X-Forwarded-ForIP	xff_ip.value

File CEF Fields

File HTTPS Fields

Strata Logging Service Docs

File EMAIL Fields

Strata Logging Service Docs

File EMAIL Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner