Page Contents

Vendor Field Map

Vendor Field Map¶

For the Palo Alto Network Firewall v8.1¶

Traffic Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk

Mapping the Traffic Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Source IP	source_address
Destination IP	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
Bytes	datasize
Bytes Sent	sent_datasize
Bytes Received	received_datasize
Packets	packet
Start Time	start_ts
Elapsed Time	duration
Category	category
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location
Packets Sent	sent_packet
Packets Received	received_packet
Session End Reason	reason
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Action Source	action_source
Source VM UUID	source_vm_uuid
Destination VM UUID	destination_vm_uuid
Tunnel ID/IMSI	tunnel_id_imsi
Monitor Tag/IMEI	imei
Parent Session ID	parent_session_id
Parent Start Time	parent_start_ts
Tunnel Type	tunnel_type
SCTP Association ID	sctp_association_id
SCTP Chunks	chunk_count
SCTP Chunks Sent	sent_chunk
SCTP Chunks Received	received_chunk

Threat Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, severity, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, checksum, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header

Mapping the Threat Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Source IP	source_address
Destination IP	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
URL/Filename	url
Threat ID	threat_id
Category	category
Severity	severity
Direction	direction
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location
Content Type	content_type
PCAP_ID	pcap_id
File Digest	checksum
Cloud	wildfire_cloud
URL Index	url_index
User Agent	user_agent
File Type	file_type
X-Forwarded-For	x_forwarded_for
Referer	referer
Sender	sender
Subject	subject
Recipient	receiver
Report ID	report_id
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Source VM UUID	source_vm_uuid
Destination VM UUID	destination_vm_uuid
HTTP Method	request_method
Tunnel ID/IMSI	tunnel_id_imsi
Monitor Tag/IMEI	imei
Parent Session ID	parent_session_id
Parent Start Time	parent_start_ts
Tunnel Type	tunnel_type
Threat Category	threat_category
Content Version	version
SCTP Association ID	sctp_association_id
Payload Protocol ID	payload_protocol_id
HTTP Headers	header

Config Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, before_change_detail, after_change_detail, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the Config Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Subtype	sub_category
Generated Time	log_ts
Host	source_host
Virtual System	virtual_system
Command	command
Admin	admin
Client	client
Result	result
Configuration Path	path
Before Change Detail	before_change_detail
After Change Detail	after_change_detail
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host

System Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, severity, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the System Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Content/Threat Type	sub_category
Generated Time	log_ts
Virtual System	virtual_system
Event ID	event_id
Object	object
Module	module
Severity	severity
Description	description
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host

HIP Match Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system, machine, os, source_address, match, repeat_count, match_type, FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system, host, virtual_system_id, ipv6_source_address, host_id

Mapping the HIP Match Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Source User	user
Virtual System	virtual_system
Machine name	machine
OS	os
Source Address	source_address
HIP	match
Repeat Count	repeat_count
HIP Type	match_type
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system
Device Name	host
Virtual System ID	virtual_system_id
IPv6 Source Address	ipv6_source_address
Host ID	host_id

Correlation Events Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, user, virtual_system, category, severity, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, object, object_id, description

Mapping the Correlation Events Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Content/Threat Type	sub_category
Generated Time	log_ts
Source Address	source_address
Source User	user
Virtual System	virtual_system
Category	category
Severity	severity
Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Virtual System ID	virtual_system_id
Object Name	object
Object ID	object_id
Evidence	description

User-ID Log Fields¶

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, FUTURE_USE, FUTURE_USE

Mapping the User-ID Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Virtual System	virtual_system
Source IP	source_address
User	user
Data Source Name	user_id
Event ID	event_id
Repeat Count	repeat_count
Time Out Threshold	timeout
Source Port	source_port
Destination Port	destination_port
Data Source	source
Data Source Type	source_type
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Virtual System ID	virtual_system_id
Factor Type	vendor
Factor Completion Time	authentication_ts
Factor Number	factor_number

Tunnel Inspection Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, severity, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule

Mapping the Tunnel Inspection Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Subtype	sub_category
Generated Time	log_ts
Source IP	source_address
Destination IP	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
Severity	severity
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Tunnel ID/IMS	tunnel_id_imsi
Monitor Tag/IMEI	imei
Parent Session ID	parent_session_id
Parent Start Time	parent_start_ts
Tunnel	tunnel_type
Bytes	datasize
Bytes Sent	sent_datasize
Bytes Received	received_datasize
Packets	packet
Packets Sent	sent_packet
Maximum Encapsulation	maximum_encapsulation_count
Unknown Protocol	unknown_protocol_count
Strict Check	strict_check_count
Tunnel Fragment	tunnel_fragment_count
Sessions Created	create_session_count
Sessions Closed	closed_session_count
Session End Reason	reason
Action Source	action_source
Start Time	start_ts
Elapsed Time	duration
Tunnel Inspection Rule	tunnel_inspection_rule

Authentication Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol

Mapping the Authentication Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Sequence Number	sequence_number
Action Flags	action_flag
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Device Group Hierarchy 1	device_group_hierarchy_1
Device Group Hierarchy 2	device_group_hierarchy_2
Device Group Hierarchy 3	device_group_hierarchy_3
Device Group Hierarchy 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Virtual System ID	virtual_system_id
Virtual System	virtual_system
Source IP	source_address
User	user
Normalize User	normalized_user
Object	object
Authentication Policy	authentication_policy
Authentication ID	authentication_id
Vendor	vendor
Log Action	log_profile
Repeat Count	repeat_count
Server Profile	server_profile
Description	description
Client Type	client_type
Event Type	event_type
Factor Number	factor_number
Authentication Protocol	authentication_protocol

GTP Log Fields¶

FUTURE_USE, receive_ts, serial_number, FUTURE_USE, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, severity, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, action_source, start_ts, duration, tunnel_inspection_rule

Mapping the GTP Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Generated Time	log_ts
Source Address	source_address
Destination Address	destination_address
Rule Name	rule
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Source Port	source_port
Destination Port	destination_port
Protocol	protocol
Action	action
GTP Event Type	event_type
MSISDN	isdn
Access Point	Name access_point
Radio Access Technology	radio_access_technology
GTP Message Type	message_type
End User IP Address	subscriber_address
Tunnel Endpoint Identifier1	tunnel_endpoint_identifier_1
Tunnel Endpoint Identifier2	tunnel_endpoint_identifier_2
GTP Interface	gtp_interface
GTP Cause	status_code
Severity	severity
Serving Country MCC	country_code
Serving Network MNC	network_code
Area Code	area_code
Cell ID	cell_id
GTP Event Code	event_code
Source Location	source_location
Destination Location	destination_location
Tunnel ID/IMSI	tunnel_id_imsi
Monitor Tag/IMEI	imei
Action Source	action_source
Start Time	start_ts
Elapsed Time	duration
Tunnel Inspection Rule	tunnel_inspection_rule

SCTP Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, severity,chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet

Mapping the SCTP Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Generated Time	log_ts
Source Address	source_address
Destination Address	destination_address
Rule Name	rule
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
IP Protocol	protocol
Action	action
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Sequence Number	sequence_number
SCTP Association ID	sctp_association-id
Payload Protocol ID	payload_protocol_id
Severity	severity
SCTP Chunk Type	chunk_type
SCTP Verification Tag 1	sctp_verification_tag_1
SCTP Verification Tag 2	sctp_verification_tag_2
SCTP Cause Code	cause_code
Diameter App ID	diameter_application_id
Diameter Command Code	diameter_command_code
Diameter AVP Code	diameter_avp_code
SCTP Stream ID	stream_id
SCTP Association End Reason	reason
Op Code	opcode
SCCP Calling Party SSN	calling_party_ssn
SCCP Calling Party Global Title	calling_party_global_title
SCTP Filter	filter
SCTP Chunks	chunk_count
SCTP Chunks Sent	sent_chunk
SCTP Chunks Received	received_chunk
Packets	packet
Packets Sent	sent_packet
Packets Received	received_packet

For the Palo Alto Network Firewall v9.0¶

Traffic Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection

Mapping the Traffic Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Source IP	source_address
Destination IP	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
Bytes	datasize
Bytes Sent	sent_datasize
Bytes Received	received_datasize
Packets	packet
Start Time	start_ts
Elapsed Time	duration
Category	category
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location
Packets Sent	sent_packet
Packets Received	received_packet
Session End Reason	reason
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Action Source	action_source
Source VM UUID	source_vm_uuid
Destination VM UUID	destination_vm_uuid
Tunnel ID/IMSI	tunnel_id_imsi
Monitor Tag/IMEI	imei
Parent Session ID	parent_session_id
Parent Start Time	parent_start_ts
Tunnel Type	tunnel_type
SCTP Association ID	sctp_association_id
SCTP Chunks	chunk_count
SCTP Chunks Sent	sent_chunk
SCTP Chunks Received	received_chunk
UUID for rule	rule_uuid
HTTP/2 Connection	http_connection

Threat Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, severity, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, checksum, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header

Mapping the Threat Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Source IP	source_address
Destination IP	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
URL/Filename	url
Threat ID	threat_id
Category	category
Severity	severity
Direction	direction
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location

HIP Match Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system, machine, os, source_address, match, repeat_count, match_type, FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system, host, virtual_system_id, ipv6_source_address, host_id

Mapping the HIP Match Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Source User	user
Virtual System	virtual_system
Machine name	machine
OS	os
Source Address	source_address
HIP	match
Repeat Count	repeat_count
HIP Type	match_type
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system
Device Name	host
Virtual System ID	virtual_system_id
IPv6 Source Address	ipv6_source_address
Host ID	host_id

User-ID Log Fields¶

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, FUTURE_USE, FUTURE_USE, user_group_flag, source_user

Mapping the User-ID Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Virtual System	virtual_system
Source IP	source_address
User	user
Data Source Name	user_id
Event ID	event_id
Repeat Count	repeat_count
Time Out Threshold	timeout
Source Port	source_port
Destination Port	destination_port
Data Source	source
Data Source Type	source_type
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Virtual System ID	virtual_system_id
Factor Type	vendor
Factor Completion Time	authentication_ts
Factor Number	factor_number
User Group Flags	user_group_flag
Source by User	source_user

Tunnel Inspection Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, severity, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule, rule_uuid

Mapping the Tunnel Inspection Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Subtype	sub_category
Generated Time	log_ts
Source IP	source_address
Destination IP	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
Severity	severity
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Tunnel ID/IMS	tunnel_id_imsi
Monitor Tag/IMEI	imei
Parent Session ID	parent_session_id
Parent Start Time	parent_start_ts
Tunnel	tunnel_type
Bytes	datasize
Bytes Sent	sent_datasize
Bytes Received	received_datasize
Packets	packet
Packets Sent	sent_packet
Maximum Encapsulation	maximum_encapsulation_count
Unknown Protocol	unknown_protocol_count
Strict Check	strict_check_count
Tunnel Fragment	tunnel_fragment_count
Sessions Created	create_session_count
Sessions Closed	closed_session_count
Session End Reason	reason
Action Source	action_source
Start Time	start_ts
Elapsed Time	duration
Tunnel Inspection Rule	tunnel_inspection_rule
UUID for rule	rule_uuid

SCTP Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, severity,chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet, rule_uuid

Mapping the SCTP Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Subtype	sub_category
Generated Time	log_ts
Source IP	source_address
Destination IP	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
Severity	severity
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Tunnel ID/IMS	tunnel_id_imsi
Monitor Tag/IMEI	imei
Parent Session ID	parent_session_id
Parent Start Time	parent_start_ts
Tunnel	tunnel_type
Bytes	datasize
Bytes Sent	sent_datasize
Bytes Received	received_datasize
Packets	packet
Packets Sent	sent_packet
Maximum Encapsulation	maximum_encapsulation_count
Unknown Protocol	unknown_protocol_count
Strict Check	strict_check_count
Tunnel Fragment	tunnel_fragment_count
Sessions Created	create_session_count
Sessions Closed	closed_session_count
Session End Reason	reason
Action Source	action_source
Start Time	start_ts
Elapsed Time	duration
Tunnel Inspection Rule	tunnel_inspection_rule
UUID for rule	rule_uuid

Config Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, before_change_detail, after_change_detail, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the Config Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
RReceive Time	receive_ts
Serial Number	serial_number
Type	event_category
Subtype	sub_category
Generated Time	log_ts
Host	source_host
Virtual System	virtual_system
Command	command
Admin	admin
Client	client
Result	result
Configuration Path	path
Before Change Detail	before_change_detail
After Change Detail	after_change_detail
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host

Authentication Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid

Mapping the Authentication Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time receive_ts
Serial Number	serial_number
Sequence Number	sequence_number
Action Flags	action_flag
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Device Group Hierarchy 1	device_group_hierarchy_1
Device Group Hierarchy 2	device_group_hierarchy_2
Device Group Hierarchy 3	device_group_hierarchy_3
Device Group Hierarchy 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Virtual System ID	virtual_system_id
Virtual System	virtual_system
Source IP	source_address
User	user
Normalize User	normalized_user
Object	object
Authentication Policy	authentication_policy
Authentication ID	authentication_id
Vendor	vendor
Log Action	log_profile
Repeat Count	repeat_count
Server Profile	server_profile
Description	description
Client Type	client_type
Event Type	event_type
Factor Number	factor_number
Authentication Protocol	authentication_protocol
UUID for rule	rule_uuid

For the Palo Alto Network Firewall v9.1¶

Traffic Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet,start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection, link_count, policy_id, switch, cluster, device_type, site, group, FUTURE_USE

Mapping the Traffic Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
Generated Time	log_ts
Source Address	source_address
Destination Address	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
Bytes	datasize
Bytes Sent	sent_datasize
Bytes Received	received_datasize
Packets	packet
Start Time	start_ts
Elapsed Time	duration
Category	category
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location
Packets Sent	sent_packet
Packets Received	received_packet
Session End Reason	reason
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Action Source	action_source
Source VM UUID	source_vm_uuid
Destination VM UUID	destination_vm_uuid
Tunnel ID/IMSI	tunnel_id_imsi
Monitor Tag/IMEI	imei
Parent Session ID	parent_session_id
Parent Start Time	parent_start_ts
Tunnel Type	tunnel_type
SCTP Association ID	sctp_association_id
SCTP Chunks	chunk_count
SCTP Chunks Sent	sent_chunk
SCTP Chunks Received	received_chunk
Rule UUID	rule_uuid
HTTP/2 Connection	http_connection
Link Change Count	link_count
Policy ID	policy_id
Link Switches	switch
SD-WAN Cluster	cluster
SD-WAN Device Type	device_type
SD-WAN Site	site
Dynamic User Group Name	group

Threat Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, severity, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, hash, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header, url_category, rule_uuid, http_connection, group

Mapping the Threat Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USE	FUTURE_USE
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Source Address	source_address
Destination Address	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
FUTURE_USE	FUTURE_USE
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
URL/Filename	url
Threat ID	threat_id
Category	category
Severity	severity
Direction	direction
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location
FUTURE_USE	FUTURE_USE
Content Type	content_type
PCAP_ID	pcap_id
File Digest	hash
Cloud	wildfire_cloud
URL Index	url_index
User Agent	user_agent
File Type	file_type
X-Forwarded-For	x_forwarded_for
Referer	referer
Sender	sender
Subject	subject
Recipient	receiver
Report ID	report_id
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
FUTURE_USE	FUTURE_USE
Source VM UUID	source_vm_uuid
Destination VM UUID	destination_vm_uuid
HTTP Method	request_method
Tunnel ID/IMSI	tunnel_id_imsi
Monitor Tag/IMEI	imei
Parent Session ID	parent_session_id
Parent Start Time	parent_start_ts
Tunnel Type	tunnel_type
Threat Category	threat_category
Content Version	version
FUTURE_USE	FUTURE_USE
SCTP Association ID	sctp_association_id
Payload Protocol ID	payload_protocol_id
HTTP Headers	header
URL Category List	url_category
Rule UUID	rule_uuid
HTTP/2 Connection	http_connection
Dynamic User Group Name	group

Tunnel Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface,destination_interface,log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, severity, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, received_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, group

Mapping the Tunnel Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USE	FUTURE_USE
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Subtype	sub_category
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Source Address	source_address
Destination Address	destination_address
NAT Source IP	nat_source_address
NAT Destination IP	nat_destination_address
Rule Name	rule
Source User	user
Destination User	target_user
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
FUTURE_USE	FUTURE_USE
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
NAT Source Port	nat_source_port
NAT Destination Port	nat_destination_port
Flags	flag
Protocol	protocol
Action	action
Severity	severity
Sequence Number	sequence_number
Action Flags	action_flag
Source Location	source_location
Destination Location	destination_location
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Tunnel ID/IMSI	tunnel_id_imsi
Monitor Tag/IMEI	imei
Parent Session ID	parent_session_id
Parent Start Time	parent_start_ts
Tunnel	tunnel_type
Bytes	datasize
Bytes Sent	sent_datasize
Bytes Received	received_datasize
Packets	packet
Packets Sent	sent_packet
Packets Received	received_packet
Maximum Encapsulation	maximum_encapsulation_count
Unknown Protocol	unknown_protocol_count
Strict Check	strict_check_count
Tunnel Fragment	tunnel_fragment_count
Sessions Created	create_session_count
Sessions Closed	closed_session_count
Session End Reason	reason
Action Source	action_source
Start Time	start_ts
Elapsed Time	duration
Tunnel Inspection Rule	tunnel_inspection_rule
Remote User IP	remote_user_address
Remote User ID	remote_user_id
Rule UUID	rule_uuid
PCAP ID	pcap_id
Dynamic User Group	group

Config Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the Config Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USE	FUTURE_USE
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Subtype	sub_category
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Host	source_host
Virtual System	virtual_system
Command	command
Admin	admin
Client	client
Result	result
Configuration Path	path
Before Change Detail	before_change_detail
After Change Detail	after_change_detail
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host

System Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, severity, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host

Mapping the System Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USE	FUTURE_USE
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Content/Threat Type	sub_category
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Virtual System	virtual_system
Event ID	event_id
Object	object
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Module	module
Severity	severity
Description	description
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host

HIP Match Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system, machine, os, source_address, match, repeat_count, match_type, FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system, host, virtual_system_id, ipv6_source_address, host_id, device_serial_number

Mapping the HIP Match Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USE	FUTURE_USE
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Source User	user
Virtual System	virtual_system
Machine name	machine
OS	os
Source Address	source_address
HIP	match
Repeat Count	repeat_count
HIP Type	match_type
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system
Device Name	host
Virtual System ID	virtual_system_id
IPv6 Source Address	ipv6_source_address
Host ID	host_id
User Device Serial Number	device_serial_number

Correlated Event Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, user, virtual_system, category, severity, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, object, object_id, description

Mapping the Correlated Event Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USE	FUTURE_USE
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Content/Threat Type	sub_category
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Source Address	source_address
Source User	user
Virtual System	virtual_system
Category	category
Severity	severity
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Virtual System ID	virtual_system_id
Object Name	object
Object ID	object_id
Evidence	description

User ID Log Fields¶

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor,authentication_ts, factor_number, FUTURE_USE, FUTURE_USE, user_group_flag, source_user

Mapping the User ID Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USER	FUTURE_USER
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Virtual System	virtual_system
Source IP	source_address
User	user
Data Source Name	user_id
Event ID	event_id
Repeat Count	repeat_count
Time Out Threshold	timeout
Source Port	source_port
Destination Port	destination_port
Data Source	source
Data Source Type	source_type
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2

Authentication Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user,normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid

Mapping the Authentication Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USE	FUTURE_USE
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
Threat/Content Type	sub_category
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Virtual System	virtual_system
Source IP	source_address
User	user
Normalize User	normalized_user
Object	object
Authentication Policy	authentication_policy
Repeat Count	repeat_count
Authentication ID	authentication_id
Vendor	vendor
Log Action	log_profile
Server Profile	server_profile
Description	description
Client Type	client_type
Event Type	event_type
Factor Number	factor_number
Sequence Number	sequence_number
Action Flags	action_flag
Device Group Hierarchy 1	device_group_hierarchy_1
Device Group Hierarchy 2	device_group_hierarchy_2
Device Group Hierarchy 3	device_group_hierarchy_3
Device Group Hierarchy 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Virtual System ID	virtual_system_id
Authentication Protocol	authentication_protocol
UUID for rule	rule_uuid

GTP Log Fields¶

FUTURE_USE, receive_ts, serial_number, FUTURE_USE, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, severity, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id

Mapping the GTP Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USE	FUTURE_USE
Receive Time	receive_ts
Serial Number	serial_number
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Source Address	source_address
Destination Address	destination_address
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Rule Name	rule
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Application	application
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
FUTURE_USE	FUTURE_USE
Session ID	session_id
FUTURE_USE	FUTURE_USE
Source Port	source_port
Destination Port	destination_port
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Protocol	protocol
Action	action
GTP Event Type	event_type
MSISDN	isdn
Access Point Name	access_point
Radio Access Technology	radio_access_technology
GTP Message Type	message_type
End User IP Address	subscriber_address
Tunnel Endpoint Identifier1	tunnel_endpoint_identifier_1
Tunnel Endpoint Identifier2	tunnel_endpoint_identifier_2
GTP Interface	gtp_interface
GTP Cause	status_code
Severity	severity
Serving Country MCC	country_code
Serving Network MNC	network_code
Area Code	area_code
Cell ID	cell_id
GTP Event Code	event_code
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Source Location	source_location
Destination Location	destination_location
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Tunnel ID/IMSI	tunnel_id_imsi
Monitor Tag/IMEI	imei
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Start Time	start_ts
Elapsed Time	duration
Tunnel Inspection Rule	tunnel_inspection_rule
Remote User IP	remote_user_address
Remote User ID	remote_user_id
UUID for rule	rule_uuid
PCAP ID	pcap_id

SCTP Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association-id, payload_protocol_id, severity, chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet_count, sent_packet, received_packet, rule_uuid

Mapping the SCTP Log Fields¶

Palo Alto Network Firewall Fields	LogPoint Fields
FUTURE_USE	FUTURE_USE
Receive Time	receive_ts
Serial Number	serial_number
Type	event_category
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Generated Time	log_ts
Source Address	source_address
Destination Address	destination_address
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Rule Name	rule
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
Virtual System	virtual_system
Source Zone	source_zone
Destination Zone	destination_zone
Inbound Interface	source_interface
Outbound Interface	destination_interface
Log Action	log_profile
FUTURE_USE	FUTURE_USE
Session ID	session_id
Repeat Count	repeat_count
Source Port	source_port
Destination Port	destination_port
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
FUTURE_USE	FUTURE_USE
IP Protocol	protocol
Action	action
Device Group Hierarchy Level 1	device_group_hierarchy_1
Device Group Hierarchy Level 2	device_group_hierarchy_2
Device Group Hierarchy Level 3	device_group_hierarchy_3
Device Group Hierarchy Level 4	device_group_hierarchy_4
Virtual System Name	virtual_system_name
Device Name	host
Sequence Number	sequence_number
FUTURE_USE	FUTURE_USE
SCTP Association ID	sctp_association-id
Payload Protocol ID	payload_protocol_id
Severity	severity
SCTP Chunk Type	chunk_type
FUTURE_USE	FUTURE_USE
SCTP Verification Tag 1	sctp_verification_tag_1
SCTP Verification Tag 2	sctp_verification_tag_2
SCTP Cause Code	cause_code
Diameter App ID	diameter_application_id
Diameter Command Code	diameter_command_code
Diameter AVP Code	diameter_avp_code
SCTP Stream ID	stream_id
SCTP Association End Reason	reason
Op Code	opcode
SCCP Calling Party SSN	calling_party_ssn
SCCP Calling Party Global Title	calling_party_global_title
SCTP Filter	filter
SCTP Chunks	chunk_count
SCTP Chunks Sent	sent_chunk
SCTP Chunks Received	received_chunk
Packets	packet_count
Packets Sent	sent_packet
Packets Received	received_packet
UUID for rule	rule_uuid

Global Protect Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag

For the Palo Alto Network Firewall v10.0¶

Traffic Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection, link_count, policy_id, switch, cluster, device_type, cluster_type, site, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, source_policy_group, destination_policy_group, session_owner, event_ts, network_slice_service, network_slice_differentiator

Threat Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag,protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, hash, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referrer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header, url_category, rule_uuid, http_connection, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, domain_list, source_policy_group, destination_policy_group, partial_hash, event_ts, reason, description, network_slice_service

HIP Match Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, user, virtual_system_name, machine, os, source_address, match, repeat_count, match_type,FUTURE_USE, FUTURE_USE, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, ipv6_source_address, host_id, device_serial_number, hardware_address, event_ts

Global Protect Log Fields¶

FUTURE_USE, receive_ts, device_serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag, event_ts, selection_type, response_duration, gateway_priority, attempted_gateway, gateway

IPTAG Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, tag, event_id, repeat_count, duration, data_source, data_source_type, data_source_subtype, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, event_ts

SCTP Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, FUTURE_USE, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, sequence_number, FUTURE_USE, sctp_association_id, payload_protocol_id, log_level,chunk_type, FUTURE_USE, sctp_verification_tag_1, sctp_verification_tag_2, cause_code, diameter_application_id, diameter_command_code, diameter_avp_code, stream_id, reason, opcode, calling_party_ssn, calling_party_global_title, filter, chunk_count, sent_chunk, received_chunk, packet, sent_packet, received_packet, rule_uuid, event_ts

GTP Log Fields¶

FUTURE_USE, receive_ts, serial_number, FUTURE_USE, FUTURE_USE, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, log_level, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, event_ts

Authentication Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user,normalized_user, object,authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address

Tunnel Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, log_level, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, received_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason,action_source, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, group, source_list, destination_list, event_ts

User ID Log Fields¶

FUTURE_USER, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, user_id, event_id, repeat_count, timeout, source_port, destination_port, source, source_type, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, vendor, authentication_ts, factor_number, FUTURE_USE, FUTURE_USE, user_group_flag, source_user, event_ts

System Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, object, FUTURE_USE, FUTURE_USE, module, log_level, description, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, FUTURE_USE, event_ts

Decryption Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, tunnel_type, FUTURE_USE, FUTURE_USE, source_vm_uuid, destination_vm_uuid, rule_uuid, client_to_firewall_state, firewall_to_server_state, tls_version, key_exchange, cipher, algorithm, policy, ec_curve, error_index, status, chain_status, proxy, certificate_uid, certificate_hash, certificate_start_ts, certificate_end_ts, certificate_version, certificate_key_size, subject_length, issuer_length, root_length, server_length, certificate_flag, domain, issuer, root, client_host, error, container_id, pod_namespace, pod, source_list, destination_list, source_policy_group, destination_policy_group, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, sequence_number, action_flagSIG_ID=4310011

For the Palo Alto Network Firewall v10.1¶

Traffic Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, datasize, sent_datasize, received_datasize, packet, start_ts, duration, category, FUTURE_USE, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, sent_packet, received_packet, reason, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, action_source, source_vm_uuid, destination_vm_uuid, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, sctp_association_id, chunk_count, sent_chunk, received_chunk, rule_uuid, http_connection, link_count, policy_id, switch, cluster, device_type, cluster_type, site, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, source_policy_group, destination_policy_group, session_owner, event_ts, network_slice_service, network_slice_differentiator, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, is_saas_application, is_application_sanctioned, is_flow_offloaded

Threat Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, url, threat_id, category, log_level, direction, sequence_number, action_flag, source_location, destination_location, FUTURE_USE, content_type, pcap_id, hash, wildfire_cloud, url_index, user_agent, file_type, x_forwarded_for, referer, sender, subject, receiver, report_id, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, FUTURE_USE, source_vm_uuid, destination_vm_uuid, request_method, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, threat_category, version, FUTURE_USE, sctp_association_id, payload_protocol_id, header, url_category, rule_uuid, http_connection, group, xff_address, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, container_id, pod_namespace, pod, source_list, destination_list, host_id, device_serial_number, domain_list, source_policy_group, destination_policy_group, partial_hash, event_ts, reason, description, network_slice_service, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

Config Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_host, virtual_system, command, admin, client, result, path, before_change_detail, after_change_detail, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, device_group, comment

GTP Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, FUTURE_USE, FUTURE_USE, rule, FUTURE_USE, FUTURE_USE, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, FUTURE_USE, source_port, destination_port, FUTURE_USE, FUTURE_USE, FUTURE_USE, protocol, action, event_type, isdn, access_point, radio_access_technology, message_type, subscriber_address, tunnel_endpoint_identifier_1, tunnel_endpoint_identifier_2, gtp_interface, status_code, log_level, country_code, network_code, area_code, cell_id, event_code, FUTURE_USE, FUTURE_USE, source_location, destination_location, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, tunnel_id_imsi, imei, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, event_ts, network_slice_service, network_slice_differentiator, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

Authentication Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, source_address, user, normalized_user, object, authentication_policy, repeat_count, authentication_id, vendor, log_profile, server_profile, description, client_type, event_type, factor_number, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id, authentication_protocol, rule_uuid, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, source_location, FUTURE_USE, user_agent, session_id

Tunnel Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule,user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, FUTURE_USE, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, severity, sequence_number, action_flag, source_location, destination_location, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, tunnel_id_imsi, imei, parent_session_id, parent_start_ts, tunnel_type, datasize, sent_datasize, received_datasize, packet, sent_packet, received_packet, maximum_encapsulation_count, unknown_protocol_count, strict_check_count, tunnel_fragment_count, create_session_count, closed_session_count, reason, action_source, start_ts, duration, tunnel_inspection_rule, remote_user_address, remote_user_id, rule_uuid, pcap_id, group, source_list, destination_list, event_ts, network_slice_differentiator, network_slice_service, pdu_session_id, application_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

Global Protect Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, FUTURE_USE, log_ts, virtual_system, event_id, connection_status, authentication_method, tunnel_type, user, source_location, machine, source_address, ipv6_source_address, nat_source_address, nat_ipv6_source_address, host_id, device_serial_number, application_version, os, os_version, repeat_count, reason, error, description, status, portal_location, login_duration, connect_method, status_code, portal, sequence_number, action_flag, event_ts, selection_type, response_duration, gateway_priority, attempted_gateway, gateway, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id

Decryption Log Fields¶

FUTURE_USE, receive_ts, serial_number, event_category, sub_category, configuration_version, log_ts, source_address, destination_address, nat_source_address, nat_destination_address, rule, user, target_user, application, virtual_system, source_zone, destination_zone, source_interface, destination_interface, log_profile, created_ts, session_id, repeat_count, source_port, destination_port, nat_source_port, nat_destination_port, flag, protocol, action, tunnel_type, FUTURE_USE, FUTURE_USE, source_vm_uuid, destination_vm_uuid, rule_uuid, client_to_firewall_state, firewall_to_server_state, tls_version, key_exchange, cipher, algorithm, policy, ec_curve, error_index, status, chain_status, proxy, certificate_uid, certificate_hash, certificate_start_ts, certificate_end_ts, certificate_version, certificate_key_size, subject_length, issuer_length, root_length, server_length, certificate_flag, domain, issuer, root, client_host, error, container_id, pod_namespace, pod, source_list, destination_list, source_policy_group, destination_policy_group, event_ts, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_os_family, source_device_os_version, source_host, source_hardware_address, destination_device_category, destination_device_profile, destination_device_model, destination_device_vendor, destination_device_os_family, destination_device_os_version, destination_host, destination_hardware_address, sequence_number, action_flag, device_group_hierarchy_1, device_group_hierarchy_2, device_group_hierarchy_3, device_group_hierarchy_4, virtual_system_name, host, virtual_system_id,a pplication_subcategory, application_category, application_technology, application_risk, application_characteristic, application_container, application_saas, application_sanctioned_state

Helpful?