Threat LEEF Fields

Table of Contents

Threat LEEF Fields

Example Threat log in LEEF:

Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2|	|TimeReceived=2021-09-21T01:47:20.000000Z	DeviceSN=xxxxxxxxxxxxx	cat=threat	SubType=packet	ConfigVersion=10.1	devTime=2021-09-21T01:47:18.000000Z	src=xxx.xx.x.xx	dst=xxx.xx.x.xx	srcPostNAT=xxx.xx.x.xx	dstPostNAT=xxx.xx.x.xx	Rule=allow-business-apps	usrName=paloaltonetwork\xxxxx	DestinationUser=paloaltonetwork\xxxxx	Application=websense	VirtualLocation=vsys1	FromZone=datacenter	ToZone=datacenter	InboundInterface=ethernet1/1	OutboundInterface=ethernet1/4	LogSetting=rs-logging	SessionID=366981	RepeatCount=1	srcPort=12023	dstPort=8466	srcPostNATPort=2374	dstPostNATPort=2463	proto=tcp	Action=drop-packet	FileName=0123456789012345678901234567890123456789012345678901234	VendorSeverity=Low	DirectionOfAttack=client to server	SequenceNo=7003061085140560926	SourceLocation=dallas	DestinationLocation=IN	PacketID=0	FileHash=	ApplianceOrCloud=	URLCounter=0	FileType=	SenderEmail=	EmailSubject=	RecipientEmail=	ReportID=0	DGHierarchyLevel1=11	DGHierarchyLevel2=0	DGHierarchyLevel3=0	DGHierarchyLevel4=0	VirtualSystemName=	DeviceName=xxxxx	SourceUUID=	DestinationUUID=	IMSI=35	IMEI=datacenter	ParentSessionID=5534	ParentStarttime=1970-01-01T00:00:00.000000Z	Tunnel=GTP-U-TCI	ThreatCategory=unknown	ContentVersion=50122SigFlags=0x0	RuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8	HTTP2Connection=0	DynamicUserGroupName=	X-Forwarded-ForIP=xxx.xx.x.xx	SourceDeviceCategory=A-Phone	SourceDeviceProfile=a-profile	SourceDeviceModel=720P/60	SourceDeviceVendor=Samsung	SourceDeviceOSFamily=M4500	SourceDeviceOSVersion=Android v8	SourceDeviceHost=pan-123	SourceDeviceMac=264989591511DestinationDeviceCategory=A-Phone	DestinationDeviceProfile=a-profile	DestinationDeviceModel=iPhone	DestinationDeviceVendor=Apple	DestinationDeviceOSFamily=9	DestinationDeviceOSVersion=iOS 9	DestinationDeviceHost=pan-233	DestinationDeviceMac=743514319696	ContainerID=1873cc5c-0d31	ContainerNameSpace=pns_default	ContainerName=pan-dp-77754f4	SourceEDL=	DestinationEDL=	HostID=1010101010	EndpointSerialNumber=xxxxxxxxxxxxxx	DomainEDL=	SourceDynamicAddressGroup=	DestinationDynamicAddressGroup=	PartialHash=0	TimeGeneratedHighResolution=2021-09-21T01:47:18.732000Z	NSSAINetworkSliceType=be	devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the Threat field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
Action	action.value	Custom
Application	app	Custom
ApplicationCategory	app_category	Custom
ApplicationSubcategory	app_sub_category	Custom
ApplianceOrCloud	cloud	Custom
CloudHostname	cloud_hostname	Custom
CloudReportID	cloud_reportid	Custom
ConfigVersion	config_version.value	Custom
ContainerID	container_id	Custom
ApplicationContainer	container_of_app	Custom
ContentVersion	content_version	Custom
RepeatCount	count_of_repeats	Custom
CortexDataLakeTenantID	customer_id	Custom
DestinationDeviceCategory	dest_device_category	Custom
DestinationDeviceClass	dest_device_class	Custom
DestinationDeviceHost	dest_device_host	Custom
DestinationDeviceMac	dest_device_mac	Custom
DestinationDeviceModel	dest_device_model	Custom
DestinationDeviceOS	dest_device_os	Custom
DestinationDeviceOSFamily	dest_device_osfamily	Custom
DestinationDeviceOSVersion	dest_device_osversion	Custom
DestinationDeviceProfile	dest_device_profile	Custom
DestinationDeviceVendor	dest_device_vendor	Custom
DestinationDynamicAddressGroup	dest_dynamic_address_group	Custom
DestinationEDL	dest_edl	Custom
dst	dest_ip.value	Predefined
DestinationLocation	dest_location	Custom
dstPort	dest_port	Predefined
DestinationUser	dest_user	Custom
DestinationUserDomain	dest_user_info.domain	Custom
DestinationUserName	dest_user_info.name	Custom
DestinationUserUUID	dest_user_info.uuid	Custom
DestinationUUID	dest_uuid	Custom
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
DirectionOfAttack	direction_of_attack.value	Custom
DomainEDL	domain_edl	Custom
DynamicUserGroupName	dynusergroup_name	Custom
EndpointSerialNumber	endpoint_serial_number	Custom
FileName	file_name	Custom
FileHash	file_sha_256	Custom
FileType	file_type	Custom
FileURL	file_url	Custom
FlowType	flow_type.value	Custom
FromZone	from_zone	Custom
HostID	host_id	Custom
HTTP2Connection	http2_connection	Custom
HTTPMethod	http_method.value	Custom
InboundInterface	inbound_if.value	Custom
InboundInterfaceDetailsPort	inbound_if_details.port	Custom
InboundInterfaceDetailsSlot	inbound_if_details.slot	Custom
InboundInterfaceDetailsType	inbound_if_details.type.value	Custom
InboundInterfaceDetailsUnit	inbound_if_details.unit	Custom
CaptivePortal	is_captive_portal	Custom
IsClienttoServer	is_client_to_server	Custom
IsContainer	is_container	Custom
IsDecryptMirror	is_decrypt_mirror	Custom
IsDecrypted	is_decrypted	Custom
IsDuplicateLog	is_dup_log	Custom
IsEncrypted	is_encrypted	Custom
LogExported	is_exported	Custom
LogForwarded	is_forwarded	Custom
IsIPV6	is_ipv6	Custom
IsMptcpOn	is_mptcp_on	Custom
NAT	is_nat	Custom
IsNonStandardDestinationPort	is_non_std_dest_port	Custom
IsPacketCapture	is_packet_capture	Custom
IsPhishing	is_phishing	Custom
IsPrismaNetwork	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
IsProxy	is_proxy	Custom
IsReconExcluded	is_recon_excluded	Custom
IsSaaSApplication	is_saas_app	Custom
IsServertoClient	is_server_to_client	Custom
IsSourceXForwarded	is_source_x_fwded	Custom
IsSystemReturn	is_sym_return	Custom
IsTransaction	is_transaction	Custom
IsTunnelInspected	is_tunnel_inspected	Custom
IsURLDenied	is_url_denied	Custom
K8SClusterID	k8s_cluster_id	Custom
LocalDeepLearningAnalyzed	local_deep_learning	Custom
Location	location	Custom
LogSetting	log_set	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
IMEI	monitor_tag_imei	Custom
dstPostNAT	nat_dest.value	Predefined
dstPostNATPort	nat_dest_port	Predefined
srcPostNAT	nat_source.value	Predefined
srcPostNATPort	nat_source_port	Predefined
NonStandardDestinationPort	non_standard_dest_port	Custom
NSSAINetworkSliceType	nssai_network_slice_type.value	Custom
OutboundInterface	outbound_if.value	Custom
OutboundInterfaceDetailsPort	outbound_if_details.port	Custom
OutboundInterfaceDetailsSlot	outbound_if_details.slot	Custom
OutboundInterfaceDetailsType	outbound_if_details.type.value	Custom
OutboundInterfaceDetailsUnit	outbound_if_details.unit	Custom
PanoramaSN	panorama_serial	Custom
ParentSessionID	parent_session_id	Custom
ParentStarttime	parent_start_time	Custom
PartialHash	partial_hash	Custom
PayloadProtocolID	payload_protocol_id	Custom
Packet	pcap	Custom
PacketID	pcap_id	Custom
PlatformType	platform_type	Custom
ContainerName	pod_name	Custom
ContainerNameSpace	pod_namespace	Custom
proto	protocol.value	Predefined
RecipientEmail	recipient_of_virus	Custom
ReportID	report_id	Custom
ApplicationRisk	risk_of_app	Custom
Rule	rule_matched	Custom
RuleUUID	rule_matched_uuid	Custom
SanctionedStateOfApp	sanctioned_state_of_app	Custom
SenderEmail	sender_of_virus	Custom
SequenceNo	sequence_no	Custom
SessionID	session_id	Custom
Severity	severity	Custom
SigFlags	sig_flags	Custom
SourceDeviceCategory	source_device_category	Custom
SourceDeviceClass	source_device_class	Custom
SourceDeviceHost	source_device_host	Custom
SourceDeviceMac	source_device_mac	Custom
SourceDeviceModel	source_device_model	Custom
SourceDeviceOS	source_device_os	Custom
SourceDeviceOSFamily	source_device_osfamily	Custom
SourceDeviceOSVersion	source_device_osversion	Custom
SourceDeviceProfile	source_device_profile	Custom
SourceDeviceVendor	source_device_vendor	Custom
SourceDynamicAddressGroup	source_dynamic_address_group	Custom
SourceEDL	source_edl	Custom
src	source_ip.value	Predefined
SourceLocation	source_location	Custom
srcPort	source_port	Predefined
usrName	source_user	Predefined
SourceUserDomain	source_user_info.domain	Custom
SourceUserName	source_user_info.name	Custom
SourceUserUUID	source_user_info.uuid	Custom
SourceUUID	source_uuid	Custom
SubType	sub_type.value	Custom
EmailSubject	subject_of_email	Custom
ApplicationTechnology	technology_of_app	Custom
ThreatCategory	threat_category.value	Custom
EventID	threat_id	Header
ThreatName	threat_name	Custom
ThreatNameFirewall	threat_name_firewall	Custom
devTime	time_generated	Predefined
TimeGeneratedHighResolution	time_generated_high_res	Custom
ToZone	to_zone	Custom
Tunnel	tunnel.value	Custom
TunneledApplication	tunneled_app	Custom
IMSI	tunnelid_imsi	Custom
URLDomain	url_domain	Custom
URLCounter	url_idx	Custom
Users	users	Custom
Vendor	vendor_name	Header
VendorSeverity	vendor_severity.value	Custom
Verdict	verdict.value	Custom
VirtualLocation	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom
X-Forwarded-ForIP	xff_ip.value	Custom

Threat HTTPS Fields

Traffic

Strata Logging Service Docs

Threat LEEF Fields

Strata Logging Service Docs

Threat LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner