Threat EMAIL Fields

Table of Contents

Threat EMAIL Fields

Example Threat log in EMAIL:

TimeReceived=2021-02-22T03:56:10.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=THREAT
Subtype=vulnerability
ConfigVersion=10.0
TimeGenerated=2021-02-22T03:55:57.000000Z
SourceAddress=xxx.xx.x.xx
DestinationAddress=xxx.xx.x.xx
NATSource=
NATDestination=xxx.xx.x.xx
Rule=deny-attackers
SourceUser="paloaltonetwork\xxxxx"
DestinationUser="paloaltonetwork\xxxxx"
Application=gtpv1-c
VirtualLocation=vsys1
FromZone=ethernet4Zone-test2
ToZone=partners
InboundInterface=unknown
OutboundInterface=unknown
LogSetting=rs-logging
SessionID=855279
RepeatCount=1
SourcePort=29447
DestinationPort=10810
NATSourcePort=9459
NATDestinationPort=20230
Protocol=tcp
Action=reset-server
FileName=some other fake filename
ThreatID=Bot: Backdoor_Win32_IRCBot_emv(19974)
VendorSeverity=High
DirectionOfAttack=client to server
SequenceNo=2638696487
SourceLocation=east-coast
DestinationLocation=ZZ
PacketID=0
FileHash=
ApplianceOrCloud=
URLCounter=0
FileType=
SenderEmail=
EmailSubject=
RecipientEmail=
ReportID=0
DGHierarchyLevel1=11
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=xxxxx
SourceUUID=
DestinationUUID=
IMSI=47
IMEI=xxxxx
ParentSessionID=7605
ParentStarttime=2021-02-22T03:55:57.000000Z
Tunnel=GTP-U-TCI
ThreatCategory=backdoor
ContentVersion=50199
SigFlags=0x2
RuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615
HTTP2Connection=0
DynamicUserGroupName=
X-Forwarded-ForIP=xxx.xx.x.xx
SourceDeviceCategory=S-Phone
SourceDeviceProfile=s-profile
SourceDeviceModel=720P/60
SourceDeviceVendor=Samsung
SourceDeviceOSFamily=M4500
SourceDeviceOSVersion=Android v8
SourceDeviceHost=pan-123
SourceDeviceMac=264989591511
DestinationDeviceCategory=S-Phone
DestinationDeviceProfile=s-profile
DestinationDeviceModel=S9
DestinationDeviceVendor=Samsung
DestinationDeviceOSFamily=Galaxy
DestinationDeviceOSVersion=Android v9
DestinationDeviceHost=pan-121
DestinationDeviceMac=180872328842
ContainerID=1873cc5c-0d31
ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4
SourceEDL=
DestinationEDL=
HostID=1010101010
EndpointSerialNumber=xxxxxxxxxxxxxx
DomainEDL=
SourceDynamicAddressGroup=
DestinationDynamicAddressGroup=
PartialHash=0
TimeGeneratedHighResolution=2021-02-22T03:55:57.964000Z
NSSAINetworkSliceType=f1

The following table identifies the Threat field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.

EMAIL Name	Query Name
Action	action.value
Application	app
ApplicationCategory	app_category
ApplicationSubcategory	app_sub_category
ApplianceOrCloud	cloud
CloudHostname	cloud_hostname
CloudReportID	cloud_reportid
ConfigVersion	config_version.value
ContainerID	container_id
ApplicationContainer	container_of_app
ContentVersion	content_version
RepeatCount	count_of_repeats
CortexDataLakeTenantID	customer_id
DestinationDeviceCategory	dest_device_category
DestinationDeviceClass	dest_device_class
DestinationDeviceHost	dest_device_host
DestinationDeviceMac	dest_device_mac
DestinationDeviceModel	dest_device_model
DestinationDeviceOS	dest_device_os
DestinationDeviceOSFamily	dest_device_osfamily
DestinationDeviceOSVersion	dest_device_osversion
DestinationDeviceProfile	dest_device_profile
DestinationDeviceVendor	dest_device_vendor
DestinationDynamicAddressGroup	dest_dynamic_address_group
DestinationEDL	dest_edl
DestinationAddress	dest_ip.value
DestinationLocation	dest_location
DestinationPort	dest_port
DestinationUser	dest_user
DestinationUserDomain	dest_user_info.domain
DestinationUserName	dest_user_info.name
DestinationUserUUID	dest_user_info.uuid
DestinationUUID	dest_uuid
DGHierarchyLevel1	dg_hier_level_1
DGHierarchyLevel2	dg_hier_level_2
DGHierarchyLevel3	dg_hier_level_3
DGHierarchyLevel4	dg_hier_level_4
DirectionOfAttack	direction_of_attack.value
DomainEDL	domain_edl
DynamicUserGroupName	dynusergroup_name
EndpointSerialNumber	endpoint_serial_number
FileName	file_name
FileHash	file_sha_256
FileType	file_type
FileURL	file_url
FlowType	flow_type.value
FromZone	from_zone
HostID	host_id
HTTP2Connection	http2_connection
HTTPMethod	http_method.value
InboundInterface	inbound_if.value
InboundInterfaceDetailsPort	inbound_if_details.port
InboundInterfaceDetailsSlot	inbound_if_details.slot
InboundInterfaceDetailsType	inbound_if_details.type.value
InboundInterfaceDetailsUnit	inbound_if_details.unit
CaptivePortal	is_captive_portal
IsClienttoServer	is_client_to_server
IsContainer	is_container
IsDecryptMirror	is_decrypt_mirror
IsDecrypted	is_decrypted
IsDuplicateLog	is_dup_log
IsEncrypted	is_encrypted
LogExported	is_exported
LogForwarded	is_forwarded
IsIPV6	is_ipv6
IsMptcpOn	is_mptcp_on
NAT	is_nat
IsNonStandardDestinationPort	is_non_std_dest_port
IsPacketCapture	is_packet_capture
IsPhishing	is_phishing
IsPrismaNetwork	is_prisma_branch
IsPrismaUsers	is_prisma_mobile
IsProxy	is_proxy
IsReconExcluded	is_recon_excluded
IsSaaSApplication	is_saas_app
IsServertoClient	is_server_to_client
IsSourceXForwarded	is_source_x_fwded
IsSystemReturn	is_sym_return
IsTransaction	is_transaction
IsTunnelInspected	is_tunnel_inspected
IsURLDenied	is_url_denied
K8SClusterID	k8s_cluster_id
LocalDeepLearningAnalyzed	local_deep_learning
Location	location
LogSetting	log_set
LogSource	log_source
LogSourceGroupID	log_source_group_id
DeviceSN	log_source_id
DeviceName	log_source_name
LogSourceTimeZoneOffset	log_source_tz_offset
TimeReceived	log_time
LogType	log_type.value
IMEI	monitor_tag_imei
NATDestination	nat_dest.value
NATDestinationPort	nat_dest_port
NATSource	nat_source.value
NATSourcePort	nat_source_port
NonStandardDestinationPort	non_standard_dest_port
NSSAINetworkSliceType	nssai_network_slice_type.value
OutboundInterface	outbound_if.value
OutboundInterfaceDetailsPort	outbound_if_details.port
OutboundInterfaceDetailsSlot	outbound_if_details.slot
OutboundInterfaceDetailsType	outbound_if_details.type.value
OutboundInterfaceDetailsUnit	outbound_if_details.unit
PanoramaSN	panorama_serial
ParentSessionID	parent_session_id
ParentStarttime	parent_start_time
PartialHash	partial_hash
PayloadProtocolID	payload_protocol_id
Packet	pcap
PacketID	pcap_id
PlatformType	platform_type
ContainerName	pod_name
ContainerNameSpace	pod_namespace
Protocol	protocol.value
RecipientEmail	recipient_of_virus
ReportID	report_id
ApplicationRisk	risk_of_app
Rule	rule_matched
RuleUUID	rule_matched_uuid
SanctionedStateOfApp	sanctioned_state_of_app
SenderEmail	sender_of_virus
SequenceNo	sequence_no
SessionID	session_id
Severity	severity
SigFlags	sig_flags
SourceDeviceCategory	source_device_category
SourceDeviceClass	source_device_class
SourceDeviceHost	source_device_host
SourceDeviceMac	source_device_mac
SourceDeviceModel	source_device_model
SourceDeviceOS	source_device_os
SourceDeviceOSFamily	source_device_osfamily
SourceDeviceOSVersion	source_device_osversion
SourceDeviceProfile	source_device_profile
SourceDeviceVendor	source_device_vendor
SourceDynamicAddressGroup	source_dynamic_address_group
SourceEDL	source_edl
SourceAddress	source_ip.value
SourceLocation	source_location
SourcePort	source_port
SourceUser	source_user
SourceUserDomain	source_user_info.domain
SourceUserName	source_user_info.name
SourceUserUUID	source_user_info.uuid
SourceUUID	source_uuid
Subtype	sub_type.value
EmailSubject	subject_of_email
ApplicationTechnology	technology_of_app
ThreatCategory	threat_category.value
ThreatID	threat_id
ThreatName	threat_name
ThreatNameFirewall	threat_name_firewall
TimeGenerated	time_generated
TimeGeneratedHighResolution	time_generated_high_res
ToZone	to_zone
Tunnel	tunnel.value
TunneledApplication	tunneled_app
IMSI	tunnelid_imsi
URLDomain	url_domain
URLCounter	url_idx
Users	users
VendorName	vendor_name
VendorSeverity	vendor_severity.value
Verdict	verdict.value
VirtualLocation	vsys
VirtualSystemID	vsys_id
VirtualSystemName	vsys_name
X-Forwarded-ForIP	xff_ip.value

Threat CEF Fields

Threat HTTPS Fields

Strata Logging Service Docs

Threat EMAIL Fields

Strata Logging Service Docs

Threat EMAIL Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner