Version:

Vendor Field Map

For the Palo Alto Network Firewall v8.1

Traffic Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk

Mapping the Traffic Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Source IP

source_address

Destination IP

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

Bytes

datasize

Bytes Sent

sent_datasize

Bytes Received

received_datasize

Packets

packet

Start Time

start_ts

Elapsed Time

duration

Category

category

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

Packets Sent

sent_packet

Packets Received

received_packet

Session End Reason

reason

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Action Source

action_source

Source VM UUID

source_vm_uuid

Destination VM UUID

destination_vm_uuid

Tunnel ID/IMSI

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel Type

tunnel_type

SCTP Association ID

sctp_association_id

SCTP Chunks

chunk_count

SCTP Chunks Sent

sent_chunk

SCTP Chunks Received

received_chunk

Threat Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, checksum, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header

Mapping the Threat Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Source IP

source_address

Destination IP

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

URL/Filename

url

Threat ID

threat_id

Category

category

Severity

log_level

Direction

direction

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

Content Type

content_type

PCAP_ID

pcap_id

File Digest

checksum

Cloud

wildfire_cloud

URL Index

url_index

User Agent

user_agent

File Type

file_type

X-Forwarded-For

x_forwarded_for

Referer

referer

Sender

sender

Subject

subject

Recipient

receiver

Report ID

report_id

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Source VM UUID

source_vm_uuid

Destination VM UUID

destination_vm_uuid

HTTP Method

request_method

Tunnel ID/IMSI

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel Type

tunnel_type

Threat Category

threat_category

Content Version

version

SCTP Association ID

sctp_association_id

Payload Protocol ID

payload_protocol_id

HTTP Headers

header

Config Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the Config Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Subtype

sub_category

Generated Time

log_ts

Host

source_host

Virtual System

virtual_system

Command

command

Admin

admin

Client

client

Result

result

Configuration Path

path

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

System Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, log_level, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the System Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Content/Threat Type

sub_category

Generated Time

log_ts

Virtual System

virtual_system

Event ID

event_id

Object

object

Module

module

Severity

log_level

Description

description

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

HIP Match Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system, machine, os, source_address, match, repeat_count, match_type, FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system, host, virtual_system_id, ipv6_source_address, host_id

Mapping the HIP Match Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Source User

user

Virtual System

virtual_system

Machine name

machine

OS

os

Source Address

source_address

HIP

match

Repeat Count

repeat_count

HIP Type

match_type

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system

Device Name

host

Virtual System ID

virtual_system_id

IPv6 Source Address

ipv6_source_address

Host ID

host_id

Correlation Events Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, user, virtual_system, category, log_level, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, object, object_id, description

Mapping the Correlation Events Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Content/Threat Type

sub_category

Generated Time

log_ts

Source Address

source_address

Source User

user

Virtual System

virtual_system

Category

category

Severity

log_level

Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Object Name

object

Object ID

object_id

Evidence

description

User-ID Log Fields

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, FUTURE_USE, FUTURE_USE, user_group_flag, source_user

Mapping the User-ID Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Virtual System

virtual_system

Source IP

source_address

User

user

Data Source Name

user_id

Event ID

event_id

Repeat Count

repeat_count

Time Out Threshold

timeout

Source Port

source_port

Destination Port

destination_port

Data Source

source

Data Source Type

source_type

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Factor Type

vendor

Factor Completion Time

authentication_ts

Factor Number

factor_number

User Group Flags

user_group_flag

Source by User

source_user

Tunnel Inspection Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, log_level, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule

Mapping the Tunnel Inspection Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Subtype

sub_category

Generated Time

log_ts

Source IP

source_address

Destination IP

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

Severity

log_level

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Tunnel ID/IMS

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel

tunnel_type

Bytes

datasize

Bytes Sent

sent_datasize

Bytes Received

received_datasize

Packets

packet

Packets Sent

sent_packet

Maximum Encapsulation

maximum_encapsulation_count

Unknown Protocol

unknown_protocol_count

Strict Check

strict_check_count

Tunnel Fragment

tunnel_fragment_count

Sessions Created

create_session_count

Sessions Closed

closed_session_count

Session End Reason

reason

Action Source

action_source

Start Time

start_ts

Elapsed Time

duration

Tunnel Inspection Rule

tunnel_inspection_rule

Authentication Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol

Mapping the Authentication Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Sequence Number

sequence_number

Action Flags

action_flag

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Device Group Hierarchy 1

device_group_hierarchy_1

Device Group Hierarchy 2

device_group_hierarchy_2

Device Group Hierarchy 3

device_group_hierarchy_3

Device Group Hierarchy 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Virtual System

virtual_system

Source IP

source_address

User

user

Normalize User

normalized_user

Object

object

Authentication Policy

authentication_policy

Authentication ID

authentication_id

Vendor

vendor

Log Action

log_profile

Repeat Count

repeat_count

Server Profile

server_profile

Description

description

Client Type

client_type

Event Type

event_type

Factor Number

factor_number

Authentication Protocol

authentication_protocol

GTP Log Fields

FUTURE_USE, receive_ts, serial_number, FUTURE_USE, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, log_level, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, action_source, start_ts, duration, tunnel_inspection_rule

Mapping the GTP Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Generated Time

log_ts

Source Address

source_address

Destination Address

destination_address

Rule Name

rule

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Source Port

source_port

Destination Port

destination_port

Protocol

protocol

Action

action

GTP Event Type

event_type

MSISDN

isdn

Access Point

Name access_point

Radio Access Technology

radio_access_technology

GTP Message Type

message_type

End User IP Address

subscriber_address

Tunnel Endpoint Identifier1

tunnel_endpoint_identifier_1

Tunnel Endpoint Identifier2

tunnel_endpoint_identifier_2

GTP Interface

gtp_interface

GTP Cause

status_code

Severity

log_level

Serving Country MCC

country_code

Serving Network MNC

network_code

Area Code

area_code

Cell ID

cell_id

GTP Event Code

event_code

Source Location

source_location

Destination Location

destination_location

Tunnel ID/IMSI

tunnel_id_imsi

Monitor Tag/IMEI

imei

Action Source

action_source

Start Time

start_ts

Elapsed Time

duration

Tunnel Inspection Rule

tunnel_inspection_rule

SCTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, log_level, chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet

Mapping the SCTP Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Generated Time

log_ts

Source Address

source_address

Destination Address

destination_address

Rule Name

rule

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

IP Protocol

protocol

Action

action

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Sequence Number

sequence_number

SCTP Association ID

sctp_association-id

Payload Protocol ID

payload_protocol_id

Severity

log_level

SCTP Chunk Type

chunk_type

SCTP Verification Tag 1

sctp_verification_tag_1

SCTP Verification Tag 2

sctp_verification_tag_2

SCTP Cause Code

cause_code

Diameter App ID

diameter_application_id

Diameter Command Code

diameter_command_code

Diameter AVP Code

diameter_avp_code

SCTP Stream ID

stream_id

SCTP Association End Reason

reason

Op Code

opcode

SCCP Calling Party SSN

calling_party_ssn

SCCP Calling Party Global Title

calling_party_global_title

SCTP Filter

filter

SCTP Chunks

chunk_count

SCTP Chunks Sent

sent_chunk

SCTP Chunks Received

received_chunk

Packets

packet

Packets Sent

sent_packet

Packets Received

received_packet

For the Palo Alto Network Firewall v9.0

Traffic Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection

Mapping the Traffic Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Source IP

source_address

Destination IP

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

Bytes

datasize

Bytes Sent

sent_datasize

Bytes Received

received_datasize

Packets

packet

Start Time

start_ts

Elapsed Time

duration

Category

category

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

Packets Sent

sent_packet

Packets Received

received_packet

Session End Reason

reason

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Action Source

action_source

Source VM UUID

source_vm_uuid

Destination VM UUID

destination_vm_uuid

Tunnel ID/IMSI

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel Type

tunnel_type

SCTP Association ID

sctp_association_id

SCTP Chunks

chunk_count

SCTP Chunks Sent

sent_chunk

SCTP Chunks Received

received_chunk

UUID for rule

rule_uuid

HTTP/2 Connection

http_connection

Threat Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, checksum, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header

Mapping the Threat Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Source IP

source_address

Destination IP

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

URL/Filename

url

Threat ID

threat_id

Category

category

Severity

log_level

Direction

direction

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

HIP Match Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system, machine, os, source_address, match, repeat_count, match_type, FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system, host, virtual_system_id, ipv6_source_address, host_id

Mapping the HIP Match Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Source User

user

Virtual System

virtual_system

Machine name

machine

OS

os

Source Address

source_address

HIP

match

Repeat Count

repeat_count

HIP Type

match_type

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system

Device Name

host

Virtual System ID

virtual_system_id

IPv6 Source Address

ipv6_source_address

Host ID

host_id

User-ID Log Fields

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, FUTURE_USE, FUTURE_USE, user_group_flag, source_user

Mapping the User-ID Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Virtual System

virtual_system

Source IP

source_address

User

user

Data Source Name

user_id

Event ID

event_id

Repeat Count

repeat_count

Time Out Threshold

timeout

Source Port

source_port

Destination Port

destination_port

Data Source

source

Data Source Type

source_type

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Factor Type

vendor

Factor Completion Time

authentication_ts

Factor Number

factor_number

User Group Flags

user_group_flag

Source by User

source_user

Tunnel Inspection Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, log_level, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule, rule_uuid

Mapping the Tunnel Inspection Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Subtype

sub_category

Generated Time

log_ts

Source IP

source_address

Destination IP

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

Severity

log_level

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Tunnel ID/IMS

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel

tunnel_type

Bytes

datasize

Bytes Sent

sent_datasize

Bytes Received

received_datasize

Packets

packet

Packets Sent

sent_packet

Maximum Encapsulation

maximum_encapsulation_count

Unknown Protocol

unknown_protocol_count

Strict Check

strict_check_count

Tunnel Fragment

tunnel_fragment_count

Sessions Created

create_session_count

Sessions Closed

closed_session_count

Session End Reason

reason

Action Source

action_source

Start Time

start_ts

Elapsed Time

duration

Tunnel Inspection Rule

tunnel_inspection_rule

UUID for rule

rule_uuid

SCTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, log_level, chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet, rule_uuid

Mapping the SCTP Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Subtype

sub_category

Generated Time

log_ts

Source IP

source_address

Destination IP

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

Severity

log_level

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Tunnel ID/IMS

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel

tunnel_type

Bytes

datasize

Bytes Sent

sent_datasize

Bytes Received

received_datasize

Packets

packet

Packets Sent

sent_packet

Maximum Encapsulation

maximum_encapsulation_count

Unknown Protocol

unknown_protocol_count

Strict Check

strict_check_count

Tunnel Fragment

tunnel_fragment_count

Sessions Created

create_session_count

Sessions Closed

closed_session_count

Session End Reason

reason

Action Source

action_source

Start Time

start_ts

Elapsed Time

duration

Tunnel Inspection Rule

tunnel_inspection_rule

UUID for rule

rule_uuid

Config Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the Config Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Subtype

sub_category

Generated Time

log_ts

Host

source_host

Virtual System

virtual_system

Command

command

Admin

admin

Client

client

Result

result

Configuration Path

path

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Authentication Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid

Mapping the Authentication Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time receive_ts

Serial Number

serial_number

Sequence Number

sequence_number

Action Flags

action_flag

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Device Group Hierarchy 1

device_group_hierarchy_1

Device Group Hierarchy 2

device_group_hierarchy_2

Device Group Hierarchy 3

device_group_hierarchy_3

Device Group Hierarchy 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Virtual System

virtual_system

Source IP

source_address

User

user

Normalize User

normalized_user

Object

object

Authentication Policy

authentication_policy

Authentication ID

authentication_id

Vendor

vendor

Log Action

log_profile

Repeat Count

repeat_count

Server Profile

server_profile

Description

description

Client Type

client_type

Event Type

event_type

Factor Number

factor_number

Authentication Protocol

authentication_protocol

UUID for rule

rule_uuid

System Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, log_level, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the System Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Content/Threat Type

sub_category

Generated Time

log_ts

Virtual System

virtual_system

Event ID

event_id

Object

object

Module

module

Severity

log_level

Description

description

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

For the Palo Alto Network Firewall v9.1

Traffic Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet,start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection, link_count, policy_id, switch, cluster, device_type, cluster_type, site, group

Mapping the Traffic Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Source Address

source_address

Destination Address

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

Bytes

datasize

Bytes Sent

sent_datasize

Bytes Received

received_datasize

Packets

packet

Start Time

start_ts

Elapsed Time

duration

Category

category

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

Packets Sent

sent_packet

Packets Received

received_packet

Session End Reason

reason

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Action Source

action_source

Source VM UUID

source_vm_uuid

Destination VM UUID

destination_vm_uuid

Tunnel ID/IMSI

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel Type

tunnel_type

SCTP Association ID

sctp_association_id

SCTP Chunks

chunk_count

SCTP Chunks Sent

sent_chunk

SCTP Chunks Received

received_chunk

Rule UUID

rule_uuid

HTTP/2 Connection

http_connection

Link Change Count

link_count

Policy ID

policy_id

Link Switches

switch

SD-WAN Cluster

cluster

SD-WAN Device Type

device_type

SD-WAN Cluster Type

cluster_type

SD-WAN Site

site

Dynamic User Group Name

group

Threat Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, hash, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header, url_category, rule_uuid, http_connection, group

Mapping the Threat Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

FUTURE_USE

FUTURE_USE

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

FUTURE_USE

FUTURE_USE

Generated Time

log_ts

Source Address

source_address

Destination Address

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

FUTURE_USE

FUTURE_USE

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

URL/Filename

url

Threat ID

threat_id

Category

category

Severity

log_level

Direction

direction

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

FUTURE_USE

FUTURE_USE

Content Type

content_type

PCAP_ID

pcap_id

File Digest

hash

Cloud

wildfire_cloud

URL Index

url_index

User Agent

user_agent

File Type

file_type

X-Forwarded-For

x_forwarded_for

Referer

referer

Sender

sender

Subject

subject

Recipient

receiver

Report ID

report_id

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

FUTURE_USE

FUTURE_USE

Source VM UUID

source_vm_uuid

Destination VM UUID

destination_vm_uuid

HTTP Method

request_method

Tunnel ID/IMSI

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel Type

tunnel_type

Threat Category

threat_category

Content Version

version

FUTURE_USE

FUTURE_USE

SCTP Association ID

sctp_association_id

Payload Protocol ID

payload_protocol_id

HTTP Headers

header

URL Category List

url_category

Rule UUID

rule_uuid

HTTP/2 Connection

http_connection

Dynamic User Group Name

group

Tunnel Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface,destination_interface,log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, log_level, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, received_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, group

Mapping the Tunnel Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

FUTURE_USE

FUTURE_USE

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Subtype

sub_category

FUTURE_USE

FUTURE_USE

Generated Time

log_ts

Source Address

source_address

Destination Address

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

FUTURE_USE

FUTURE_USE

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

Severity

log_level

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Tunnel ID/IMSI

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel

tunnel_type

Bytes

datasize

Bytes Sent

sent_datasize

Bytes Received

received_datasize

Packets

packet

Packets Sent

sent_packet

Packets Received

received_packet

Maximum Encapsulation

maximum_encapsulation_count

Unknown Protocol

unknown_protocol_count

Strict Check

strict_check_count

Tunnel Fragment

tunnel_fragment_count

Sessions Created

create_session_count

Sessions Closed

closed_session_count

Session End Reason

reason

Action Source

action_source

Start Time

start_ts

Elapsed Time

duration

Tunnel Inspection Rule

tunnel_inspection_rule

Remote User IP

remote_user_address

Remote User ID

remote_user_id

Rule UUID

rule_uuid

PCAP ID

pcap_id

Dynamic User Group

group

Config Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, device_group, comment

Mapping the Config Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

FUTURE_USE

FUTURE_USE

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Subtype

sub_category

FUTURE_USE

FUTURE_USE

Generated Time

log_ts

Host

source_host

Virtual System

virtual_system

Command

command

Admin

admin

Client

client

Result

result

Configuration Path

path

Before Change Detail

before_change_detail

After Change Detail

after_change_detail

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Device Group

device_group

Audit Comment

comment

System Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, log_level, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the System Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Content/Threat Type

sub_category

Generated Time

log_ts

Virtual System

virtual_system

Event ID

event_id

Object

object

Module

module

Severity

log_level

Description

description

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

HIP Match Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system, machine, os, source_address, match, repeat_count, match_type, FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system, host, virtual_system_id, ipv6_source_address, host_id

Mapping the HIP Match Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Source User

user

Virtual System

virtual_system

Machine name

machine

OS

os

Source Address

source_address

HIP

match

Repeat Count

repeat_count

HIP Type

match_type

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system

Device Name

host

Virtual System ID

virtual_system_id

IPv6 Source Address

ipv6_source_address

Host ID

host_id

Correlation Events Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, user, virtual_system, category, log_level, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, object, object_id, description

Mapping the Correlation Events Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Content/Threat Type

sub_category

Generated Time

log_ts

Source Address

source_address

Source User

user

Virtual System

virtual_system

Category

category

Severity

log_level

Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Object Name

object

Object ID

object_id

Evidence

description

User ID Log Fields

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor,authentication_ts, factor_number, FUTURE_USE, FUTURE_USE, user_group_flag, source_user

Mapping the User ID Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

FUTURE_USER

FUTURE_USER

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

FUTURE_USE

FUTURE_USE

Generated Time

log_ts

Virtual System

virtual_system

Source IP

source_address

User

user

Data Source Name

user_id

Event ID

event_id

Repeat Count

repeat_count

Time Out Threshold

timeout

Source Port

source_port

Destination Port

destination_port

Data Source

source

Data Source Type

source_type

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Authentication Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid

Mapping the Authentication Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time receive_ts

Serial Number

serial_number

Sequence Number

sequence_number

Action Flags

action_flag

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Device Group Hierarchy 1

device_group_hierarchy_1

Device Group Hierarchy 2

device_group_hierarchy_2

Device Group Hierarchy 3

device_group_hierarchy_3

Device Group Hierarchy 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Virtual System

virtual_system

Source IP

source_address

User

user

Normalize User

normalized_user

Object

object

Authentication Policy

authentication_policy

Authentication ID

authentication_id

Vendor

vendor

Log Action

log_profile

Repeat Count

repeat_count

Server Profile

server_profile

Description

description

Client Type

client_type

Event Type

event_type

Factor Number

factor_number

Authentication Protocol

authentication_protocol

UUID for rule

rule_uuid

GTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id

Mapping the GTP Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

FUTURE_USE

FUTURE_USE

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

FUTURE_USE

FUTURE_USE

Generated Time

log_ts

Source Address

source_address

Destination Address

destination_address

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

Rule Name

rule

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

FUTURE_USE

FUTURE_USE

Session ID

session_id

FUTURE_USE

FUTURE_USE

Source Port

source_port

Destination Port

destination_port

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

Protocol

protocol

Action

action

GTP Event Type

event_type

MSISDN

isdn

Access Point Name

access_point

Radio Access Technology

radio_access_technology

GTP Message Type

message_type

End User IP Address

subscriber_address

Tunnel Endpoint Identifier1

tunnel_endpoint_identifier_1

Tunnel Endpoint Identifier2

tunnel_endpoint_identifier_2

GTP Interface

gtp_interface

GTP Cause

status_code

Severity

log_level

Serving Country MCC

country_code

Serving Network MNC

network_code

Area Code

area_code

Cell ID

cell_id

GTP Event Code

event_code

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

Source Location

source_location

Destination Location

destination_location

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

Tunnel ID/IMSI

tunnel_id_imsi

Monitor Tag/IMEI

imei

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

FUTURE_USE

Start Time

start_ts

Elapsed Time

duration

Tunnel Inspection Rule

tunnel_inspection_rule

Remote User IP

remote_user_address

Remote User ID

remote_user_id

UUID for rule

rule_uuid

PCAP ID

pcap_id

SCTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, log_level, chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet, rule_uuid

Mapping the SCTP Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Subtype

sub_category

Generated Time

log_ts

Source IP

source_address

Destination IP

destination_address

NAT Source IP

nat_source_address

NAT Destination IP

nat_destination_address

Rule Name

rule

Source User

user

Destination User

target_user

Application

application

Virtual System

virtual_system

Source Zone

source_zone

Destination Zone

destination_zone

Inbound Interface

source_interface

Outbound Interface

destination_interface

Log Action

log_profile

Session ID

session_id

Repeat Count

repeat_count

Source Port

source_port

Destination Port

destination_port

NAT Source Port

nat_source_port

NAT Destination Port

nat_destination_port

Flags

flag

Protocol

protocol

Action

action

Severity

log_level

Sequence Number

sequence_number

Action Flags

action_flag

Source Location

source_location

Destination Location

destination_location

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Tunnel ID/IMS

tunnel_id_imsi

Monitor Tag/IMEI

imei

Parent Session ID

parent_session_id

Parent Start Time

parent_start_ts

Tunnel

tunnel_type

Bytes

datasize

Bytes Sent

sent_datasize

Bytes Received

received_datasize

Packets

packet

Packets Sent

sent_packet

Maximum Encapsulation

maximum_encapsulation_count

Unknown Protocol

unknown_protocol_count

Strict Check

strict_check_count

Tunnel Fragment

tunnel_fragment_count

Sessions Created

create_session_count

Sessions Closed

closed_session_count

Session End Reason

reason

Action Source

action_source

Start Time

start_ts

Elapsed Time

duration

Tunnel Inspection Rule

tunnel_inspection_rule

UUID for rule

rule_uuid

Global Protect Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag

User-ID Log Fields

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, FUTURE_USE, FUTURE_USE, user_group_flag, source_user

Mapping the User-ID Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Virtual System

virtual_system

Source IP

source_address

User

user

Data Source Name

user_id

Event ID

event_id

Repeat Count

repeat_count

Time Out Threshold

timeout

Source Port

source_port

Destination Port

destination_port

Data Source

source

Data Source Type

source_type

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Factor Type

vendor

Factor Completion Time

authentication_ts

Factor Number

factor_number

User Group Flags

user_group_flag

Source by User

source_user

For the Palo Alto Network Firewall v10.0

Traffic Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection, link_count, policy_id, switch, cluster, device_type, cluster_type, site, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, source_policy_group, destination_policy_group, event_ts, network_slice_service, network_slice_differentiator

Threat Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag,protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, hash, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referrer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header, url_category, rule_uuid, http_connection, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, domain_list, source_policy_group, destination_policy_group, partial_hash, event_ts, reason, description, network_slice_service

HIP Match Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system_name, machine, os, source_address, match, repeat_count, match_type,FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, ipv6_source_address, host_id, device_serial_number, hardware_address, event_ts

Global Protect Log Fields

FUTURE_USE, receive_ts, device_serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag, event_ts, selection_type, response_duration, gateway_priority, attempted_gateway, gateway

IPTAG Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, tag, event_id, repeat_count, duration, data_source, data_source_type, data_source_subtype, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, event_ts

SCTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, log_level,chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet, rule_uuid, event_ts

GTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, log_level, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, event_ts

Authentication Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user,normalized_user, object,authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, source_location, FUTURE_USE,user_agent, session_id

Tunnel Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, log_level, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, received_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason,action_source, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, group, source_list, destination_list, event_ts, network_slice_differentiator, network_slice_service, pdu_session_id

User ID Log Fields

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, FUTURE_USE, FUTURE_USE, user_group_flag, source_user, event_ts

System Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, log_level, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, FUTURE_USE, event_ts

Decryption Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, configuration_version, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, created_ts, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, tunnel_type, FUTURE_USE, FUTURE_USE, source_vm_uuid, destination_vm_uuid, rule_uuid, client_to_firewall_state, firewall_to_server_state, tls_version, key_exchange, cipher, algorithm, policy, ec_curve, error_index, status, chain_status, proxy, certificate_uid, certificate_hash, certificate_start_ts, certificate_end_ts, certificate_version, certificate_key_size, subject_length, issuer_length, root_length, server_length, certificate_flag, domain, issuer, root, client_host, error, container_id, pod_namespace, pod, source_list, destination_list, source_policy_group, destination_policy_group, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, sequence_number, action_flagSIG_ID=4310011

Config Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, device_group, comment

Mapping the Config Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

FUTURE_USE

FUTURE_USE

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Subtype

sub_category

FUTURE_USE

FUTURE_USE

Generated Time

log_ts

Host

source_host

Virtual System

virtual_system

Command

command

Admin

admin

Client

client

Result

result

Configuration Path

path

Before Change Detail

before_change_detail

After Change Detail

after_change_detail

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Device Group

device_group

Audit Comment

comment

Correlation Events Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, user, virtual_system, category, log_level, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, object, object_id, description

Mapping the Correlation Events Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Content/Threat Type

sub_category

Generated Time

log_ts

Source Address

source_address

Source User

user

Virtual System

virtual_system

Category

category

Severity

log_level

Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Object Name

object

Object ID

object_id

Evidence

description

For the Palo Alto Network Firewall v10.1

Traffic Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection, link_count, policy_id, switch, cluster, device_type, cluster_type, site, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, source_policy_group, destination_policy_group, session_owner, event_ts, network_slice_service, network_slice_differentiator, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, tunneled_application, is_saas_application, is_application_sanctioned, is_flow_offloaded

Threat Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, hash, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header, url_category, rule_uuid, http_connection, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, domain_list, source_policy_group, destination_policy_group, partial_hash, event_ts, reason, description, network_slice_service, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, tunneled_application, is_saas_application, is_application_sanctioned

Config Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, device_group, comment, FUTURE_USE, event_ts

GTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, log_level, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, event_ts, network_slice_service, network_slice_differentiator, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

Authentication Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, source_location, FUTURE_USE, user_agent, session_id

Tunnel Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule,user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, log_level, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, received_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, group, source_list, destination_list, event_ts, network_slice_differentiator, network_slice_service, pdu_session_id, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

Global Protect Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, device_serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag, event_ts, selection_type, response_duration, gateway_priority, attempted_gateway, gateway, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id

Decryption Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, configuration_version, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, created_ts, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, tunnel_type, FUTURE_USE, FUTURE_USE, source_vm_uuid, destination_vm_uuid, rule_uuid, client_to_firewall_state, firewall_to_server_state, tls_version, key_exchange, cipher, algorithm, policy, ec_curve, error_index, status, chain_status, proxy, certificate_uid, certificate_hash, certificate_start_ts, certificate_end_ts, certificate_version, certificate_key_size, subject_length, issuer_length, root_length, server_length, certificate_flag, domain, issuer, root, client_host, error, container_id, pod_namespace, pod, source_list, destination_list, source_policy_group, destination_policy_group, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id,a pplication_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

HIP Match Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system_name, machine, os, source_address, match, repeat_count, match_type,FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, ipv6_source_address, host_id, device_serial_number, hardware_address, event_ts

Global Protect Log Fields

FUTURE_USE, receive_ts, device_serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag, event_ts, selection_type, response_duration, gateway_priority, attempted_gateway, gateway

IPTAG Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, tag, event_id, repeat_count, duration, data_source, data_source_type, data_source_subtype, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, event_ts

SCTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, log_level,chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet, rule_uuid, event_ts

Authentication Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user,normalized_user, object,authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, source_location, FUTURE_USE,user_agent, session_id

System Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, log_level, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, FUTURE_USE, event_ts

Correlation Events Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, user, virtual_system, category, log_level, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, object, object_id, description

Mapping the Correlation Events Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Content/Threat Type

sub_category

Generated Time

log_ts

Source Address

source_address

Source User

user

Virtual System

virtual_system

Category

category

Severity

log_level

Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Object Name

object

Object ID

object_id

Evidence

description

Audit Log Fields

Serial Number, Generate Time, Threat/Content Type, FUTURE_USE, Event ID, Object, CLI Command, Severity

Mapping the Audit Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Serial Number

serial_number

Generate Time

log_ts

Threat/Content Type

sub_category

FUTURE_USE

FUTURE_USE

Event ID

event_id

Object

object

CLI Command

command

Severity

status

For the Palo Alto Network Firewall v10.2

Traffic Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection, link_count, policy_id, switch, cluster, device_type, cluster_type, site, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, source_policy_group, destination_policy_group, session_owner, event_ts, network_slice_service, network_slice_differentiator, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, tunneled_application, is_saas_application, is_application_sanctioned, is_flow_offloaded

Threat Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system,  source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, hash, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header, url_category, rule_uuid, http_connection, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, domain_list, source_policy_group, destination_policy_group, partial_hash, event_ts, reason, description, network_slice_service, application_subcategory, application_category, application_technology,  application_risk, application_characteristic, application_container, tunneled_application, is_saas_application, is_application_sanctioned, cloud_report_id

HIP Match Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system_name, machine, os, source_address, match, repeat_count, match_type,FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, ipv6_source_address, host_id, device_serial_number, hardware_address, event_ts

Global Protect Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, device_serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag, event_ts, selection_type, response_duration, gateway_priority, attempted_gateway, gateway, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id

IPTAG Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, tag, event_id, repeat_count, duration, data_source, data_source_type, data_source_subtype, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, event_ts

User-ID Log Fields

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, FUTURE_USE, FUTURE_USE, user_group_flag, source_user

Mapping the User-ID Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Threat/Content Type

sub_category

Generated Time

log_ts

Virtual System

virtual_system

Source IP

source_address

User

user

Data Source Name

user_id

Event ID

event_id

Repeat Count

repeat_count

Time Out Threshold

timeout

Source Port

source_port

Destination Port

destination_port

Data Source

source

Data Source Type

source_type

Sequence Number

sequence_number

Action Flags

action_flag

Device Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Factor Type

vendor

Factor Completion Time

authentication_ts

Factor Number

factor_number

User Group Flags

user_group_flag

Source by User

source_user

Decryption Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, configuration_version, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, created_ts, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, tunnel_type, FUTURE_USE, FUTURE_USE, source_vm_uuid, destination_vm_uuid, rule_uuid, client_to_firewall_state, firewall_to_server_state, tls_version, key_exchange, cipher, algorithm, policy, ec_curve, error_index, status, chain_status, proxy, certificate_uid, certificate_hash, certificate_start_ts, certificate_end_ts, certificate_version, certificate_key_size, subject_length, issuer_length, root_length, server_length, certificate_flag, domain, issuer, root, client_host, error, container_id, pod_namespace, pod, source_list, destination_list, source_policy_group, destination_policy_group, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id,a pplication_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

Tunnel Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule,user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, log_level, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, received_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, group, source_list, destination_list, event_ts, network_slice_differentiator, network_slice_service, pdu_session_id, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

SCTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, log_level,chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet, rule_uuid, event_ts

Authentication Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user,normalized_user, object,authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, source_location, FUTURE_USE,user_agent, session_id

Config Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, device_group, comment, FUTURE_USE, event_ts

System Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, log_level, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, FUTURE_USE, event_ts

Correlation Events Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, user, virtual_system, category, log_level, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, object, object_id, description

Mapping the Correlation Events Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Receive Time

receive_ts

Serial Number

serial_number

Type

event_category

Content/Threat Type

sub_category

Generated Time

log_ts

Source Address

source_address

Source User

user

Virtual System

virtual_system

Category

category

Severity

log_level

Group Hierarchy Level 1

device_group_hierarchy_1

Device Group Hierarchy Level 2

device_group_hierarchy_2

Device Group Hierarchy Level 3

device_group_hierarchy_3

Device Group Hierarchy Level 4

device_group_hierarchy_4

Virtual System Name

virtual_system_name

Device Name

host

Virtual System ID

virtual_system_id

Object Name

object

Object ID

object_id

Evidence

description

Audit Log Fields

Serial Number, Generate Time, Threat/Content Type, FUTURE_USE, Event ID, Object, CLI Command, Severity

Mapping the Audit Log Fields

Palo Alto Network Firewall Fields

Logpoint Fields

Serial Number

serial_number

Generate Time

log_ts

Threat/Content Type

sub_category

FUTURE_USE

FUTURE_USE

Event ID

event_id

Object

object

CLI Command

command

Severity

status

For the Palo Alto Network Firewall v11.0

Traffic Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection, link_count, policy_id, switch, cluster, device_type, cluster_type, site, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, source_policy_group, destination_policy_group, session_owner, event_ts, network_slice_service, network_slice_differentiator, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, tunneled_application, is_saas_application, is_application_sanctioned, is_flow_offloaded, flow_type, firewall_cluster

Threat Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, hash, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header, url_category, rule_uuid, http_connection, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, domain_list, source_policy_group, destination_policy_group, partial_hash, event_ts, reason, description, network_slice_service, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, tunneled_application, is_saas_application, is_application_sanctioned, cloud_report_id, firewall_cluster, flow_type

HIP Match Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system, machine, os, source_address, match, repeat_count, match_type, FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, ipv6_source_address, host_id, device_serial_number, hardware_address, event_ts, firewall_cluster

Global Protect Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, device_serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag, event_ts, selection_type, response_duration, gateway_priority, attempted_gateway, gateway, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, firewall_cluster

IPTAG Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, tag, event_id, repeat_count, duration, data_source, data_source_type, data_source_subtype, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, event_ts, firewall_cluster

User ID Log Fields

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, user_group_flag, source_user, tag, event_ts, data_source, FUTURE_USE, firewall_cluster

Decryption Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, configuration_version, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, created_ts, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, tunnel_type, FUTURE_USE, FUTURE_USE, source_vm_uuid, destination_vm_uuid, rule_uuid, client_to_firewall_state, firewall_to_server_state, tls_version, key_exchange, cipher, algorithm, policy, ec_curve, error_index, status, chain_status, proxy, certificate_uid, certificate_hash, certificate_start_ts, certificate_end_ts, certificate_version, certificate_key_size, subject_length, issuer_length, root_length, server_length, certificate_flag, domain, issuer, root, client_host, error, container_id, pod_namespace, pod, source_list, destination_list, source_policy_group, destination_policy_group, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, is_saas_application, is_application_sanctioned, firewall_cluster

Tunnel Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, log_level, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, received_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, group, source_list, destination_list, event_ts, network_slice_differentiator, network_slice_service, pdu_session_id, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, is_saas_application, is_application_sanctioned, firewall_cluster

SCTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, log_level,chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet, rule_uuid, event_ts

Authentication Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, source_location, FUTURE_USE, user_agent, session_id, firewall_cluster

Config Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, device_group, comment, FUTURE_USE, event_ts

System Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, log_level, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, FUTURE_USE, event_ts

Correlation Events Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE,FUTURE_USE, rule, FUTURE_USE, FUTURE_USE,  application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port,FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type,subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface,status_code, log_level, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE,FUTURE_USE, FUTURE_USE,FUTURE_USE, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id

Audit Log Fields

serial_number,log_ts,sub_category,FUTURE_USE,event_id,object,command,status

GTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, log_level, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, event_ts, network_slice_service, network_slice_differentiator, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

For the Palo Alto Network Firewall v11.1 or later

Traffic Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection, link_count, policy_id, switch, cluster, device_type, cluster_type, site, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, source_policy_group, destination_policy_group, session_owner, event_ts, network_slice_service, network_slice_differentiator, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, tunneled_application, is_saas_application, is_application_sanctioned, is_flow_offloaded, flow_type, firewall_cluster

Threat Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, hash, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header, url_category, rule_uuid, http_connection, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, domain_list, source_policy_group, destination_policy_group, partial_hash, event_ts, reason, description, network_slice_service, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, tunneled_application, is_saas_application, is_application_sanctioned, cloud_report_id, firewall_cluster, flow_type

HIP Match Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system, machine, os, source_address, match, repeat_count, match_type, FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, ipv6_source_address, host_id, device_serial_number, hardware_address, event_ts, firewall_cluster

Global Protect Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, device_serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag, event_ts, selection_type, response_duration, gateway_priority, attempted_gateway, gateway, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, firewall_cluster

IPTAG Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, tag, event_id, repeat_count, duration, data_source, data_source_type, data_source_subtype, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, event_ts, firewall_cluster

User ID Log Fields

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, user_group_flag, source_user, tag, event_ts, data_source, FUTURE_USE, firewall_cluster

Decryption Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, configuration_version, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, created_ts, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, tunnel_type, FUTURE_USE, FUTURE_USE, source_vm_uuid, destination_vm_uuid, rule_uuid, client_to_firewall_state, firewall_to_server_state, tls_version, key_exchange, cipher, algorithm, policy, ec_curve, error_index, status, chain_status, proxy, certificate_uid, certificate_hash, certificate_start_ts, certificate_end_ts, certificate_version, certificate_key_size, subject_length, issuer_length, root_length, server_length, certificate_flag, domain, issuer, root, client_host, error, container_id, pod_namespace, pod, source_list, destination_list, source_policy_group, destination_policy_group, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, is_saas_application, is_application_sanctioned, firewall_cluster

Tunnel Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, log_level, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, received_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, group, source_list, destination_list, event_ts, network_slice_differentiator, network_slice_service, pdu_session_id, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, is_saas_application, is_application_sanctioned, firewall_cluster

SCTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, log_level,chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet, rule_uuid, event_ts

Authentication Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, source_location, FUTURE_USE, user_agent, session_id, firewall_cluster

Config Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, device_group, comment, FUTURE_USE, event_ts

System Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, log_level, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, FUTURE_USE, event_ts

Correlation Events Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, user, virtual_system, category, log_level, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, object, object_id, description

GTP Log Fields

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, log_level, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, event_ts, network_slice_service, network_slice_differentiator, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

Audit Log Fields

serial_number,log_ts,sub_category,FUTURE_USE,event_id,object,command,status

Helpful?

We are glad this guide helped.


Please don't include any personal information in your comment

Contact Support