
Cortex Data Lake Schema Reference

January 2024

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2024-2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
January 30, 2024

Cortex Data Lake Schema Reference January 2024 2 ©2024 Palo Alto Networks, Inc.
Table of Contents
Schema Overview...............................................................................................7
Common Logs......................................................................................................9
Audit............................................................................................................................................. 10
Audit CEF Fields............................................................................................................ 14
Audit EMAIL Fields........................................................................................................15
Audit HTTPS Fields....................................................................................................... 16
Audit LEEF Fields...........................................................................................................17
Configuration.............................................................................................................................. 19
Configuration Syslog Default Field Order............................................................... 28
Configuration CEF Fields............................................................................................. 29
Configuration EMAIL Fields........................................................................................ 33
Configuration HTTPS Fields........................................................................................36
Configuration LEEF Fields........................................................................................... 38
System.......................................................................................................................................... 41
System Syslog Default Field Order........................................................................... 52
System CEF Fields......................................................................................................... 53
System EMAIL Fields.................................................................................................... 58
System HTTPS Fields....................................................................................................61
System LEEF Fields....................................................................................................... 63

Endpoint Logs................................................................................................... 67
GlobalProtect App Troubleshooting..................................................................................... 68
GlobalProtect App Troubleshooting Syslog Default Field Order....................... 83
GlobalProtect App Troubleshooting CEF Fields.....................................................83
GlobalProtect App Troubleshooting EMAIL Fields................................................89
GlobalProtect App Troubleshooting HTTPS Fields............................................... 92
GlobalProtect App Troubleshooting LEEF Fields...................................................95

Network Logs................................................................................................. 101


Authentication......................................................................................................................... 102
Authentication Syslog Default Field Order...........................................................115
Authentication CEF Fields.........................................................................................116
Authentication EMAIL Fields....................................................................................122
Authentication HTTPS Fields................................................................................... 126
Authentication LEEF Fields.......................................................................................129
DNS Security............................................................................................................................133
DNS Security Syslog Default Field Order............................................................. 139
DNS Security CEF Fields...........................................................................................140

DNS Security EMAIL Fields...................................................................... 142
DNS Security HTTPS Fields......................................................................................143
DNS Security LEEF Fields......................................................................................... 145
Decryption................................................................................................................................ 147
Decryption Syslog Default Field Order................................................................. 182
Decryption CEF Fields............................................................................................... 183
Decryption EMAIL Fields.......................................................................................... 197
Decryption HTTPS Fields.......................................................................................... 207
Decryption LEEF Fields..............................................................................................215
File.............................................................................................................................................. 224
File Syslog Default Field Order............................................................................... 257
File CEF Fields............................................................................................................. 258
File EMAIL Fields.........................................................................................................273
File HTTPS Fields........................................................................................................ 282
File LEEF Fields............................................................................................................289
GlobalProtect........................................................................................................................... 298
GlobalProtect Syslog Default Field Order.............................................................312
GlobalProtect CEF Fields.......................................................................................... 312
GlobalProtect EMAIL Fields......................................................................................318
GlobalProtect HTTPS Fields..................................................................................... 322
GlobalProtect LEEF Fields.........................................................................................325
HIP Match.................................................................................................................................329
HIP Match Syslog Default Field Order.................................................................. 341
HIP Match CEF Fields................................................................................................341
HIP Match EMAIL Fields........................................................................................... 346
HIP Match HTTPS Fields...........................................................................................350
HIP Match LEEF Fields.............................................................................................. 352
IPtag............................................................................................................................................356
IPtag Syslog Default Field Order.............................................................................365
IPtag CEF Fields...........................................................................................................365
IPtag EMAIL Fields......................................................................................................369
IPtag HTTPS Fields..................................................................................................... 372
IPtag LEEF Fields.........................................................................................................373
Remote Browser Isolation.................................................................................................... 377
SCTP........................................................................................................................................... 381
SCTP Syslog Default Field Order............................................................................ 409
SCTP CEF Fields.......................................................................................................... 409
SCTP EMAIL Fields..................................................................................................... 422
SCTP HTTPS Fields.....................................................................................................429
SCTP LEEF Fields........................................................................................................ 435
Threat.........................................................................................................................................443

Threat Syslog Default Field Order.......................................................... 478
Threat CEF Fields........................................................................................................479
Threat EMAIL Fields................................................................................................... 494
Threat HTTPS Fields.................................................................................................. 503
Threat LEEF Fields...................................................................................................... 511
Traffic......................................................................................................................................... 520
Traffic Syslog Default Field Order.......................................................................... 555
Traffic CEF Fields........................................................................................................ 556
Traffic EMAIL Fields................................................................................................... 572
Traffic HTTPS Fields...................................................................................................581
Traffic LEEF Fields...................................................................................................... 589
Tunnel........................................................................................................................................ 598
Tunnel Syslog Default Field Order......................................................................... 632
Tunnel CEF Fields....................................................................................................... 633
Tunnel EMAIL Fields.................................................................................................. 647
Tunnel HTTPS Fields.................................................................................................. 656
Tunnel LEEF Fields......................................................................................................664
URL............................................................................................................................................. 673
URL Syslog Default Field Order.............................................................................. 707
URL CEF Fields............................................................................................................ 708
URL EMAIL Fields....................................................................................................... 724
URL HTTPS Fields.......................................................................................................733
URL LEEF Fields.......................................................................................................... 740
UserID........................................................................................................................................ 749
UserID Syslog Default Field Order......................................................................... 760
UserID CEF Fields....................................................................................................... 760
UserID EMAIL Fields.................................................................................................. 766
UserID HTTPS Fields..................................................................................................769
UserID LEEF Fields..................................................................................................... 771

Schema Overview
You can query for log records stored in Palo Alto Networks Cortex Data Lake. Logs can be written
to the data lake by many different appliances and applications. This book describes the logs and
log fields that you can retrieve and forward.
In November 2020, Cortex Data Lake log forwarding underwent an upgrade. Log forwarding
profiles created before the upgrade were migrated to the new version. The default syslog field
order described in this guide applies only to log filters that were migrated from the previous
version. For log filters created since the migration, you specify field order using the columns when
you add a log filter.
For information on how to retrieve log records, see Explore Logs.
For information on how to forward logs, see Forwarding Logs from Cortex Data Lake.
You can work with log records in the following categories:
• Common Logs
• Endpoint Logs
• Network Logs

Common Logs
Common logs are log types that can be written by any product, application, or service that is
writing logs to Cortex Data Lake. Use the log source fields to identify the entity that wrote any
given common log record.
Available common logs are:
• Audit
• Configuration
• System


Audit
Audit logs are written to Cortex Data Lake by specific products, applications, or services. These
are used to record changes made to the service writing the logs.
The products, applications, or services that write audit logs are:
• Prisma Access Integration with Cisco Meraki SD-WAN
See the following for information related to supported log formats:
• Audit CEF Fields
• Audit EMAIL Fields
• Audit HTTPS Fields
• Audit LEEF Fields

AUDIT Field (Display Name)    Description

event_category (EVENT CATEGORY)
    The category of the event.
    • Prisma Access Integration with Cisco Meraki SD-WAN: The HTTP method that
      Prisma Access used to modify a Meraki resource. Example: GET if Prisma
      Access made a GET call.
    CEF field name: Event Category
    EMAIL field name: Event Category
    HTTPS field name: Event Category
    LEEF field name: Event Category

event_description (EVENT DESCRIPTION)
    A description of the event.
    • Prisma Access Integration with Cisco Meraki SD-WAN: The modification that
      Prisma Access made to the Meraki resource. Example:
      Update Non Meraki VPN Peer N_354359432522
    CEF field name: Event Description
    EMAIL field name: Event Description
    HTTPS field name: Event Description
    LEEF field name: Event Description

event_dest_url (EVENT DESTINATION URL)
    The URL related to the destination.
    CEF field name: Event Destination URL
    EMAIL field name: Event Destination URL
    HTTPS field name: Event Destination URL
    LEEF field name: Event Destination URL

event_dest_vendor (DESTINATION VENDOR)
    Name of the service that sent the log to Cortex Data Lake.
    CEF field name: Destination Vendor
    EMAIL field name: Destination Vendor
    HTTPS field name: Destination Vendor
    LEEF field name: Destination Vendor

event_detail (EVENT DETAILS)
    Details about the event.
    • Prisma Access Integration with Cisco Meraki SD-WAN: The Event Category
      followed by details about the kind of change made and the ID of the
      object receiving the change. Example:
      UPDATE performed on API set appliance and objectID 1274905
    CEF field name: Event Details
    EMAIL field name: Event Details
    HTTPS field name: Event Details
    LEEF field name: Event Details

event_name (EVENT NAME)
    The name associated with an event.
    • Prisma Access Integration with Cisco Meraki SD-WAN: The Meraki resource
      that Prisma Access acted on. Example: updateDevice if Prisma Access made
      an API call to update a device.
    CEF field name: Event Name
    EMAIL field name: Event Name
    HTTPS field name: Event Name
    LEEF field name: Event Name

event_result (EVENT RESULT)
    The result of an event.
    • Prisma Access Integration with Cisco Meraki SD-WAN: The response code
      returned from a Meraki API. Example: 200 if the request was successful.
    CEF field name: Event Result
    EMAIL field name: Event Result
    HTTPS field name: Event Result
    LEEF field name: Event Result

event_time (EVENT TIME)
    Time when the log was generated.
    • Prisma Access Integration with Cisco Meraki SD-WAN: The time, in UTC, when
      Prisma Access invoked the Meraki API. Example:
      2023-03-26 16:52:19
    CEF field name: Event Time
    EMAIL field name: Event Time
    HTTPS field name: Event Time
    LEEF field name: Event Time

log_source (LOG SOURCE)
    Identifies the origin of the data. That is, the system that produced the
    data.
    CEF field name: Log Source
    EMAIL field name: Log Source
    HTTPS field name: Log Source
    LEEF field name: Log Source

log_source_group_id (LOG SOURCE GROUP ID)
    ID that uniquely identifies the logSourceGroupId of the log. That is, the
    log source Id of the group.
    CEF field name: LogSourceGroupID
    EMAIL field name: LogSourceGroupID
    HTTPS field name: LogSourceGroupID
    LEEF field name: LogSourceGroupID

log_source_id (LOG SOURCE ID)
    Unique identifier of the log source. For example, if a firewall generated
    the log, this would be the serial number of the firewall.
    CEF field name: Log Source ID
    EMAIL field name: Log Source ID
    HTTPS field name: Log Source ID
    LEEF field name: Log Source ID

log_time (LOG TIME)
    Time the log was received in Cortex Data Lake. This is populated by the
    platform.
    CEF field name: Log Time
    EMAIL field name: Log Time
    HTTPS field name: Log Time
    LEEF field name: Log Time

log_type.value (LOG TYPE)
    Identifies the log type.
    CEF field name: Log Type
    EMAIL field name: Log Type
    HTTPS field name: Log Type
    LEEF field name: Log Type

platform_type (PLATFORM TYPE)
    The platform type (Valid types are VM, PA, NGFW, CNGFW).
    CEF field name: PlatformType
    EMAIL field name: PlatformType
    HTTPS field name: PlatformType
    LEEF field name: PlatformType

sub_type.value (SUBTYPE)
    Identifies the log subtype.
    CEF field name: Subtype
    EMAIL field name: Subtype
    HTTPS field name: Subtype
    LEEF field name: Subtype

vendor_name (VENDOR NAME)
    Identifies the vendor that produced the data.
    CEF field name: Vendor Name
    EMAIL field name: Vendor Name
    HTTPS field name: Vendor Name
    LEEF field name: Vendor Name

vendor_severity.value (VENDOR SEVERITY)
    Severity associated with the event.
    CEF field name: Vendor Severity
    EMAIL field name: Vendor Severity
    HTTPS field name: Vendor Severity
    LEEF field name: Vendor Severity

Audit CEF Fields


The following table identifies the Audit field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name                 Field Details
Event Category           Query Name: event_category; Header Type: Custom
Event Description        Query Name: event_description; Header Type: Custom
Event Destination URL    Query Name: event_dest_url; Header Type: Custom
Destination Vendor       Query Name: event_dest_vendor; Header Type: Custom
Event Details            Query Name: event_detail; Header Type: Custom
Event Name               Query Name: event_name; Header Type: Custom

Event Result             Query Name: event_result; Header Type: Custom
Event Time               Query Name: event_time; Header Type: Custom
Log Source               Query Name: log_source; Header Type: Custom
LogSourceGroupID         Query Name: log_source_group_id; Header Type: Custom; Max Length: 255
Log Source ID            Query Name: log_source_id; Header Type: Custom
Log Time                 Query Name: log_time; Header Type: Custom
Log Type                 Query Name: log_type.value; Header Type: Custom
PlatformType             Query Name: platform_type; Header Type: Custom
Subtype                  Query Name: sub_type.value; Header Type: Custom
Vendor Name              Query Name: vendor_name; Header Type: Custom
Vendor Severity          Query Name: vendor_severity.value; Header Type: Custom

Audit EMAIL Fields


The following table identifies the Audit field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.


EMAIL Name Query Name

Event Category event_category

Event Description event_description

Event Destination URL event_dest_url

Destination Vendor event_dest_vendor

Event Details event_detail

Event Name event_name

Event Result event_result

Event Time event_time

Log Source log_source

LogSourceGroupID log_source_group_id

Log Source ID log_source_id

Log Time log_time

Log Type log_type.value

PlatformType platform_type

Subtype sub_type.value

Vendor Name vendor_name

Vendor Severity vendor_severity.value

Audit HTTPS Fields


The following table identifies the Audit field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

Event Category event_category

Event Description event_description


Event Destination URL event_dest_url

Destination Vendor event_dest_vendor

Event Details event_detail

Event Name event_name

Event Result event_result

Event Time event_time

Log Source log_source

LogSourceGroupID log_source_group_id

Log Source ID log_source_id

Log Time log_time

Log Type log_type.value

PlatformType platform_type

Subtype sub_type.value

Vendor Name vendor_name

Vendor Severity vendor_severity.value

Audit LEEF Fields


The following table identifies the Audit field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears on a parameter
called profileToken.

LEEF Name Query Name Field Type

Event Category event_category Custom


Event Description event_description Custom

Event Destination URL event_dest_url Custom

Destination Vendor event_dest_vendor Custom

Event Details event_detail Custom

Event Name event_name Custom

Event Result event_result Custom

Event Time event_time Custom

Log Source log_source Custom

LogSourceGroupID log_source_group_id Custom

Log Source ID log_source_id Custom

Log Time log_time Custom

Log Type log_type.value Custom

PlatformType platform_type Custom

Subtype sub_type.value Custom

Vendor Name vendor_name Custom

Vendor Severity vendor_severity.value Custom
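The syslog-profile note above says that an optional profile token is carried on a parameter called profileToken, placed right after the log type. As an added example, not code from the Cortex Data Lake documentation or from the Log Forwarding app, the following Python parser splits a LEEF 1.0 or 2.0 line into its header fields and an attribute dictionary and exposes that token, handling the LEEF 2.0 delimiter field (literal or hex), pipes escaped inside header fields, and a leading syslog prefix. The two sample lines are constructed: the vendor, product, version and token values are placeholders, and the attribute names are the Audit LEEF names from the table above.

```python
"""Parse LEEF 1.0 / 2.0 lines into header fields plus an attribute dictionary.

Added example, not code from the Cortex Data Lake documentation or the Log
Forwarding app. The header layout is the public LEEF format; attribute names
in the samples are the Audit LEEF names from the table above; vendor, product,
version and token values are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Split on "|" unless it is escaped as "\|" (LEEF escapes pipes inside header fields).
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str  # the log type slot, e.g. AUDIT, CONFIG, TRAFFIC
    attrs: dict[str, str] = field(default_factory=dict)

    @property
    def profile_token(self) -> str | None:
        """The optional syslog-profile token, carried on the profileToken parameter."""
        return self.attrs.get("profileToken")


def _decode_delimiter(spec: str) -> str:
    """LEEF 2.0 names the attribute delimiter literally ("^") or as hex ("x09" / "0x09");
    an empty delimiter field means tab."""
    if spec == "":
        return "\t"
    hex_match = re.fullmatch(r"(?:0?x)([0-9A-Fa-f]{2})", spec)
    if hex_match:
        return chr(int(hex_match.group(1), 16))
    if len(spec) == 1:
        return spec
    raise ValueError(f"unsupported LEEF delimiter spec: {spec!r}")


def _unescape_header(value: str) -> str:
    return value.replace("\\|", "|")


def parse_leef(line: str) -> LeefEvent:
    """Parse one LEEF line; raises ValueError on a malformed header."""
    line = line.rstrip("\r\n")
    # Tolerate a syslog priority/timestamp/host prefix before the LEEF marker.
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    body = line[start:]
    version = body[5:8]
    if version == "2.0":
        parts = _UNESCAPED_PIPE.split(body, maxsplit=6)
        if len(parts) != 7:
            raise ValueError("LEEF 2.0 header needs vendor, product, version, event id and delimiter")
        _, vendor, product, product_version, event_id, delim_spec, attr_text = parts
        delimiter = _decode_delimiter(delim_spec)
    elif version == "1.0":
        parts = _UNESCAPED_PIPE.split(body, maxsplit=5)
        if len(parts) != 6:
            raise ValueError("LEEF 1.0 header needs vendor, product, version and event id")
        _, vendor, product, product_version, event_id, attr_text = parts
        delimiter = "\t"
    else:
        raise ValueError(f"unsupported LEEF version: {version!r}")

    attrs: dict[str, str] = {}
    for chunk in attr_text.split(delimiter):
        if not chunk:
            continue
        key, sep, value = chunk.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {chunk!r}")
        attrs[key.strip()] = value
    return LeefEvent(
        version,
        _unescape_header(vendor),
        _unescape_header(product),
        _unescape_header(product_version),
        _unescape_header(event_id),
        attrs,
    )


# Constructed sample lines (not captured from a real tenant). In the first one the
# profileToken parameter follows the AUDIT log type, as the note above describes.
SAMPLE_AUDIT_WITH_TOKEN = (
    "LEEF:2.0|Palo Alto Networks|LogForwarding|1.0|AUDIT|^|"
    "profileToken=tok-example-0001^Event Category=PUT^Event Name=updateDevice^"
    "Event Result=200^Log Source=Prisma Access^Vendor Severity=informational"
)
SAMPLE_AUDIT_NO_TOKEN = (
    "<14>Jan 30 12:00:00 collector LEEF:1.0|Palo Alto Networks|LogForwarding|1.0|AUDIT|"
    "Event Category=GET\tEvent Name=getDevice\tEvent Result=200"
)

if __name__ == "__main__":
    for sample in (SAMPLE_AUDIT_WITH_TOKEN, SAMPLE_AUDIT_NO_TOKEN):
        event = parse_leef(sample)
        print(event.event_id, event.profile_token, event.attrs)
```

A collector that keys on the token (for example to confirm a line came from the expected forwarding profile) reads `profile_token` and treats `None` as "no profile token configured" rather than as an error, since the token is optional.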


Configuration
Config logs are common to any product, application, or service that writes to Cortex Data Lake.
These are used to record changes made to the writing entity. Usually config logs are written
infrequently and it is possible that they will age-out of Cortex Data Lake, depending on quota
levels, so that none are available if you query for them.
For example, Cortex Data Lake quotas are defined by collections, or buckets, that encompass
many types of logs. Next-generation firewall config logs are placed in the Infrastructure
and Audit quota bucket. They share this bucket with system logs, which the firewall writes
considerably more frequently than config logs.
As a specific quota fills up in Cortex Data Lake, older logs are automatically removed to make
space for new logs (that is, they age-out). Consequently, as system logs are written and the
Infrastructure and Audit quota is met, older logs (including config logs) are automatically
removed. If the firewall's configuration is stable so that it is not changing very often, you might
not find any config logs in Cortex Data Lake, even if the firewall is forwarding them to the data
lake.
See the following for information related to supported log formats:
• Configuration Syslog Default Field Order
• Configuration CEF Fields
• Configuration EMAIL Fields
• Configuration HTTPS Fields
• Configuration LEEF Fields
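The Configuration table that follows gives, for each query name, the CEF key the Log Forwarding app uses (duser, dntdom, duid, destinationServiceName, act, msg, and src or c6a2 or shost for the client address) and states that event_time is microseconds since the Unix epoch. As an added example, not code from this documentation or from the Log Forwarding app, the following Python renders a Configuration record (a constructed dict keyed by query name) as a CEF line with the header and extension escaping the CEF format requires. The header vendor, product, version and signature-id values and the severity are placeholders, and treating src as IPv4, c6a2 as IPv6 and shost as a hostname is an assumption made for this example.

```python
"""Render a Cortex Data Lake Configuration log record as a CEF line.

Added example; not code from the Cortex Data Lake documentation or the Log
Forwarding app. Extension keys are the CEF field names from the Configuration
table; header vendor/product/version/signature-id and severity are placeholders;
src for IPv4, c6a2 for IPv6 and shost for a hostname is an assumption.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

# Query name -> CEF extension key, as listed in the Configuration table.
# admin_user_info.name also maps to duser on the page; only admin_user is kept
# here so a record never emits the same key twice.
CONFIG_QUERY_TO_CEF = {
    "admin_user": "duser",
    "admin_user_info.domain": "dntdom",
    "admin_user_info.uuid": "duid",
    "client.value": "destinationServiceName",
    "config_version.value": "PanOSConfigVersion",
    "customer_id": "PanOSTenantID",
    "device_group.value": "PanOSDeviceGroup",
    "event_description": "PanOSEventDescription",
    "event_detail": "PanOSEventDetails",
    "event_name.value": "act",
    "event_path": "msg",
    "event_result.value": "PanOSEventResult",
    "is_dup_log": "PanOSIsDuplicateLog",
    "is_exported": "PanOSLogExported",
}


def cef_header_escape(value: str) -> str:
    """Header fields: backslash and pipe are escaped with a backslash."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value: str) -> str:
    """Extension values: backslash and '=' are escaped; CR/LF become \\r / \\n."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def client_address_key(value: str) -> str:
    """Pick src (IPv4), c6a2 (IPv6) or shost (hostname) for event_client_ip.value.
    Assumption for this example: the table's 'src or c6a2 or shost' corresponds
    to these three kinds of value."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "shost"
    return "src" if addr.version == 4 else "c6a2"


def event_time_to_utc(microseconds: int) -> str:
    """event_time is microseconds since the Unix epoch (per the table)."""
    dt = datetime.fromtimestamp(microseconds // 1_000_000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def config_record_to_cef(record: dict, severity: int = 3) -> str:
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extensions'."""
    header = "|".join(cef_header_escape(h) for h in (
        "Palo Alto Networks",                       # placeholder vendor
        "Cortex Data Lake",                         # placeholder product
        "1.0",                                      # placeholder version
        "CONFIG",                                   # placeholder signature id
        record.get("event_name.value", "config"),   # event name
        str(severity),                              # placeholder severity
    ))
    ext = []
    for query_name, cef_key in CONFIG_QUERY_TO_CEF.items():
        value = record.get(query_name)
        if value not in (None, ""):
            ext.append(f"{cef_key}={cef_ext_escape(str(value))}")
    if "event_client_ip.value" in record:
        ip = record["event_client_ip.value"]
        ext.append(f"{client_address_key(ip)}={cef_ext_escape(ip)}")
    if "event_time" in record:
        ext.append(f"PanOSEventTime={event_time_to_utc(int(record['event_time']))}")
    return "CEF:0|" + header + "|" + " ".join(ext)


# Constructed sample record (not from a real tenant); the event_path value
# contains '=' so the extension escaping is exercised.
SAMPLE_CONFIG_RECORD = {
    "admin_user": "admin",
    "admin_user_info.domain": "corp",
    "client.value": "Web",
    "event_name.value": "edit",
    "event_path": "set rulebase security rules allow-web action=allow",
    "event_result.value": "Succeeded",
    "event_client_ip.value": "203.0.113.10",
    "event_time": 1706616000000000,  # 2024-01-30 12:00:00 UTC
    "is_dup_log": "no",
}

if __name__ == "__main__":
    print(config_record_to_cef(SAMPLE_CONFIG_RECORD))
```

The escaping matters for the msg extension in particular: a configuration path that contains `=` would otherwise be split into a bogus extra key by a CEF consumer, which is a common source of silently misparsed config-change events.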

CONFIGURATION Field (Display Name)    Description

admin_user (ADMIN USERNAME)
    Username of the administrator performing the configuration.
    Syslog field name: Syslog Field Order
    CEF field name: duser
    EMAIL field name: AdminUsername
    HTTPS field name: AdminUsername
    LEEF field name: AdminUsername

admin_user_info.domain (ADMIN USER DOMAIN)
    Domain to which the admin user belongs.
    CEF field name: dntdom
    EMAIL field name: AdminUserDomain
    HTTPS field name: AdminUserDomain
    LEEF field name: AdminUserDomain

admin_user_info.name (ADMIN USER)
    Name of the user who created the configuration change.
    CEF field name: duser
    EMAIL field name: AdminUserName
    HTTPS field name: AdminUserName
    LEEF field name: AdminUserName

admin_user_info.uuid (ADMIN USER UUID)
    The admin user's unique ID.
    CEF field name: duid
    EMAIL field name: AdminUserUUID
    HTTPS field name: AdminUserUUID
    LEEF field name: AdminUserUUID

client.value (CLIENT)
    Client used by the administrator who is performing the configuration.
    Syslog field name: Syslog Field Order
    CEF field name: destinationServiceName
    EMAIL field name: Client
    HTTPS field name: Client
    LEEF field name: Client

config_version.value (CONFIG VERSION)
    Config version converted to string represented as major.minor.patch.build
    in value and as hex in id.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSConfigVersion
    EMAIL field name: ConfigVersion
    HTTPS field name: ConfigVersion
    LEEF field name: ConfigVersion

customer_id (TENANT ID)
    The ID that uniquely identifies the Cortex Data Lake instance which
    received this log record.
    CEF field name: PanOSTenantID
    EMAIL field name: TenantID
    HTTPS field name: TenantID
    LEEF field name: TenantID

device_group.value (DEVICE GROUP)
    The ID and the name of the device group the firewall is in.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDeviceGroup
    EMAIL field name: DeviceGroup
    HTTPS field name: DeviceGroup
    LEEF field name: DeviceGroup

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
    A sequence of identification numbers that indicate the device group's
    location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel1
    EMAIL field name: DGHierarchyLevel1
    HTTPS field name: DGHierarchyLevel1
    LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
    A sequence of identification numbers that indicate the device group's
    location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel2
    EMAIL field name: DGHierarchyLevel2
    HTTPS field name: DGHierarchyLevel2
    LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
    A sequence of identification numbers that indicate the device group's
    location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel3
    EMAIL field name: DGHierarchyLevel3
    HTTPS field name: DGHierarchyLevel3
    LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
    A sequence of identification numbers that indicate the device group's
    location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel4
    EMAIL field name: DGHierarchyLevel4
    HTTPS field name: DGHierarchyLevel4
    LEEF field name: DGHierarchyLevel4

event_client_ip.value (IP ADDRESS)
    Hostname or IP address of the client.
    Syslog field name: Syslog Field Order
    CEF fields: src or c6a2 or shost
    EMAIL field name: IPaddress
    HTTPS field name: IPaddress
    LEEF field name: IPaddress

event_description (EVENT DESCRIPTION)
    Description of the system event. If the source is a firewall, this is
    opaque. If the source is TMS, this is the msgTextEn field.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSEventDescription
    EMAIL field name: EventDescription
    HTTPS field name: EventDescription
    LEEF field name: EventDescription

event_detail (EVENT DETAILS)
    Identifies the firewall's configuration prior to and immediately after the
    configuration change.
    CEF field name: PanOSEventDetails
    EMAIL field name: EventDetails
    HTTPS field name: EventDetails
    LEEF field name: EventDetails

event_name.value (EVENT NAME)
    Name of the system event.
    Syslog field name: Syslog Field Order
    CEF field name: act
    EMAIL field name: EventName
    HTTPS field name: EventName
Cortex Data Lake Schema Reference January 2024 22 ©2024 Palo Alto Networks, Inc.
Common Logs

CONFIGURATION Field Description


(Display Name)
LEEF field name: EventID

event_path The path of the configuration command issued.


(EVENT PATH) Syslog field name: Syslog Field Order
CEF field name: msg
EMAIL field name: EventPath
HTTPS field name: EventPath
LEEF field name: EventPath

event_result.value Result of the configuration action.


(EVENT RESULT) Syslog field name: Syslog Field Order
CEF field name: PanOSEventResult
EMAIL field name: EventResult
HTTPS field name: EventResult
LEEF field name: EventID

event_time Time when the log was generated on the firewall's data
plane. This string contains a timestamp value that is the
(EVENT TIME)
number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: PanOSEventTime
EMAIL field name: EventTime
HTTPS field name: EventTime
LEEF field name: devTime

is_dup_log Indicates whether this log data is available in multiple


locations, such as from Cortex Data Lake as well as from
(IS DUPLICATE LOG)
an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog

is_exported Indicates if this log was exported from the firewall using
the firewall's log export function.
(LOG EXPORTED)
CEF field name: PanOSLogExported

Cortex Data Lake Schema Reference January 2024 23 ©2024 Palo Alto Networks, Inc.
Common Logs

CONFIGURATION Field Description


(Display Name)
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported

is_prisma_branch If set to 1, the log was generated on a cloud-based


firewall. If 0, the firewall was running on-premise.
(IS PRISMA NETWORK)
CEF field name: PanOSIsPrismaNetwork
EMAIL field name: IsPrismaNetwork
HTTPS field name: IsPrismaNetwork
LEEF field name: IsPrismaNetwork

is_prisma_mobile If set to 1, the log record was generated using a cloud-


based GlobalProtect instance. If 0, GlobalProtect was
(IS PRISMA USERS)
hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers

log_category.value The log category.


(LOG CATEGORY) CEF field name: cat
EMAIL field name: LogCategory
HTTPS field name: LogCategory
LEEF field name: LogCategory

log_source Identifies the origin of the data. That is, the system that
produced the data.
(LOG SOURCE)
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource

log_source_group_id ID that uniquely identifies the logSourceGroupId of the


log. That is, the log_source_id of the group.
(LOG SOURCE GROUP ID)
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID

Cortex Data Lake Schema Reference January 2024 24 ©2024 Palo Alto Networks, Inc.
Common Logs

CONFIGURATION Field Description


(Display Name)
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID

log_source_id ID that uniquely identifies the source of the log. If the


source is a firewall, this is its serial number. If the source
(LOG SOURCE ID)
is TMS, this is the trapsId.
If the log is generated by Prisma Access, the serial
number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: LogSourceID
HTTPS field name: LogSourceID
LEEF field name: LogSourceID

log_source_name Name of the source of the log. If the source is a firewall,


this is the device_name value. If the source is TMS, this
(LOG SOURCE NAME)
is either the customer or tenant name.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: LogSourceName
HTTPS field name: LogSourceName
LEEF field name: LogSourceName

log_source_tz_offset Time Zone offset from GMT of the source of the log.
(LOG SOURCE TIMEZONE OFFSET) CEF field name: PanOSLogSourceTimeZoneOffset
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset

log_time Time the log was received in Cortex Data Lake. This is
populated by the platform.
(LOG TIME)
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: LogTime
HTTPS field name: LogTime

Cortex Data Lake Schema Reference January 2024 25 ©2024 Palo Alto Networks, Inc.
Common Logs

CONFIGURATION Field Description


(Display Name)
LEEF field name: LogTime

log_type.value Specifies the log type. Possible field values are: traffic,
config, system, threat, appstat, trsum, thsum, event,
(LOG TYPE)
alarm, hipmatch, userid, iptag, mdm, extpcap, urlsum,
gtp, gtpsum, auth, panflex, extflex, sctp, sctpsum,
analytics, action, scan, sam.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat

panorama_serial Panorama Serial associated with CDL.


(PANORAMA SN) CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN

platform_type The platform type (Valid types are VM, PA, NGFW,
CNGFW).
(PLATFORM TYPE)
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType

sequence_no The log entry identifier, which is incremented


sequentially. Each log type has a unique number space.
(SEQUENCE NO)
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo

severity Severity as defined by the platform.


(SEVERITY) CEF field name: PanOSSeverity

Cortex Data Lake Schema Reference January 2024 26 ©2024 Palo Alto Networks, Inc.
Common Logs

CONFIGURATION Field Description


(Display Name)
EMAIL field name: Severity
HTTPS field name: Severity
LEEF field name: Severity

sub_type.value The log sub type. Possible values are: start, end, drop,
deny, netflow.
(SUB TYPE)
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType

template.value The ID and name of the template/template stack


to which the firewall belonged where the log was
(TEMPLATE)
generated.
Syslog field name: Syslog Field Order
CEF field name: PanOSTemplate
EMAIL field name: Template
HTTPS field name: Template
LEEF field name: Template

time_generated_high_res Time the log was generated in data plane


with millisec granularity in format YYYY-MM-
(TIME GENERATED HIGH
DDTHH:MM:SS[.DDDDDD]Z.
RESOLUTION)
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

vendor_name Identifies the vendor that produced the data.


(VENDOR NAME) CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

Cortex Data Lake Schema Reference January 2024 27 ©2024 Palo Alto Networks, Inc.
Common Logs

CONFIGURATION Field Description


(Display Name)

vendor_severity.value Severity associated with the event.


(VENDOR SEVERITY) CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity

vsys String representation of the unique identifier for a


virtual system on a Palo Alto Networks firewall.
(VIRTUAL LOCATION)
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

vsys_id A unique identifier for a virtual system on a Palo Alto


Networks firewall.
(VIRTUAL SYSTEM ID)
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name The name of the virtual system associated with the


network traffic.
(VIRTUAL SYSTEM NAME)
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

Configuration Syslog Default Field Order

Example Configuration log in Syslog:

Oct 13 20:56:15 gke-standard-cluster-2-pool-1-6ea9f13a-fnid 394 <142>1 2020-10-13T20:56:15.519Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - 1,2020-10-13T20:56:03.000000Z,007051000113358,CONFIG,config,,2020-10-13T20:56:00.000000Z,xxx.xx.x.xx,,rename,admin,,submitted,/config/shared/log-settings/globalprotect/match-list/entry[@name='rs-globalprotect'],150,-9223372036854775808,0,0,0,0,,PA-VM,,,,2020-10-13T20:56:00.284000Z

The following identifies the default field order for filters migrated from an earlier version of the log forwarding application. For log filters created after that migration, you specify the field order when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.

HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value, event_time, event_client_ip.value, vsys, event_name.value, admin_user, client.value, event_result.value, event_path, sequence_no, action_flags, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, device_group.value, event_description, template.value, time_generated_high_res
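The default field order above is positional, so a consumer has to locate the comma-separated payload behind the RFC 5424 syslog framing and then zip the values onto the 26 names. The following is an added example, not code from the Log Forwarding app or this reference; it reuses the example log line above (with its placeholder IP and serial), keys on the "panwlogs -" msgid/structured-data pair seen in that line to find the payload, and refuses records whose column count does not match the default order, which is what a filter with a custom column selection produces. The function and constant names (parse_config_syslog, change_summary, CONFIG_SYSLOG_FIELDS) are the example's own.

```python
import csv
from typing import Dict, List

# Default Configuration-log field order from this reference. The HEADER
# column is the leading "1" visible in the example line.
CONFIG_SYSLOG_FIELDS: List[str] = [
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "event_time", "event_client_ip.value", "vsys",
    "event_name.value", "admin_user", "client.value", "event_result.value",
    "event_path", "sequence_no", "action_flags", "dg_hier_level_1",
    "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4", "vsys_name",
    "log_source_name", "device_group.value", "event_description",
    "template.value", "time_generated_high_res",
]

# The example line from this section, joined onto one line; the client IP
# and serial number are the placeholders the reference itself uses.
SAMPLE_LINE = (
    "Oct 13 20:56:15 gke-standard-cluster-2-pool-1-6ea9f13a-fnid 394 <142>1 "
    "2020-10-13T20:56:15.519Z stream-logfwd20-156653024-10121421-eq28-harness-16kn "
    "logforwarder - panwlogs - "
    "1,2020-10-13T20:56:03.000000Z,007051000113358,CONFIG,config,,"
    "2020-10-13T20:56:00.000000Z,xxx.xx.x.xx,,rename,admin,,submitted,"
    "/config/shared/log-settings/globalprotect/match-list/entry[@name='rs-globalprotect'],"
    "150,-9223372036854775808,0,0,0,0,,PA-VM,,,,2020-10-13T20:56:00.284000Z"
)

# RFC 5424 MSGID "panwlogs" followed by "-" (empty structured data); the
# CSV payload starts right after it. Assumed from the example line.
MSGID_MARKER = " panwlogs - "


def extract_csv_body(line: str) -> str:
    """Return the comma-separated payload that follows the syslog header."""
    _head, sep, body = line.partition(MSGID_MARKER)
    if not sep:
        raise ValueError("no 'panwlogs' msgid found; not a Log Forwarding syslog line")
    return body.strip()


def parse_config_syslog(line: str) -> Dict[str, str]:
    """Map a CONFIG syslog line onto the default field order.

    The csv module is used so that a quoted event_path containing commas
    stays one field. A column-count mismatch is reported rather than
    silently shifting every later field onto the wrong name.
    """
    values = next(csv.reader([extract_csv_body(line)]))
    if len(values) != len(CONFIG_SYSLOG_FIELDS):
        raise ValueError(
            f"expected {len(CONFIG_SYSLOG_FIELDS)} columns, got {len(values)}"
        )
    record = dict(zip(CONFIG_SYSLOG_FIELDS, values))
    if record["log_type.value"] != "CONFIG":
        raise ValueError(f"not a CONFIG log: {record['log_type.value']!r}")
    return record


def change_summary(record: Dict[str, str]) -> str:
    """One-line audit summary: who changed which config node, from where, with what result."""
    return (
        f"{record['event_time']} {record['log_source_name']}"
        f"({record['log_source_id']}) admin={record['admin_user']} "
        f"from={record['event_client_ip.value']} action={record['event_name.value']} "
        f"result={record['event_result.value']} path={record['event_path']}"
    )


if __name__ == "__main__":
    print(change_summary(parse_config_syslog(SAMPLE_LINE)))
```

For a change-audit pipeline the fields worth keeping together are admin_user, event_client_ip.value, event_name.value, event_result.value and event_path: together they answer who changed what, from where, and whether the change was accepted, and sequence_no lets you spot gaps in the per-log-type number space.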

Configuration CEF Fields

Example Configuration log in CEF:

Mar 1 20:35:56 xxx.xx.x.xx 928 <14>1 2021-03-01T20:35:56.500Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|CONFIG|config|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 deviceExternalId=xxxxxxxxxxxxx PanOSEventTime=Jul 25 2019 23:30:12 duser= dntdom= duid= PanOSEventDetails= PanOSIsDuplicateLog=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false cat=xxxxx PanOSLogExported=false PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSeverity= PanOSTenantID=xxxxxxxxxxxxx PanOSVirtualSystemID=0 src=xxx.xx.x.xx cs3= cs3Label=VirtualLocation act=commit-all duser0=Panorama-admin destinationServiceName= PanOSEventResult=submitted msg= externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=0 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName=<{xwo X dvchost=PA-VM PanOSEventDescription=\r_IYr0r PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12
The following table identifies the Configuration field names that the Log Forwarding app uses when you forward logs using the CEF log format.

CEF Name and Field Details

duser
  Query Name: admin_user
  Header Type: Predefined
  Max Length: 1023

dntdom
  Query Name: admin_user_info.domain
  Header Type: Predefined
  Max Length: 1023

duser
  Query Name: admin_user_info.name
  Header Type: Predefined
  Max Length: 1023

duid
  Query Name: admin_user_info.uuid
  Header Type: Predefined
  Max Length: 1023

destinationServiceName
  Query Name: client.value
  Header Type: Predefined
  Max Length: 1023

PanOSConfigVersion
  Query Name: config_version.value
  Header Type: Custom

PanOSTenantID
  Query Name: customer_id
  Header Type: Custom

PanOSDeviceGroup
  Query Name: device_group.value
  Header Type: Custom

PanOSDGHierarchyLevel1
  Query Name: dg_hier_level_1
  Header Type: Custom

PanOSDGHierarchyLevel2
  Query Name: dg_hier_level_2
  Header Type: Custom

PanOSDGHierarchyLevel3
  Query Name: dg_hier_level_3
  Header Type: Custom

PanOSDGHierarchyLevel4
  Query Name: dg_hier_level_4
  Header Type: Custom

src or c6a2 or shost
  Query Name: event_client_ip.value
  Header Type: Predefined
  Label: || c6a2Label ||
  Label Text: || Source IPv6 Address ||

PanOSEventDescription
  Query Name: event_description
  Header Type: Custom

PanOSEventDetails
  Query Name: event_detail
  Header Type: Custom

act
  Query Name: event_name.value
  Header Type: Predefined
  Max Length: 63

msg
  Query Name: event_path
  Header Type: Predefined
  Max Length: 1023

PanOSEventResult
  Query Name: event_result.value
  Header Type: Custom

PanOSEventTime
  Query Name: event_time
  Header Type: Custom

PanOSIsDuplicateLog
  Query Name: is_dup_log
  Header Type: Custom

PanOSLogExported
  Query Name: is_exported
  Header Type: Custom

PanOSIsPrismaNetwork
  Query Name: is_prisma_branch
  Header Type: Custom

PanOSIsPrismaUsers
  Query Name: is_prisma_mobile
  Header Type: Custom

cat
  Query Name: log_category.value
  Header Type: Predefined
  Max Length: 1023

PanOSLogSource
  Query Name: log_source
  Header Type: Custom

LogSourceGroupID
  Query Name: log_source_group_id
  Header Type: Custom
  Max Length: 255

deviceExternalId
  Query Name: log_source_id
  Header Type: Predefined
  Max Length: 255

dvchost
  Query Name: log_source_name
  Header Type: Predefined
  Max Length: 100

PanOSLogSourceTimeZoneOffset
  Query Name: log_source_tz_offset
  Header Type: Custom

rt
  Query Name: log_time
  Header Type: Predefined

Device Event Class ID
  Query Name: log_type.value
  Header Type: Custom

PanOSPanoramaSN
  Query Name: panorama_serial
  Header Type: Custom

PlatformType
  Query Name: platform_type
  Header Type: Custom

externalId
  Query Name: sequence_no
  Header Type: Predefined
  Max Length: 40

PanOSSeverity
  Query Name: severity
  Header Type: Custom

Name
  Query Name: sub_type.value
  Header Type: Custom

PanOSTemplate
  Query Name: template.value
  Header Type: Custom

PanOSTimeGeneratedHighResolution
  Query Name: time_generated_high_res
  Header Type: Custom

Device Vendor
  Query Name: vendor_name
  Header Type: Custom

PanOSVendorSeverity
  Query Name: vendor_severity.value
  Header Type: Custom

cs3
  Query Name: vsys
  Header Type: Predefined
  Label: cs3Label
  Label Text: VirtualLocation
  Max Length: 4000

PanOSVirtualSystemID
  Query Name: vsys_id
  Header Type: Custom

PanOSVirtualSystemName
  Query Name: vsys_name
  Header Type: Custom
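The CEF mapping above has two parts a consumer must handle: three query names (vendor_name, log_type.value, sub_type.value) travel in the pipe-delimited header rather than in the extension, and the predefined custom string cs3 only means vsys because the companion key cs3Label carries the text VirtualLocation. The following is an added example, not code from the Log Forwarding app or this reference. It parses a CEF record into header and extension, resolves csNLabel pairs, and renames the extension keys listed in the table to their query names; CEF_KEY_TO_QUERY holds that subset of the table, and the sample record is constructed after the example above with a non-empty cs3 value so that label resolution has something to show. Function names (parse_cef, resolve_labels, to_query_names) are the example's own.

```python
import re
from typing import Dict, Tuple

# CEF header positions: CEF:Version|Device Vendor|Device Product|Device Version|
# Device Event Class ID|Name|Severity|Extension. This reference maps Device
# Vendor to vendor_name, Device Event Class ID to log_type.value and Name to
# sub_type.value.
CEF_HEADER_NAMES = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "device_event_class_id", "name", "severity",
)

# Extension keys and their query names, taken from the CEF table above.
CEF_KEY_TO_QUERY: Dict[str, str] = {
    "deviceExternalId": "log_source_id",
    "rt": "log_time",
    "PanOSEventTime": "event_time",
    "src": "event_client_ip.value",
    "act": "event_name.value",
    "msg": "event_path",
    "PanOSEventResult": "event_result.value",
    "externalId": "sequence_no",
    "dvchost": "log_source_name",
    "PanOSDGHierarchyLevel1": "dg_hier_level_1",
    "PanOSDGHierarchyLevel2": "dg_hier_level_2",
    "PanOSDGHierarchyLevel3": "dg_hier_level_3",
    "PanOSDGHierarchyLevel4": "dg_hier_level_4",
    "cs3": "vsys",
    "PanOSVirtualSystemName": "vsys_name",
    "PanOSEventDescription": "event_description",
    "PanOSIsDuplicateLog": "is_dup_log",
    "PanOSLogExported": "is_exported",
    "PanOSTemplate": "template.value",
}

# Constructed sample modeled on the CEF example in this section. IDs and
# addresses are placeholders; cs3 is filled in to demonstrate label resolution.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|LF|2.0|CONFIG|config|3|"
    "ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 "
    "deviceExternalId=xxxxxxxxxxxxx PanOSEventTime=Jul 25 2019 23:30:12 "
    "duser= dntdom= duid= PanOSEventDetails= PanOSIsDuplicateLog=false "
    "PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false cat=xxxxx "
    "PanOSLogExported=false PanOSLogSource=firewall src=xxx.xx.x.xx "
    "cs3=vsys1 cs3Label=VirtualLocation act=commit-all duser0=Panorama-admin "
    "destinationServiceName= PanOSEventResult=submitted msg= externalId=17 "
    "PanOSDGHierarchyLevel1=0 PanOSDGHierarchyLevel2=0 "
    "PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 "
    "PanOSVirtualSystemName=vsys1 dvchost=PA-VM PanOSEventDescription= "
    "PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12"
)

# Extension values may contain spaces (rt=Mar 01 2021 20:35:54), so cut only
# at a space that is directly followed by another key=. A value that itself
# ends in a "word=" token would be mis-split; that is a limit of the format.
EXT_KEY_BOUNDARY = re.compile(r" (?=[A-Za-z0-9_.]+=)")
# Header fields are pipe-delimited; a literal pipe inside one is escaped as \|.
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF record into its 7 header fields and its extension key/value pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = UNESCAPED_PIPE.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields plus an extension")
    header = dict(zip(CEF_HEADER_NAMES, (p.replace("\\|", "|") for p in parts[:7])))
    extension: Dict[str, str] = {}
    for token in EXT_KEY_BOUNDARY.split(parts[7].strip()):
        key, sep, value = token.partition("=")
        if sep:
            extension[key] = value.replace("\\=", "=")
    return header, extension


def resolve_labels(extension: Dict[str, str]) -> Dict[str, str]:
    """Apply CEF custom-field labels: csNLabel=X means csN carries the field X."""
    resolved = dict(extension)
    for key, label in extension.items():
        base = key[:-len("Label")]
        if key.endswith("Label") and base in extension:
            resolved[label] = extension[base]
    return resolved


def to_query_names(line: str) -> Dict[str, str]:
    """Normalise a CONFIG CEF record to this reference's query names."""
    header, extension = parse_cef(line)
    record = {
        "vendor_name": header["device_vendor"],
        "log_type.value": header["device_event_class_id"],
        "sub_type.value": header["name"],
    }
    for key, value in extension.items():
        if key in CEF_KEY_TO_QUERY:
            record[CEF_KEY_TO_QUERY[key]] = value
    return record
```

A SIEM rule written against vsys or event_name.value will match the same CONFIG change regardless of whether it arrived as syslog CSV or CEF once both are normalised to query names this way; the label pass is what keeps cs3 from being silently mistaken for some other custom string.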

Configuration EMAIL Fields


Example Configuration log in EMAIL:

LogTime=2021-02-23T02:44:27.000000Z
LogSourceID=xxxxxxxxxxxxxx
LogType=CONFIG
Subtype=config
VirtualSystemID=0
VendorSeverity=
VendorName=Palo Alto Networks
TenantID=xxxxxxxxxxxxx
Severity=
LogSource=firewall
LogExported=false
LogSourceTimeZoneOffset=
LogCategory=xxxxx
IsPrismaUsers=false
IsPrismaNetwork=false
IsDuplicateLog=false
EventDetails=
AdminUserUUID=
AdminUserName=xxxxx
AdminUserDomain=
EventTime=2019-07-25T23:30:12.000000Z
IPaddress=xxx.xx.x.xx
VirtualLocation=
EventName=commit-all
AdminUsername=Panorama-admin
Client=
EventResult=submitted
EventPath=
SequenceNo=17
DGHierarchyLevel1=0
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=<{xwo X
LogSourceName=PA-VM
EventDescription=
_ I Yr0r
TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z

The following table identifies the Configuration field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.

EMAIL Name                    Query Name
AdminUsername                 admin_user
AdminUserDomain               admin_user_info.domain
AdminUserName                 admin_user_info.name
AdminUserUUID                 admin_user_info.uuid
Client                        client.value
ConfigVersion                 config_version.value
TenantID                      customer_id
DeviceGroup                   device_group.value
DGHierarchyLevel1             dg_hier_level_1
DGHierarchyLevel2             dg_hier_level_2
DGHierarchyLevel3             dg_hier_level_3
DGHierarchyLevel4             dg_hier_level_4
IPaddress                     event_client_ip.value
EventDescription              event_description
EventDetails                  event_detail
EventName                     event_name.value
EventPath                     event_path
EventResult                   event_result.value
EventTime                     event_time
IsDuplicateLog                is_dup_log
LogExported                   is_exported
IsPrismaNetwork               is_prisma_branch
IsPrismaUsers                 is_prisma_mobile
LogCategory                   log_category.value
LogSource                     log_source
LogSourceGroupID              log_source_group_id
LogSourceID                   log_source_id
LogSourceName                 log_source_name
LogSourceTimeZoneOffset       log_source_tz_offset
LogTime                       log_time
LogType                       log_type.value
PanoramaSN                    panorama_serial
PlatformType                  platform_type
SequenceNo                    sequence_no
Severity                      severity
Subtype                       sub_type.value
Template                      template.value
TimeGeneratedHighResolution   time_generated_high_res
VendorName                    vendor_name
VendorSeverity                vendor_severity.value
VirtualLocation               vsys
VirtualSystemID               vsys_id
VirtualSystemName             vsys_name

Configuration HTTPS Fields

The following table identifies the Configuration field names that the Log Forwarding app uses when you forward logs using the HTTPS log format.

HTTPS Name                    Query Name
AdminUsername                 admin_user
AdminUserDomain               admin_user_info.domain
AdminUserName                 admin_user_info.name
AdminUserUUID                 admin_user_info.uuid
Client                        client.value
ConfigVersion                 config_version.value
TenantID                      customer_id
DeviceGroup                   device_group.value
DGHierarchyLevel1             dg_hier_level_1
DGHierarchyLevel2             dg_hier_level_2
DGHierarchyLevel3             dg_hier_level_3
DGHierarchyLevel4             dg_hier_level_4
IPaddress                     event_client_ip.value
EventDescription              event_description
EventDetails                  event_detail
EventName                     event_name.value
EventPath                     event_path
EventResult                   event_result.value
EventTime                     event_time
IsDuplicateLog                is_dup_log
LogExported                   is_exported
IsPrismaNetwork               is_prisma_branch
IsPrismaUsers                 is_prisma_mobile
LogCategory                   log_category.value
LogSource                     log_source
LogSourceGroupID              log_source_group_id
LogSourceID                   log_source_id
LogSourceName                 log_source_name
LogSourceTimeZoneOffset       log_source_tz_offset
LogTime                       log_time
LogType                       log_type.value
PanoramaSN                    panorama_serial
PlatformType                  platform_type
SequenceNo                    sequence_no
Severity                      severity
Subtype                       sub_type.value
Template                      template.value
TimeGeneratedHighResolution   time_generated_high_res
VendorName                    vendor_name
VendorSeverity                vendor_severity.value
VirtualLocation               vsys
VirtualSystemID               vsys_id
VirtualSystemName             vsys_name

Configuration LEEF Fields

Example Configuration log in LEEF:

Sep 21 02:01:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 732 <14>1 2021-09-21T02:01:01.316Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|general| |profileToken=Palotoken devTimeFormat=YYYY-MM-DDTHH:MM:SSZ

The following table identifies the Configuration field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears on a parameter called profileToken.

LEEF Name                     Query Name                 Field Type
AdminUsername                 admin_user                 Custom
AdminUserDomain               admin_user_info.domain     Custom
AdminUserName                 admin_user_info.name       Custom
AdminUserUUID                 admin_user_info.uuid       Custom
Client                        client.value               Custom
ConfigVersion                 config_version.value       Custom
TenantID                      customer_id                Custom
DeviceGroup                   device_group.value         Custom
DGHierarchyLevel1             dg_hier_level_1            Custom
DGHierarchyLevel2             dg_hier_level_2            Custom
DGHierarchyLevel3             dg_hier_level_3            Custom
DGHierarchyLevel4             dg_hier_level_4            Custom
IPaddress                     event_client_ip.value      Custom
EventDescription              event_description          Custom
EventDetails                  event_detail               Custom
EventID                       event_name.value           Header
EventPath                     event_path                 Custom
EventID                       event_result.value         Header
devTime                       event_time                 Predefined
IsDuplicateLog                is_dup_log                 Custom
LogExported                   is_exported                Custom
IsPrismaNetwork               is_prisma_branch           Custom
IsPrismaUsers                 is_prisma_mobile           Custom
LogCategory                   log_category.value         Custom
LogSource                     log_source                 Custom
LogSourceGroupID              log_source_group_id        Custom
LogSourceID                   log_source_id              Custom
LogSourceName                 log_source_name            Custom
LogSourceTimeZoneOffset       log_source_tz_offset       Custom
LogTime                       log_time                   Custom
cat                           log_type.value             Predefined
PanoramaSN                    panorama_serial            Custom
PlatformType                  platform_type              Custom
SequenceNo                    sequence_no                Custom
Severity                      severity                   Custom
SubType                       sub_type.value             Custom
Template                      template.value             Custom
TimeGeneratedHighResolution   time_generated_high_res    Custom
Vendor                        vendor_name                Header
VendorSeverity                vendor_severity.value      Custom
VirtualLocation               vsys                       Custom
VirtualSystemID               vsys_id                    Custom
VirtualSystemName             vsys_name                  Custom

System
System Logs are common to any product, application, or service that writes to Cortex Data Lake. These are used to record system events that occur within the writing entity. The definition of a system event will differ from one writing entity to the next, so to learn about the events that cause a system log to be written, consult the documentation for the product, application, or service that writes these logs.
For example, Palo Alto Networks next-generation firewalls write a system log any time the firewall can't reach the syslog servers, any time WildFire is updated, any time an administrator visits the Monitor tab, or whenever someone logs onto the firewall.
See the following for information related to supported log formats:
• System Syslog Default Field Order
• System CEF Fields
• System EMAIL Fields
• System HTTPS Fields
• System LEEF Fields

SYSTEM Field Description


(Display Name)

agent_content_version Version of the agent content that is installed on the


endpoint.
(AGENT CONTENT VERSION)
CEF field name: PanOSAgentContentVersion
EMAIL field name: AgentContentVersion
HTTPS field name: AgentContentVersion
LEEF field name: AgentContentVersion

agent_data_collection_status.value Indicates whether data related to another product (for


example, EDR) is being collected by the agent.
(AGENT DATA COLLECTION
STATUS) CEF field name: PanOSAgentDataCollectionStatus
EMAIL field name: AgentDataCollectionStatus
HTTPS field name: AgentDataCollectionStatus
LEEF field name: AgentDataCollectionStatus

agent_id Unique identifier for the agent at the endpoint.


(AGENT ID) CEF field name: PanOSAgentID
EMAIL field name: AgentID
HTTPS field name: AgentID

Cortex Data Lake Schema Reference January 2024 41 ©2024 Palo Alto Networks, Inc.
Common Logs

SYSTEM Field Description


(Display Name)
LEEF field name: AgentID

agent_isolation_status Indicates whether the agent is isolated. Usually, agents


are isolated if they have been compromised.
(AGENT ISOLATION STATUS)
CEF field name: PanOSAgentIsolationStatus
EMAIL field name: AgentIsolationStatus
HTTPS field name: AgentIsolationStatus
LEEF field name: AgentIsolationStatus

agent_protection_status The protection status set for the endpoint.


(AGENT STATUS) CEF field name: PanOSAgentStatus
EMAIL field name: AgentStatus
HTTPS field name: AgentStatus
LEEF field name: AgentStatus

agent_version Version of the agent at the endpoint.


(AGENT VERSION) CEF field name: PanOSAgentVersion
EMAIL field name: AgentVersion
HTTPS field name: AgentVersion
LEEF field name: AgentVersion

config_version.value Config version converted to string represented as


major.minor.patch.build in value and as hex in id.
(CONFIG VERSION)
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

customer_id The ID that uniquely identifies the Cortex Data Lake


instance which received this log record.
(TENANT ID)
CEF field name: PanOSTenantID
EMAIL field name: TenantID
HTTPS field name: TenantID
LEEF field name: TenantID

Cortex Data Lake Schema Reference January 2024 42 ©2024 Palo Alto Networks, Inc.
Common Logs

SYSTEM Field Description


(Display Name)

device_group.value The ID and the name of the device group the firewall is
in.
(DEVICE GROUP)
Syslog field name: Syslog Field Order
CEF field name: PanOSDeviceGroup
EMAIL field name: DeviceGroup
HTTPS field name: DeviceGroup
LEEF field name: DeviceGroup

dg_hier_level_1 A sequence of identification numbers that indicate the


device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 1)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1

dg_hier_level_2 A sequence of identification numbers that indicate the


device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 2)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2

dg_hier_level_3 A sequence of identification numbers that indicate the


device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 3)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3

dg_hier_level_4 A sequence of identification numbers that indicate the


device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 4)
Syslog field name: Syslog Field Order

Cortex Data Lake Schema Reference January 2024 43 ©2024 Palo Alto Networks, Inc.
Common Logs

SYSTEM Field Description


(Display Name)
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4

endpoint_cpu_architecture.value The architecture of the OS type that the endpoint is


running.
(ENDPOINT CPU ARCHITECTURE)
CEF field name: PanOSEndpointCPUArchitecture
EMAIL field name: EndpointCPUArchitecture
HTTPS field name: EndpointCPUArchitecture
LEEF field name: EndpointCPUArchitecture

endpoint_device_domain Domain to which the endpoint belongs.


(ENDPOINT DEVICE DOMAIN) CEF field name: PanOSEndpointDeviceDomain
EMAIL field name: EndpointDeviceDomain
HTTPS field name: EndpointDeviceDomain
LEEF field name: EndpointDeviceDomain

endpoint_device_name Hostname of the endpoint on which the event was


logged.
(ENDPOINT DEVICE NAME)
CEF field name: PanOSEndpointDeviceName
EMAIL field name: EndpointDeviceName
HTTPS field name: EndpointDeviceName
LEEF field name: EndpointDeviceName

endpoint_ip.value IP address of the source of the event.


(ENDPOINT IP ADDRESS) CEF field name: PanOSEndpointIPaddress
EMAIL field name: EndpointIPaddress
HTTPS field name: EndpointIPaddress
LEEF field name: EndpointIPaddress

endpoint_is_vdi Indicates whether the endpoint is a virtual desktop


infrastructure (VDI). 0—The endpoint is not a VDI, 1—
(VDI ENDPOINT)
The endpoint is a VDI.
CEF field name: PanOSVDIEndpoint
EMAIL field name: VDIEndpoint

Cortex Data Lake Schema Reference January 2024 44 ©2024 Palo Alto Networks, Inc.
Common Logs

SYSTEM Field Description


(Display Name)
HTTPS field name: VDIEndpoint
LEEF field name: VDIEndpoint

endpoint_os_type.value The operating system on which the endpoint is running.


(ENDPOINT OS TYPE) CEF field name: PanOSEndpointOSType
EMAIL field name: EndpointOSType
HTTPS field name: EndpointOSType
LEEF field name: EndpointOSType

endpoint_os_version The version of the operating system running on the


endpoint.
(ENDPOINT OS VERSION)
CEF field name: PanOSEndpointOSVersion
EMAIL field name: EndpointOSVersion
HTTPS field name: EndpointOSVersion
LEEF field name: EndpointOSVersion

endpoint_tz_offset Effective endpoint time zone offset from UTC, in


minutes.
(AGENT TIME ZONE OFFSET)
CEF field name: PanOSAgentTimeZoneOffset
EMAIL field name: AgentTimeZoneOffset
HTTPS field name: AgentTimeZoneOffset
LEEF field name: AgentTimeZoneOffset

endpoint_user.domain Domain of the user who was logged into the endpoint
at the time of the system event.
(ENDPOINT USER DOMAIN)
CEF field name: PanOSEndpointUserDomain
EMAIL field name: EndpointUserDomain
HTTPS field name: EndpointUserDomain
LEEF field name: EndpointUserDomain

endpoint_user.name The name of the user logged into the endpoint at the
time of the system event.
(ENDPOINT USER NAME)
CEF field name: PanOSEndpointUserName
EMAIL field name: EndpointUserName
HTTPS field name: EndpointUserName

Cortex Data Lake Schema Reference January 2024 45 ©2024 Palo Alto Networks, Inc.
Common Logs

SYSTEM Field Description


(Display Name)
LEEF field name: EndpointUserName

endpoint_user.uuid The endpoint user's unique ID.


(ENDPOINT USER UUID) CEF field name: PanOSEndpointUserUUID
EMAIL field name: EndpointUserUUID
HTTPS field name: EndpointUserUUID
LEEF field name: EndpointUserUUID

event_component The component associated with the event. For example,


the object from a firewall.
(EVENT COMPONENT)
Syslog field name: Syslog Field Order
CEF field name: fname
EMAIL field name: EventComponent
HTTPS field name: EventComponent
LEEF field name: EventComponent

event_description Description of the system event.


(EVENT DESCRIPTION) Syslog field name: Syslog Field Order
CEF field name: msg
EMAIL field name: EventDescription
HTTPS field name: EventDescription
LEEF field name: EventDescription

event_name.value Name of the system event.


(EVENT NAME) Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: EventName
HTTPS field name: EventName
LEEF field name: EventID

event_time Time when the log was generated on the firewall's data
plane. This string contains a timestamp value that is the
(EVENT TIME)
number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: PanOSEventTime

Cortex Data Lake Schema Reference January 2024 46 ©2024 Palo Alto Networks, Inc.
Common Logs

SYSTEM Field Description


(Display Name)
EMAIL field name: EventTime
HTTPS field name: EventTime
LEEF field name: devTime

is_dup_log (IS DUPLICATE LOG)
  Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
  CEF field name: PanOSIsDuplicateLog
  EMAIL field name: IsDuplicateLog
  HTTPS field name: IsDuplicateLog
  LEEF field name: IsDuplicateLog

is_exported (LOG EXPORTED)
  Indicates if this log was exported from the firewall using the firewall's log export function.
  CEF field name: PanOSLogExported
  EMAIL field name: LogExported
  HTTPS field name: LogExported
  LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
  Indicates if the log is being forwarded.
  CEF field name: PanOSLogForwarded
  EMAIL field name: LogForwarded
  HTTPS field name: LogForwarded
  LEEF field name: LogForwarded

is_prisma_branch (IS PRISMA NETWORK)
  If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
  CEF field name: PanOSIsPrismaNetwork
  EMAIL field name: IsPrismaNetwork
  HTTPS field name: IsPrismaNetwork
  LEEF field name: IsPrismaNetwork

is_prisma_mobile (IS PRISMA USERS)
  If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
  CEF field name: PanOSIsPrismaUsers
  EMAIL field name: IsPrismaUsers
  HTTPS field name: IsPrismaUsers
  LEEF field name: IsPrismaUsers

log_category.value (LOG CATEGORY)
  The log category.
  CEF field name: cat
  EMAIL field name: LogCategory
  HTTPS field name: LogCategory
  LEEF field name: LogCategory

log_source (LOG SOURCE)
  Identifies the origin of the data. That is, the system that produced the data.
  CEF field name: PanOSLogSource
  EMAIL field name: LogSource
  HTTPS field name: LogSource
  LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
  ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
  CEF field name: LogSourceGroupID
  EMAIL field name: LogSourceGroupID
  HTTPS field name: LogSourceGroupID
  LEEF field name: LogSourceGroupID

log_source_id (LOG SOURCE ID)
  ID that uniquely identifies the source of the log. If the source is a firewall, this is its serial number. If the source is TMS, this is the trapsId.
  If the log is generated by Prisma Access, the serial number is not displayed.
  Syslog field name: Syslog Field Order
  CEF field name: deviceExternalId
  EMAIL field name: LogSourceID
  HTTPS field name: LogSourceID
  LEEF field name: LogSourceID

log_source_name (LOG SOURCE NAME)
  Name of the source of the log. If the source is a firewall, this is the device_name value. If the source is TMS, this is either the customer or tenant name.
  Syslog field name: Syslog Field Order
  CEF field name: dvchost
  EMAIL field name: LogSourceName
  HTTPS field name: LogSourceName
  LEEF field name: LogSourceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
  Time zone offset from GMT of the source of the log.
  CEF field name: PanOSLogSourceTimeZoneOffset
  EMAIL field name: LogSourceTimeZoneOffset
  HTTPS field name: LogSourceTimeZoneOffset
  LEEF field name: LogSourceTimeZoneOffset

log_time (LOG TIME)
  Time the log was received in Cortex Data Lake. This is populated by the platform.
  Syslog field name: Syslog Field Order
  CEF field name: rt
  EMAIL field name: LogTime
  HTTPS field name: LogTime
  LEEF field name: LogTime

log_type.value (LOG TYPE)
  Specifies the log type. Possible field values are: traffic, config, system, threat, appstat, trsum, thsum, event, alarm, hipmatch, userid, iptag, mdm, extpcap, urlsum, gtp, gtpsum, auth, panflex, extflex, sctp, sctpsum, analytics, action, scan, sam.
  Syslog field name: Syslog Field Order
  CEF field name: Device Event Class ID
  EMAIL field name: LogType
  HTTPS field name: LogType
  LEEF field name: cat

panorama_serial (PANORAMA SN)
  Panorama serial associated with CDL.
  CEF field name: PanOSPanoramaSN
  EMAIL field name: PanoramaSN
  HTTPS field name: PanoramaSN
  LEEF field name: PanoramaSN

platform_type (PLATFORM TYPE)
  The platform type (valid types are VM, PA, NGFW, CNGFW).
  CEF field name: PlatformType
  EMAIL field name: PlatformType
  HTTPS field name: PlatformType
  LEEF field name: PlatformType

sequence_no (SEQUENCE NO)
  The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
  Syslog field name: Syslog Field Order
  CEF field name: externalId
  EMAIL field name: SequenceNo
  HTTPS field name: SequenceNo
  LEEF field name: SequenceNo

severity (SEVERITY)
  Severity as defined by the platform.
  CEF field name: PanOSSeverity
  EMAIL field name: Severity
  HTTPS field name: Severity
  LEEF field name: Severity

sub_type.value (SUB TYPE)
  The log sub type. Possible values are: start, end, drop, deny, netflow.
  Syslog field name: Syslog Field Order
  CEF field name: Name
  EMAIL field name: Subtype
  HTTPS field name: Subtype
  LEEF field name: SubType

template.value (TEMPLATE)
  The ID and name of the template/template stack to which the firewall belonged where the log was generated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSTemplate
  EMAIL field name: Template
  HTTPS field name: Template
  LEEF field name: Template

time_generated_high_res (TIME GENERATED HIGH RESOLUTION)
  Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSTimeGeneratedHighResolution
  EMAIL field name: TimeGeneratedHighResolution
  HTTPS field name: TimeGeneratedHighResolution
  LEEF field name: TimeGeneratedHighResolution

vendor_name (VENDOR NAME)
  Identifies the vendor that produced the data.
  CEF field name: Device Vendor
  EMAIL field name: VendorName
  HTTPS field name: VendorName
  LEEF field name: Vendor

vendor_severity.value (VENDOR SEVERITY)
  Severity associated with the event.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSVendorSeverity
  EMAIL field name: VendorSeverity
  HTTPS field name: VendorSeverity
  LEEF field name: VendorSeverity

vsys (VIRTUAL LOCATION)
  String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
  Syslog field name: Syslog Field Order
  CEF field name: cs3
  EMAIL field name: VirtualLocation
  HTTPS field name: VirtualLocation
  LEEF field name: VirtualLocation

vsys_id (VIRTUAL SYSTEM ID)
  A unique identifier for a virtual system on a Palo Alto Networks firewall.
  CEF field name: PanOSVirtualSystemID
  EMAIL field name: VirtualSystemID
  HTTPS field name: VirtualSystemID
  LEEF field name: VirtualSystemID

vsys_name (VIRTUAL SYSTEM NAME)
  The name of the virtual system associated with the network traffic.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSVirtualSystemName
  EMAIL field name: VirtualSystemName
  HTTPS field name: VirtualSystemName
  LEEF field name: VirtualSystemName

System Syslog Default Field Order


Example System log in Syslog:

Oct 13 01:17:01 xxx.xx.x.xx 344 <142>1 2020-10-13T01:17:01.322Z
stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder
- panwlogs - 1,2020-10-13T01:16:46.000000Z,007051000113358,
SYSTEM,general,,2020-10-13T01:16:26.000000Z,vsys1,unknown,,,
0,,Informational,EDL(red_edl) No changes to list file,160444,
-9223372036854775808,0,0,0,0,,PA-VM,,,2020-10-13T01:16:26.000000Z

The following list gives the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are listed in the default order in which they appear in each log line:
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
event_time, vsys, event_name.value, event_component, EMPTY, event_component_id,
EMPTY, vendor_severity.value, event_description, sequence_no, action_flags, dg_hier_level_1,
dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name,
device_group.value, template.value, time_generated_high_res
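Added example (not code from the schema reference or from Palo Alto Networks): a parser that applies the default field order above to the sample System log, decodes the RFC 5424 PRI value, and derives the delay between time_generated_high_res and log_time. It assumes event_description is the only free-text column, so any surplus commas are folded back into it.

```python
import re
from datetime import datetime, timezone

# Default System syslog field order, exactly as listed above.
SYSTEM_SYSLOG_FIELDS = [
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "event_time", "vsys", "event_name.value",
    "event_component", "EMPTY", "event_component_id", "EMPTY",
    "vendor_severity.value", "event_description", "sequence_no",
    "action_flags", "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3",
    "dg_hier_level_4", "vsys_name", "log_source_name", "device_group.value",
    "template.value", "time_generated_high_res",
]
_DESC_IDX = SYSTEM_SYSLOG_FIELDS.index("event_description")
_TAIL = len(SYSTEM_SYSLOG_FIELDS) - _DESC_IDX - 1   # columns after the description

# RFC 5424 header as the Log Forwarding app emits it:
#   <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Anything before "<PRI>1" (the receiving relay's own prefix in the sample) is skipped.
_RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$", re.DOTALL)
_SYSLOG_SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_system_syslog(line: str) -> dict:
    """Return the System log as a dict keyed by query name.

    Raises ValueError when the line is not RFC 5424 or carries fewer columns
    than the default field order (the filter probably uses a custom column set).
    Assumption: event_description is the only free-text column, so any surplus
    columns are folded back into it.
    """
    m = _RFC5424.search(line)
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    cols = m.group("msg").rstrip("\r\n").split(",")
    expected = len(SYSTEM_SYSLOG_FIELDS)
    if len(cols) < expected:
        raise ValueError(f"expected {expected} columns, got {len(cols)}")
    if len(cols) > expected:
        desc = ",".join(cols[_DESC_IDX:len(cols) - _TAIL])
        cols = cols[:_DESC_IDX] + [desc] + cols[len(cols) - _TAIL:]
    record = {name: value for name, value in zip(SYSTEM_SYSLOG_FIELDS, cols)
              if name != "EMPTY"}           # the two EMPTY placeholders are dropped
    pri = int(m.group("pri"))               # PRI = facility * 8 + severity
    record["syslog_facility"] = pri // 8
    record["syslog_severity"] = _SYSLOG_SEVERITY[pri % 8]
    record["syslog_host"] = m.group("host")
    record["syslog_msgid"] = m.group("msgid")
    return record


def parse_cdl_time(value: str) -> datetime:
    """Parse the YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z timestamps used in these logs."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {value!r}")


def forwarding_delay_seconds(record: dict) -> float:
    """Seconds between generation on the data plane (time_generated_high_res)
    and receipt in Cortex Data Lake (log_time): a cheap ingest-latency check."""
    generated = parse_cdl_time(record["time_generated_high_res"])
    received = parse_cdl_time(record["log_time"])
    return (received - generated).total_seconds()


# The sample System log from this section, joined onto one line.
SAMPLE_SYSLOG = (
    "Oct 13 01:17:01 xxx.xx.x.xx 344 <142>1 2020-10-13T01:17:01.322Z "
    "stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder "
    "- panwlogs - 1,2020-10-13T01:16:46.000000Z,007051000113358,"
    "SYSTEM,general,,2020-10-13T01:16:26.000000Z,vsys1,unknown,,,"
    "0,,Informational,EDL(red_edl) No changes to list file,160444,"
    "-9223372036854775808,0,0,0,0,,PA-VM,,,2020-10-13T01:16:26.000000Z"
)

if __name__ == "__main__":
    rec = parse_system_syslog(SAMPLE_SYSLOG)
    for key in ("log_source_id", "log_type.value", "sub_type.value", "vsys",
                "vendor_severity.value", "event_description", "sequence_no"):
        print(f"{key:24s} {rec[key]}")
    print("forwarding delay (s):", forwarding_delay_seconds(rec))
```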

System CEF Fields


Example System log in CEF:

Feb 28 08:30:27 xxx.xx.x.xx 1442 <14>1 2021-02-28T08:30:27.339Z
stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder
- panwlogs - CEF:0|Palo Alto Networks|LF|2.0|SYSTEM|wildfire-appliance|1|
ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 08:30:26
deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=0.0
PanOSAgentContentVersion= PanOSAgentDataCollectionStatus=
PanOSAgentID= PanOSAgentIsolationStatus= PanOSAgentStatus=
PanOSAgentTimeZoneOffset= PanOSAgentVersion=
PanOSEndpointCPUArchitecture= PanOSEndpointDeviceDomain=
PanOSEndpointDeviceName= PanOSEndpointIPaddress=
PanOSEndpointOSType= PanOSEndpointOSVersion=
PanOSEndpointUserDomain= PanOSEndpointUserName=xxxxx
PanOSEndpointUserUUID= PanOSIsDuplicateLog=false
PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false
cat= PanOSLogExported=false PanOSLogForwarded=true
PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset=
PanOSSeverity=Informational PanOSTenantID=xxxxxxxxxxxxx
PanOSVDIEndpoint= PanOSVirtualSystemID=0 PanOSEventTime=Feb 28
2021 08:30:17 cs3= cs3Label=VirtualLocation act= fname= msg=gRPC
connection to f0d7d88a-0391-4899-a2e4-0938c4309e17.fei.lcaas-qa.us.paloaltonetworks.com:443
is established, xxx.xx.x.xx:48558 ->
xxx.xx.x.xx:443 time: 2021-02-28 00:30:17 externalId=xxxxxxxxxxxxx
PanOSDGHierarchyLevel1=0 PanOSDGHierarchyLevel2=0
PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0
PanOSVirtualSystemName= dvchost=xxxxx PanOSDeviceGroup=
PanOSTemplate= PanOSTimeGeneratedHighResolution=Feb 28 2021 08:30:17

The following table identifies the System field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name Field Details

PanOSAgentContentVersion | Query Name: agent_content_version | Header Type: Custom
PanOSAgentDataCollectionStatus | Query Name: agent_data_collection_status.value | Header Type: Custom
PanOSAgentID | Query Name: agent_id | Header Type: Custom
PanOSAgentIsolationStatus | Query Name: agent_isolation_status | Header Type: Custom
PanOSAgentStatus | Query Name: agent_protection_status | Header Type: Custom
PanOSAgentVersion | Query Name: agent_version | Header Type: Custom
PanOSConfigVersion | Query Name: config_version.value | Header Type: Custom
PanOSTenantID | Query Name: customer_id | Header Type: Custom
PanOSDeviceGroup | Query Name: device_group.value | Header Type: Custom
PanOSDGHierarchyLevel1 | Query Name: dg_hier_level_1 | Header Type: Custom
PanOSDGHierarchyLevel2 | Query Name: dg_hier_level_2 | Header Type: Custom
PanOSDGHierarchyLevel3 | Query Name: dg_hier_level_3 | Header Type: Custom
PanOSDGHierarchyLevel4 | Query Name: dg_hier_level_4 | Header Type: Custom
PanOSEndpointCPUArchitecture | Query Name: endpoint_cpu_architecture.value | Header Type: Custom
PanOSEndpointDeviceDomain | Query Name: endpoint_device_domain | Header Type: Custom
PanOSEndpointDeviceName | Query Name: endpoint_device_name | Header Type: Custom
PanOSEndpointIPaddress | Query Name: endpoint_ip.value | Header Type: Custom
PanOSVDIEndpoint | Query Name: endpoint_is_vdi | Header Type: Custom
PanOSEndpointOSType | Query Name: endpoint_os_type.value | Header Type: Custom
PanOSEndpointOSVersion | Query Name: endpoint_os_version | Header Type: Custom
PanOSAgentTimeZoneOffset | Query Name: endpoint_tz_offset | Header Type: Custom
PanOSEndpointUserDomain | Query Name: endpoint_user.domain | Header Type: Custom
PanOSEndpointUserName | Query Name: endpoint_user.name | Header Type: Custom
PanOSEndpointUserUUID | Query Name: endpoint_user.uuid | Header Type: Custom
fname | Query Name: event_component | Header Type: Predefined | Max Length: 1023
msg | Query Name: event_description | Header Type: Predefined | Max Length: 1023
act | Query Name: event_name.value | Header Type: Predefined | Max Length: 63
PanOSEventTime | Query Name: event_time | Header Type: Custom
PanOSIsDuplicateLog | Query Name: is_dup_log | Header Type: Custom
PanOSLogExported | Query Name: is_exported | Header Type: Custom
PanOSLogForwarded | Query Name: is_forwarded | Header Type: Custom
PanOSIsPrismaNetwork | Query Name: is_prisma_branch | Header Type: Custom
PanOSIsPrismaUsers | Query Name: is_prisma_mobile | Header Type: Custom
cat | Query Name: log_category.value | Header Type: Predefined | Max Length: 1023
PanOSLogSource | Query Name: log_source | Header Type: Custom
LogSourceGroupID | Query Name: log_source_group_id | Header Type: Custom | Max Length: 255
deviceExternalId | Query Name: log_source_id | Header Type: Predefined | Max Length: 255
dvchost | Query Name: log_source_name | Header Type: Predefined | Max Length: 100
PanOSLogSourceTimeZoneOffset | Query Name: log_source_tz_offset | Header Type: Custom
rt | Query Name: log_time | Header Type: Predefined
Device Event Class ID | Query Name: log_type.value | Header Type: Custom
PanOSPanoramaSN | Query Name: panorama_serial | Header Type: Custom
PlatformType | Query Name: platform_type | Header Type: Custom
externalId | Query Name: sequence_no | Header Type: Predefined | Max Length: 40
PanOSSeverity | Query Name: severity | Header Type: Custom
Name | Query Name: sub_type.value | Header Type: Custom
PanOSTemplate | Query Name: template.value | Header Type: Custom
PanOSTimeGeneratedHighResolution | Query Name: time_generated_high_res | Header Type: Custom
Device Vendor | Query Name: vendor_name | Header Type: Custom
PanOSVendorSeverity | Query Name: vendor_severity.value | Header Type: Custom
cs3 | Query Name: vsys | Header Type: Predefined | Label: cs3Label | Label Text: VirtualLocation | Max Length: 4000
PanOSVirtualSystemID | Query Name: vsys_id | Header Type: Custom
PanOSVirtualSystemName | Query Name: vsys_name | Header Type: Custom
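Added example (not code from the schema reference or from Palo Alto Networks): a parser for the CEF sample above that splits the header positions (Device Vendor, Device Event Class ID, Name), tokenises the extension where values may contain spaces or be empty, resolves the cs3/cs3Label pair to VirtualLocation, and maps the predefined keys in this table back to query names. The CEF_TO_QUERY map and the abridged sample are this example's own constructions; custom PanOS* keys not listed there keep their CEF names.

```python
import re

_HEADER_SEP = re.compile(r"(?<!\\)\|")               # '|' not escaped as '\|'
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of one key=value pair
_LABEL_KEY = re.compile(r"^(c[sn]\d+)Label$")         # cs3Label, cn1Label, ...

# CEF key -> query name for the predefined keys in the table above, plus the
# PanOS* keys this example reads. Other custom keys keep their CEF names.
CEF_TO_QUERY = {
    "deviceExternalId": "log_source_id",
    "dvchost": "log_source_name",
    "rt": "log_time",
    "externalId": "sequence_no",
    "msg": "event_description",
    "act": "event_name.value",
    "fname": "event_component",
    "cat": "log_category.value",
    "VirtualLocation": "vsys",                 # cs3 carrying cs3Label=VirtualLocation
    "PanOSEventTime": "event_time",
    "PanOSSeverity": "severity",
    "PanOSLogSource": "log_source",
    "PanOSVirtualSystemID": "vsys_id",
    "PanOSIsDuplicateLog": "is_dup_log",
}


def _unescape(value: str) -> str:
    # Minimal CEF extension unescaping for '\=' and '\\'.
    return value.replace("\\=", "=").replace("\\\\", "\\")


def parse_cef_extension(ext: str) -> dict:
    """Split 'k1=v1 k2=v2 ...'; values may contain spaces or be empty."""
    starts = list(_EXT_KEY.finditer(ext))
    raw = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(ext)
        raw[m.group(1)] = _unescape(ext[m.end():end].strip())
    return raw


def resolve_labels(raw: dict) -> dict:
    """Collapse csN/csNLabel (or cnN) pairs into one entry named by the label."""
    out = dict(raw)
    for key, label in raw.items():
        lm = _LABEL_KEY.match(key)
        if lm and label:
            base = lm.group(1)
            out[label] = raw.get(base, "")
            out.pop(base, None)
            out.pop(key, None)
    return out


def parse_system_cef(line: str) -> dict:
    """Parse a forwarded System log in CEF into a dict keyed by query name."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    parts = _HEADER_SEP.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    version, vendor, product, product_version, event_class_id, name, severity, ext = parts
    record = {CEF_TO_QUERY.get(k, k): v
              for k, v in resolve_labels(parse_cef_extension(ext)).items()}
    # Header positions per the table: Device Vendor -> vendor_name,
    # Device Event Class ID -> log_type.value, Name -> sub_type.value.
    record.update({
        "cef_version": version[len("CEF:"):],
        "vendor_name": vendor,
        "device_product": product,
        "device_version": product_version,
        "log_type.value": event_class_id,
        "sub_type.value": name,
        "cef_severity": severity,
    })
    return record


def is_duplicate(record: dict) -> bool:
    """True when is_dup_log says the same log also reaches another collector."""
    return record.get("is_dup_log", "").lower() == "true"


# The CEF sample from this section, with most empty PanOS* keys dropped for brevity.
SAMPLE_CEF = (
    "Feb 28 08:30:27 xxx.xx.x.xx 1442 <14>1 2021-02-28T08:30:27.339Z "
    "stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder "
    "- panwlogs - CEF:0|Palo Alto Networks|LF|2.0|SYSTEM|wildfire-appliance|1|"
    "ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 08:30:26 "
    "deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=0.0 "
    "PanOSAgentContentVersion= PanOSIsDuplicateLog=false cat= "
    "PanOSLogForwarded=true PanOSLogSource=firewall "
    "PanOSSeverity=Informational PanOSVirtualSystemID=0 "
    "PanOSEventTime=Feb 28 2021 08:30:17 cs3= cs3Label=VirtualLocation "
    "act= fname= msg=gRPC connection to "
    "f0d7d88a-0391-4899-a2e4-0938c4309e17.fei.lcaas-qa.us.paloaltonetworks.com:443 "
    "is established, xxx.xx.x.xx:48558 -> xxx.xx.x.xx:443 "
    "time: 2021-02-28 00:30:17 externalId=xxxxxxxxxxxxx dvchost=xxxxx"
)
```

Running `parse_system_cef(SAMPLE_CEF)` yields `log_type.value` SYSTEM, `sub_type.value` wildfire-appliance and an empty `vsys` resolved from the cs3/cs3Label pair.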

System EMAIL Fields


Example System log in EMAIL:

LogTime=2021-02-22T06:00:54.000000Z
LogSourceID=xxxxxxxxxxxxxx
LogType=SYSTEM
Subtype=general
ConfigVersion=0.0
VirtualSystemID=0
AgentTimeZoneOffset=
AgentVersion=
EndpointCPUArchitecture=
EndpointDeviceDomain=
EndpointDeviceName=
EndpointIPaddress=
EndpointOSType=
EndpointOSVersion=
EndpointUserDomain=
EndpointUserName=xxxxx
EndpointUserUUID=
IsDuplicateLog=false
IsPrismaNetwork=false
IsPrismaUsers=false
LogCategory=
LogExported=false
LogForwarded=true
LogSource=firewall
LogSourceTimeZoneOffset=
Severity=Informational
TenantID=xxxxxxxxxxxxx
TimeGeneratedHighResolution=2021-02-22T06:00:46.000000Z
VDIEndpoint=
VendorName=Palo Alto Networks
AgentStatus=
AgentDataCollectionStatus=
AgentID=
AgentIsolationStatus=
AgentContentVersion=
EventTime=2021-02-22T06:00:46.000000Z
VirtualLocation=
EventName=general
EventComponent=
VendorSeverity=Informational
EventDescription=WildFire version 559357-566509 downloaded by Auto
update agent
SequenceNo=30904438
DGHierarchyLevel1=0
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
LogSourceName=xxxxx
DeviceGroup=
Template=

The following table identifies the System field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.

EMAIL Name Query Name

AgentContentVersion agent_content_version

AgentDataCollectionStatus agent_data_collection_status.value

AgentID agent_id

AgentIsolationStatus agent_isolation_status

AgentStatus agent_protection_status

AgentVersion agent_version

ConfigVersion config_version.value

TenantID customer_id

DeviceGroup device_group.value

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

EndpointCPUArchitecture endpoint_cpu_architecture.value

EndpointDeviceDomain endpoint_device_domain

EndpointDeviceName endpoint_device_name

EndpointIPaddress endpoint_ip.value

VDIEndpoint endpoint_is_vdi

EndpointOSType endpoint_os_type.value

EndpointOSVersion endpoint_os_version

AgentTimeZoneOffset endpoint_tz_offset

EndpointUserDomain endpoint_user.domain

EndpointUserName endpoint_user.name

EndpointUserUUID endpoint_user.uuid

EventComponent event_component

EventDescription event_description

EventName event_name.value

EventTime event_time

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

LogCategory log_category.value

LogSource log_source

LogSourceGroupID log_source_group_id

LogSourceID log_source_id

LogSourceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

LogTime log_time

LogType log_type.value

PanoramaSN panorama_serial

PlatformType platform_type

SequenceNo sequence_no

Severity severity

Subtype sub_type.value

Template template.value

TimeGeneratedHighResolution time_generated_high_res

VendorName vendor_name

VendorSeverity vendor_severity.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

System HTTPS Fields


The following table identifies the System field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

AgentContentVersion agent_content_version

AgentDataCollectionStatus agent_data_collection_status.value

AgentID agent_id

AgentIsolationStatus agent_isolation_status

AgentStatus agent_protection_status

AgentVersion agent_version

ConfigVersion config_version.value

TenantID customer_id

DeviceGroup device_group.value

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

EndpointCPUArchitecture endpoint_cpu_architecture.value

EndpointDeviceDomain endpoint_device_domain

EndpointDeviceName endpoint_device_name

EndpointIPaddress endpoint_ip.value

VDIEndpoint endpoint_is_vdi

EndpointOSType endpoint_os_type.value

EndpointOSVersion endpoint_os_version

AgentTimeZoneOffset endpoint_tz_offset

EndpointUserDomain endpoint_user.domain

EndpointUserName endpoint_user.name

EndpointUserUUID endpoint_user.uuid

EventComponent event_component

EventDescription event_description

EventName event_name.value

EventTime event_time

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

LogCategory log_category.value

LogSource log_source

LogSourceGroupID log_source_group_id

LogSourceID log_source_id

LogSourceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

LogTime log_time

LogType log_type.value

PanoramaSN panorama_serial

PlatformType platform_type

SequenceNo sequence_no

Severity severity

Subtype sub_type.value

Template template.value

TimeGeneratedHighResolution time_generated_high_res

VendorName vendor_name

VendorSeverity vendor_severity.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

System LEEF Fields


Example System log in LEEF:

Sep 21 02:01:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 732
<14>1 2021-09-21T02:01:01.316Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4
logforwarder - panwlogs - LEEF:2.0|Palo
Alto Networks|Next Generation Firewall|10.1|general| |
LogTime=2021-09-21T02:01:00.000000Z LogSourceID=xxxxxxxxxxxxxx
cat=system SubType=general ConfigVersion=10.1
devTime=2021-09-21T02:00:56.000000ZVirtualLocation= EventComponent=
VendorSeverity=Informational EventDescription=WildFire
update job succeeded for user Auto update agent
SequenceNo=7003061162447265681 DGHierarchyLevel1=0
DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0
VirtualSystemName= LogSourceName=xxxxx DeviceGroup= Template=
TimeGeneratedHighResolution=2021-09-21T02:00:56.997000Z
devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the System field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears in a
parameter called profileToken.

LEEF Name Query Name Field Type

AgentContentVersion agent_content_version Custom

AgentDataCollectionStatus agent_data_collection_status.value Custom

AgentID agent_id Custom

AgentIsolationStatus agent_isolation_status Custom

AgentStatus agent_protection_status Custom

AgentVersion agent_version Custom

ConfigVersion config_version.value Custom

TenantID customer_id Custom

DeviceGroup device_group.value Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

EndpointCPUArchitecture endpoint_cpu_architecture.value Custom

EndpointDeviceDomain endpoint_device_domain Custom

EndpointDeviceName endpoint_device_name Custom

EndpointIPaddress endpoint_ip.value Custom

VDIEndpoint endpoint_is_vdi Custom

EndpointOSType endpoint_os_type.value Custom

EndpointOSVersion endpoint_os_version Custom

AgentTimeZoneOffset endpoint_tz_offset Custom

EndpointUserDomain endpoint_user.domain Custom

EndpointUserName endpoint_user.name Custom

EndpointUserUUID endpoint_user.uuid Custom

EventComponent event_component Custom

EventDescription event_description Custom

EventID event_name.value Header

devTime event_time Predefined

IsDuplicateLog is_dup_log Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsPrismaNetwork is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

LogCategory log_category.value Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

LogSourceID log_source_id Custom

LogSourceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

LogTime log_time Custom

cat log_type.value Predefined

PanoramaSN panorama_serial Custom

PlatformType platform_type Custom

SequenceNo sequence_no Custom

Severity severity Custom

SubType sub_type.value Custom

Template template.value Custom

TimeGeneratedHighResolution time_generated_high_res Custom

Vendor vendor_name Header

VendorSeverity vendor_severity.value Custom

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom

Endpoint Logs
Endpoint logs are written by applications running on an endpoint.
Endpoints have the following types of logs:
• GlobalProtect App Troubleshooting

GlobalProtect App Troubleshooting


GlobalProtect troubleshooting logs contain information about the GlobalProtect client and its host
to help app users resolve issues.
See the following for information related to supported log formats:
• GlobalProtect App Troubleshooting Syslog Default Field Order
• GlobalProtect App Troubleshooting CEF Fields
• GlobalProtect App Troubleshooting EMAIL Fields
• GlobalProtect App Troubleshooting HTTPS Fields
• GlobalProtect App Troubleshooting LEEF Fields

GLOBALPROTECT APP TROUBLESHOOTING Field (Display Name): Description

app_tampered (APP TAMPERED)
  Indicates whether application files on the endpoint were tampered with or modified.
  CEF field name: PanOSAppTampered
  EMAIL field name: AppTampered
  HTTPS field name: AppTampered
  LEEF field name: AppTampered

captive_portal (CAPTIVE PORTAL)
  Indicates whether the endpoint is behind a captive portal.
  CEF field name: PanOSCaptivePortal
  EMAIL field name: CaptivePortal
  HTTPS field name: CaptivePortal
  LEEF field name: CaptivePortal

cpu_usage (CPU USAGE)
  The percentage of overall CPU usage on the endpoint.
  CEF field name: PanOSCPUUsage
  EMAIL field name: CPUUsage
  HTTPS field name: CPUUsage
  LEEF field name: CPUUsage

cpu_usage_gp (GLOBALPROTECT CPU USAGE)
  The percentage of the endpoint's CPU resources used by GlobalProtect.
  CEF field name: PanOSGlobalProtectCPUUsage
  EMAIL field name: GlobalProtectCPUUsage
  HTTPS field name: GlobalProtectCPUUsage
  LEEF field name: GlobalProtectCPUUsage

crash_history (CRASH HISTORY)
  A record of any GlobalProtect application crashes.
  CEF field name: PanOSCrashHistory
  EMAIL field name: CrashHistory
  HTTPS field name: CrashHistory
  LEEF field name: CrashHistory

debug_log_file_name (DEBUG LOG FILE)
  The name of a file containing debug logs.
  CEF field name: PanOSDebugLogFile
  EMAIL field name: DebugLogFile
  HTTPS field name: DebugLogFile
  LEEF field name: DebugLogFile

disable_history (DISABLE HISTORY)
  A record of the times that GlobalProtect was disabled.
  CEF field name: PanOSDisableHistory
  EMAIL field name: DisableHistory
  HTTPS field name: DisableHistory
  LEEF field name: DisableHistory

disk_available (DISK AVAILABLE)
  The disk space remaining on the endpoint.
  CEF field name: PanOSDiskAvailable
  EMAIL field name: DiskAvailable
  HTTPS field name: DiskAvailable
  LEEF field name: DiskAvailable

disk_total (TOTAL DISK SPACE)
  The total disk space on the endpoint.
  CEF field name: PanOSTotalDiskSpace
  EMAIL field name: TotalDiskSpace
  HTTPS field name: TotalDiskSpace
  LEEF field name: TotalDiskSpace

dns_reachable (DNS REACHABLE)
  Indicates whether the endpoint can reach internet DNS servers.
  CEF field name: PanOSDNSReachable
  EMAIL field name: DNSReachable
  HTTPS field name: DNSReachable
  LEEF field name: DNSReachable

dual_stack_network (DUAL STACK TUNNEL INTERFACE)
  Indicates whether the GlobalProtect interface is both IPv4 and IPv6 compatible.
  CEF field name: PanOSDualStackTunnelInterface
  EMAIL field name: DualStackTunnelInterface
  HTTPS field name: DualStackTunnelInterface
  LEEF field name: DualStackTunnelInterface

enforcer_status (ENFORCER STATUS)
  Indicates whether GlobalProtect is enforced for network access.
  CEF field name: PanOSEnforcerStatus
  EMAIL field name: EnforcerStatus
  HTTPS field name: EnforcerStatus
  LEEF field name: EnforcerStatus

error (ERROR MESSAGE)
  The last error that occurred in GlobalProtect.
  Syslog field name: Syslog Field Order
  CEF field name: reason
  EMAIL field name: ErrorMessage
  HTTPS field name: ErrorMessage
  LEEF field name: ErrorMessage

error_details (ERROR DETAILS)
  Details that help troubleshoot an error.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSErrorDetails
  EMAIL field name: ErrorDetails
  HTTPS field name: ErrorDetails
  LEEF field name: ErrorDetails

error_stage (ERROR STAGE)
  The stage when an error occurred.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSErrorStage
  EMAIL field name: ErrorStage
  HTTPS field name: ErrorStage
  LEEF field name: ErrorStage

error_time (ERROR GENERATED TIME)
  The UTC time in milliseconds when a GlobalProtect error occurred.
  Syslog field name: Syslog Field Order
  CEF field name: start
  EMAIL field name: ErrorGeneratedTime
  HTTPS field name: ErrorGeneratedTime
  LEEF field name: ErrorGeneratedTime

gp_mtu (GLOBALPROTECT MTU)
  The maximum transmission unit of GlobalProtect.
  CEF field name: PanOSGlobalProtectMTU
  EMAIL field name: GlobalProtectMTU
  HTTPS field name: GlobalProtectMTU
  LEEF field name: GlobalProtectMTU

gp_version (GLOBALPROTECT VERSION)
  The GlobalProtect application version.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSGlobalProtectVersion
  EMAIL field name: GlobalProtectVersion
  HTTPS field name: GlobalProtectVersion
  LEEF field name: GlobalProtectVersion

gw_address (GATEWAY ADDRESS)
  The IP address of the GlobalProtect gateway.
  CEF field name: PanOSGatewayAddress
  EMAIL field name: GatewayAddress
  HTTPS field name: GatewayAddress
  LEEF field name: GatewayAddress

gw_attempted (ATTEMPTED GATEWAYS)
  The gateways attempted by GlobalProtect before connecting to the current gateway.
  CEF field name: PanOSAttemptedGateways
  EMAIL field name: AttemptedGateways
  HTTPS field name: AttemptedGateways
  LEEF field name: AttemptedGateways

gw_auth (GATEWAY AUTHENTICATION)
  An array of the authentication methods used to connect to the GlobalProtect gateway.
  CEF field name: PanOSGatewayAuthentication
  EMAIL field name: GatewayAuthentication
  HTTPS field name: GatewayAuthentication
  LEEF field name: GatewayAuthentication

gw_config_name (GATEWAY CONFIGURATION NAME)
  The name of the GlobalProtect gateway client settings configuration.
  CEF field name: PanOSGatewayConfigurationName
  EMAIL field name: GatewayConfigurationName
  HTTPS field name: GatewayConfigurationName
  LEEF field name: GatewayConfigurationName

gw_dlsa_enabled (DLSA STATUS)
  Indicates whether local subnet access is enabled.
  CEF field name: PanOSDLSAstatus
  EMAIL field name: DLSAstatus
  HTTPS field name: DLSAstatus
  LEEF field name: DLSAstatus

gw_fall_back_to_ssl (FALLBACK TO SSL REASON)
  The reason why the GlobalProtect client fell back to SSL to connect to the gateway.
  CEF field name: PanOSFallbacktoSSLReason
  EMAIL field name: FallbacktoSSLReason
  HTTPS field name: FallbacktoSSLReason
  LEEF field name: FallbacktoSSLReason

gw_ipsec_enabled (IPSEC ENABLED)
  Indicates whether IPsec tunnel mode is enabled.
  CEF field name: PanOSIPSecEnabled
  EMAIL field name: IPSecEnabled
  HTTPS field name: IPSecEnabled
  LEEF field name: IPSecEnabled

gw_ipsec_failure_reason (IPSEC FAILURE REASON)
  The reason why the IPsec tunnel connection failed.
  CEF field name: PanOSIPSecFailureReason
  EMAIL field name: IPSecFailureReason
  HTTPS field name: IPSecFailureReason
  LEEF field name: IPSecFailureReason

gw_jitter (JITTER)
  The gateway jitter in milliseconds.
  CEF field name: PanOSJitter
  EMAIL field name: Jitter
  HTTPS field name: Jitter
  LEEF field name: Jitter

gw_latency (LATENCY)
  The gateway latency in milliseconds.
  CEF field name: PanOSLatency
  EMAIL field name: Latency
  HTTPS field name: Latency
  LEEF field name: Latency

gw_location (LOCATION)
  The geographic location of the gateway.
  CEF field name: PanOSLocation
  EMAIL field name: Location
  HTTPS field name: Location
  LEEF field name: Location

gw_logout_time (LOGOUT TIME)
  The UTC time in milliseconds when the GlobalProtect client logged out from the gateway.
  CEF field name: PanOSGatewayLogoutTime
  EMAIL field name: GatewayLogoutTime
  HTTPS field name: GatewayLogoutTime
  LEEF field name: GatewayLogoutTime

gw_packet_loss (PACKET LOSS)
    The percentage of packets lost from gateway traffic.
    CEF field name: PanOSPacketLoss
    EMAIL field name: PacketLoss
    HTTPS field name: PacketLoss
    LEEF field name: PacketLoss

gw_reachable (GATEWAY REACHABLE)
    Indicates whether the gateway is reachable.
    CEF field name: PanOSGatewayReachable
    EMAIL field name: GatewayReachable
    HTTPS field name: GatewayReachable
    LEEF field name: GatewayReachable

gw_server_cert (GATEWAY SSL CERTIFICATE VALID)
    Indicates whether the gateway server certificate is valid.
    CEF field name: PanOSGatewaySSLCertificateValid
    EMAIL field name: GatewaySSLCertificateValid
    HTTPS field name: GatewaySSLCertificateValid
    LEEF field name: GatewaySSLCertificateValid

gw_ssl_failure_reason (SSL FAILURE REASON)
    The reason why the SSL tunnel connection failed.
    CEF field name: PanOSSSLFailureReason
    EMAIL field name: SSLFailureReason
    HTTPS field name: SSLFailureReason
    LEEF field name: SSLFailureReason

gw_status (GATEWAY STATUS)
    The status of the GlobalProtect gateway.
    CEF field name: PanOSGatewayStatus
    EMAIL field name: GatewayStatus
    HTTPS field name: GatewayStatus
    LEEF field name: GatewayStatus

gw_tunnel_renamed (TUNNEL RENAME)
    Indicates whether the pre-logon tunnel was renamed to a user tunnel.
    CEF field name: PanOSTunnelRename
    EMAIL field name: TunnelRename
    HTTPS field name: TunnelRename
    LEEF field name: TunnelRename


has_privileges (PRIVILEGES)
    Indicates whether GlobalProtect has the necessary permissions on the endpoint to function.
    CEF field name: PanOSPrivileges
    EMAIL field name: Privileges
    HTTPS field name: Privileges
    LEEF field name: Privileges

host_gmt_timeoffset (HOST TIME OFFSET)
    The difference between the time zone of the endpoint and GMT.
    Syslog field name: Syslog Field Order
    CEF field name: dtz
    EMAIL field name: HostTimeOffset
    HTTPS field name: HostTimeOffset
    LEEF field name: HostTimeOffset

host_id (GLOBALPROTECT HOST ID)
    The unique identifier created by GlobalProtect for the endpoint.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSHostID
    EMAIL field name: HostID
    HTTPS field name: HostID
    LEEF field name: HostID

host_name (HOSTNAME)
    The host name of the endpoint.
    Syslog field name: Syslog Field Order
    CEF field name: dvchost
    EMAIL field name: Hostname
    HTTPS field name: Hostname
    LEEF field name: identHostName

install_history (INSTALL HISTORY)
    Indicates whether GlobalProtect is newly installed, upgraded, or downgraded.
    CEF field name: PanOSInstallHistory
    EMAIL field name: InstallHistory
    HTTPS field name: InstallHistory
    LEEF field name: InstallHistory

internal_network (INTERNAL NETWORK)
    Indicates whether the endpoint is in an internal network.
    CEF field name: PanOSInternalNetwork
    EMAIL field name: InternalNetwork
    HTTPS field name: InternalNetwork
    LEEF field name: InternalNetwork

internet_access (INTERNET ACCESS)
    Indicates whether the endpoint has internet access.
    CEF field name: PanOSInternetAccess
    EMAIL field name: InternetAccess
    HTTPS field name: InternetAccess
    LEEF field name: InternetAccess

jail_broken (JAILBROKEN STATUS)
    Indicates whether the mobile device is jailbroken.
    CEF field name: PanOSJailbrokenStatus
    EMAIL field name: JailbrokenStatus
    HTTPS field name: JailbrokenStatus
    LEEF field name: JailbrokenStatus

last_hip_report_time (LAST HIP REPORT TIME)
    The last time GlobalProtect sent a Host Information Profile (HIP) report.
    CEF field name: PanOSLastHIPReportTime
    EMAIL field name: LastHIPReportTime
    HTTPS field name: LastHIPReportTime
    LEEF field name: LastHIPReportTime

last_logout_time (LAST LOGOUT TIME)
    The last time a user logged out of GlobalProtect, as UTC time in milliseconds.
    CEF field name: PanOSLastLogoutTime
    EMAIL field name: LastLogoutTime
    HTTPS field name: LastLogoutTime
    LEEF field name: LastLogoutTime


locale (LOCALE)
    The language locale name. Example: en-us;English (United States)
    Syslog field name: Syslog Field Order
    CEF field name: PanOSLocale
    EMAIL field name: Locale
    HTTPS field name: Locale
    LEEF field name: Locale

log_type.value (LOG TYPE)
    A required LEEF header field that describes the log type. In this case, GlobalProtect
    Troubleshooting.
    Syslog field name: Syslog Field Order
    CEF field name: Device Event Class ID
    EMAIL field name: LogType
    HTTPS field name: LogType
    LEEF field name: cat

memory_total (TOTAL MEMORY)
    The total memory on the endpoint.
    CEF field name: PanOSTotalMemory
    EMAIL field name: TotalMemory
    HTTPS field name: TotalMemory
    LEEF field name: TotalMemory

memory_usage (MEMORY USAGE)
    The total memory usage on the endpoint.
    CEF field name: PanOSMemoryUsage
    EMAIL field name: MemoryUsage
    HTTPS field name: MemoryUsage
    LEEF field name: MemoryUsage

memory_usage_gp (GLOBALPROTECT MEMORY USAGE)
    The memory resources used by GlobalProtect on the endpoint.
    CEF field name: PanOSGlobalProtectMemoryUsage
    EMAIL field name: GlobalProtectMemoryUsage
    HTTPS field name: GlobalProtectMemoryUsage
    LEEF field name: GlobalProtectMemoryUsage

network_access (NETWORK ACCESS)
    Indicates whether the endpoint has network access.
    CEF field name: PanOSNetworkAccess
    EMAIL field name: NetworkAccess
    HTTPS field name: NetworkAccess
    LEEF field name: NetworkAccess

network_latency (PORTALGATEWAY LATENCY)
    The network latency in milliseconds.
    CEF field name: PanOSPortalGatewayLatency
    EMAIL field name: PortalGatewayLatency
    HTTPS field name: PortalGatewayLatency
    LEEF field name: PortalGatewayLatency

network_type (TYPE)
    The network type that the endpoint is accessing, such as WiFi, Ethernet, or LTE.
    CEF field name: PanOSType
    EMAIL field name: Type
    HTTPS field name: Type
    LEEF field name: Type

os (OPERATING SYSTEM)
    The operating system of the device from which a user is reporting an issue.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSOperatingSystem
    EMAIL field name: OperatingSystem
    HTTPS field name: OperatingSystem
    LEEF field name: OperatingSystem

panorama_serial (PANORAMA SN)
    The serial number of the Panorama appliance associated with Cortex Data Lake.
    CEF field name: PanOSPanoramaSN
    EMAIL field name: PanoramaSN
    HTTPS field name: PanoramaSN
    LEEF field name: PanoramaSN

portal_address (PORTAL ADDRESS)
    The IP address of the last connected GlobalProtect portal.
    CEF field name: PanOSPortalAddress
    EMAIL field name: PortalAddress
    HTTPS field name: PortalAddress
    LEEF field name: PortalAddress

portal_auth (PORTAL AUTHENTICATION)
    The authentication methods used to connect to the GlobalProtect portal.
    CEF field name: PanOSPortalAuthentication
    EMAIL field name: PortalAuthentication
    HTTPS field name: PortalAuthentication
    LEEF field name: PortalAuthentication

portal_cached_config (CACHED CONFIGURATION)
    Indicates whether the client is using a cached configuration to connect to the
    GlobalProtect portal.
    CEF field name: PanOSCachedConfiguration
    EMAIL field name: CachedConfiguration
    HTTPS field name: CachedConfiguration
    LEEF field name: CachedConfiguration

portal_config_name (PORTAL CONFIGURATION NAME)
    The name of the GlobalProtect portal configuration if the client is connected to a portal.
    CEF field name: PanOSPortalConfigurationName
    EMAIL field name: PortalConfigurationName
    HTTPS field name: PortalConfigurationName
    LEEF field name: PortalConfigurationName

portal_config_refresh (CONFIGURATION REFRESH)
    Indicates whether the GlobalProtect portal configuration has been refreshed.
    CEF field name: PanOSConfigurationRefresh
    EMAIL field name: ConfigurationRefresh
    HTTPS field name: ConfigurationRefresh
    LEEF field name: ConfigurationRefresh

portal_last_connect_time (LAST CONNECT TIME)
    The last time the client connected to a GlobalProtect portal.
    CEF field name: flexDate1
    EMAIL field name: LastConnectTime
    HTTPS field name: LastConnectTime
    LEEF field name: LastConnectTime

portal_reachable (PORTAL REACHABLE)
    Indicates whether the GlobalProtect portal is reachable and accepts a TCP connection.
    CEF field name: PanOSPortalReachable
    EMAIL field name: PortalReachable
    HTTPS field name: PortalReachable
    LEEF field name: PortalReachable

portal_server_cert (PORTAL SSL CERTIFICATE VALID)
    Indicates whether the portal has a valid server certificate.
    CEF field name: PanOSPortalSSLCertificateValid
    EMAIL field name: PortalSSLCertificateValid
    HTTPS field name: PortalSSLCertificateValid
    LEEF field name: PortalSSLCertificateValid

portal_status (PORTAL STATUS)
    The status of the portal before the user reported an issue.
    CEF field name: PanOSPortalStatus
    EMAIL field name: PortalStatus
    HTTPS field name: PortalStatus
    LEEF field name: PortalStatus

proxy_server (PROXY SERVER)
    Indicates whether the endpoint is behind a proxy server.
    CEF field name: PanOSProxyServer
    EMAIL field name: ProxyServer
    HTTPS field name: ProxyServer
    LEEF field name: ProxyServer

report_id (REPORT ID)
    The unique identifier for each issue reported by a user from the GlobalProtect app.
    Syslog field name: Syslog Field Order
    CEF field name: rt
    EMAIL field name: GeneratedTime
    HTTPS field name: GeneratedTime
    LEEF field name: devTime

report_time (GENERATED TIME)
    The UTC time in milliseconds when GlobalProtect sent a report.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSReportID
    EMAIL field name: ReportID
    HTTPS field name: ReportID
    LEEF field name: ReportID

    Note: rt is the standard CEF receipt-time key and devTime is the standard LEEF event-time
    key, and the EMAIL/HTTPS names GeneratedTime and ReportID read as if they belong to the
    other field, so the format names listed for report_id and report_time appear to be
    transposed. Confirm the mapping against a forwarded sample before relying on it in a parser.

report_type (REPORT TYPE)
    Indicates the type of the report: troubleshooting or diagnostic.
    Syslog field name: Syslog Field Order
    CEF field name: Name
    EMAIL field name: ReportType
    HTTPS field name: ReportType
    LEEF field name: EventID

serial_number (ENDPOINT SERIAL NUMBER)
    The serial number of the device.
    Syslog field name: Syslog Field Order
    CEF field name: deviceExternalId
    EMAIL field name: SerialNumber
    HTTPS field name: SerialNumber
    LEEF field name: SerialNumber


server_performance (SERVER PERFORMANCE)
    The network latency of various destination URLs configured by an administrator on Panorama.
    CEF field name: PanOSServerPerformance
    EMAIL field name: ServerPerformance
    HTTPS field name: ServerPerformance
    LEEF field name: ServerPerformance

split_tunnel_status (SPLIT-TUNNEL CONFIGURATION)
    Indicates the status of a split tunnel configured on GlobalProtect.
    CEF field name: PanOSSplit-tunnelconfiguration
    EMAIL field name: Split-tunnelconfiguration
    HTTPS field name: Split-tunnelconfiguration
    LEEF field name: Split-tunnelconfiguration

user_comment (USER COMMENT)
    Comments that the user submitted with their issue report.
    CEF field name: PanOSUserComment
    EMAIL field name: UserComment
    HTTPS field name: UserComment
    LEEF field name: UserComment

user_name (USERNAME)
    The name of the user who reported an issue.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSUsername
    EMAIL field name: Username
    HTTPS field name: Username
    LEEF field name: usrName

GlobalProtect App Troubleshooting Syslog Default Field Order


The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, report_time, host_id, log_type.value, report_type, gp_version, error_time, report_id,
user_name, host_name, host_gmt_timeoffset, serial_number, os, locale, error_stage, error,
error_details
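As an added example (not part of the schema reference and not code from the Log Forwarding app), the following Python parser maps a line in the default field order above onto the query names. It assumes an RFC 5424 syslog header with "-" placeholders in front of the comma-separated payload, and the sample line is constructed: its log-type value and host identifier are placeholders, because the page does not state the exact header layout or the log-type string. The csv module is used on purpose: free-text fields such as error_details can contain commas, and a naive split on "," would shift every later column.

```python
"""Parse a GlobalProtect App Troubleshooting syslog line in the default field order."""
import csv
from datetime import datetime, timezone
from io import StringIO

# Default field order from the schema reference, with HEADER excluded: HEADER is
# the syslog header that precedes the comma-separated payload.
GP_TROUBLESHOOTING_FIELD_ORDER = (
    "report_time", "host_id", "log_type.value", "report_type", "gp_version",
    "error_time", "report_id", "user_name", "host_name", "host_gmt_timeoffset",
    "serial_number", "os", "locale", "error_stage", "error", "error_details",
)

# report_time is documented as UTC in milliseconds; it is converted to an
# aware datetime. Other time fields are left as strings because this page does
# not state their encoding.
EPOCH_MS_FIELDS = ("report_time",)

# Constructed sample line, not captured output. ASSUMPTION: an RFC 5424 header
# (PRI/VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, STRUCTURED-DATA)
# followed by the CSV payload; the log_type value and host id are placeholders.
SAMPLE_LINE = (
    "<14>1 2024-01-30T12:00:05Z cdl-forwarder LogForwarding - - - "
    "1706616000000,8f1c2a7e-host,GLOBALPROTECT_TROUBLESHOOTING,troubleshooting,6.2.0,"
    "1706615990000,rpt-0001,jdoe,LAPTOP-42,-480,SN123456,\"Windows 11\","
    "en-us;English (United States),gateway-connect,\"Gateway connection failed\","
    "\"Fallback to SSL, then IPsec retry exceeded\""
)


def split_rfc5424(line):
    """Return (header_tokens, payload).

    ASSUMPTION: the seven RFC 5424 header fields are space separated and
    STRUCTURED-DATA is the NILVALUE "-"; a bracketed SD element that contains
    spaces would need a full RFC 5424 parser instead of this split.
    """
    parts = line.split(" ", 7)
    if len(parts) != 8:
        raise ValueError("line is shorter than an RFC 5424 header plus payload")
    return parts[:7], parts[7]


def parse_gp_troubleshooting(line, field_order=GP_TROUBLESHOOTING_FIELD_ORDER):
    """Map the positional CSV payload onto query names.

    csv.reader honours double quotes, so a quoted value containing commas
    (error_details below) stays one field; the column count is checked because
    a filter created with a custom column order will not match this table.
    """
    _, payload = split_rfc5424(line)
    values = next(csv.reader(StringIO(payload)))
    if len(values) != len(field_order):
        raise ValueError(
            f"expected {len(field_order)} fields, got {len(values)}; "
            "the filter was probably created with a custom column order"
        )
    record = dict(zip(field_order, values))
    for name in EPOCH_MS_FIELDS:
        record[name] = datetime.fromtimestamp(int(record[name]) / 1000, tz=timezone.utc)
    return record


if __name__ == "__main__":
    for key, value in parse_gp_troubleshooting(SAMPLE_LINE).items():
        print(f"{key:22} {value}")
```

If you created the log filter after the migration the page describes, replace GP_TROUBLESHOOTING_FIELD_ORDER with the column list you chose for that filter; the length check will then catch lines from a filter with a different column set.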

GlobalProtect App Troubleshooting CEF Fields

The following table identifies the GlobalProtect App Troubleshooting field names that the Log
Forwarding app uses when you forward logs using the CEF log format. A Header Type of Predefined
denotes a standard CEF extension key, with the CEF maximum length where one applies; Custom
denotes a vendor-defined extension key.

CEF Name                           Query Name                  Header Type   Notes
PanOSAppTampered                   app_tampered                Custom
PanOSCaptivePortal                 captive_portal              Custom
PanOSCPUUsage                      cpu_usage                   Custom
PanOSGlobalProtectCPUUsage         cpu_usage_gp                Custom
PanOSCrashHistory                  crash_history               Custom
PanOSDebugLogFile                  debug_log_file_name         Custom
PanOSDisableHistory                disable_history             Custom
PanOSDiskAvailable                 disk_available              Custom
PanOSTotalDiskSpace                disk_total                  Custom
PanOSDNSReachable                  dns_reachable               Custom
PanOSDualStackTunnelInterface      dual_stack_network          Custom
PanOSEnforcerStatus                enforcer_status             Custom
reason                             error                       Predefined    Max Length: 1023
PanOSErrorDetails                  error_details               Custom
PanOSErrorStage                    error_stage                 Custom
start                              error_time                  Predefined
PanOSGlobalProtectMTU              gp_mtu                      Custom
PanOSGlobalProtectVersion          gp_version                  Custom
PanOSGatewayAddress                gw_address                  Custom
PanOSAttemptedGateways             gw_attempted                Custom
PanOSGatewayAuthentication         gw_auth                     Custom
PanOSGatewayConfigurationName      gw_config_name              Custom
PanOSDLSAstatus                    gw_dlsa_enabled             Custom
PanOSFallbacktoSSLReason           gw_fall_back_to_ssl         Custom
PanOSIPSecEnabled                  gw_ipsec_enabled            Custom
PanOSIPSecFailureReason            gw_ipsec_failure_reason     Custom
PanOSJitter                        gw_jitter                   Custom
PanOSLatency                       gw_latency                  Custom
PanOSLocation                      gw_location                 Custom
PanOSGatewayLogoutTime             gw_logout_time              Custom
PanOSPacketLoss                    gw_packet_loss              Custom
PanOSGatewayReachable              gw_reachable                Custom
PanOSGatewaySSLCertificateValid    gw_server_cert              Custom
PanOSSSLFailureReason              gw_ssl_failure_reason       Custom
PanOSGatewayStatus                 gw_status                   Custom
PanOSTunnelRename                  gw_tunnel_renamed           Custom
PanOSPrivileges                    has_privileges              Custom
dtz                                host_gmt_timeoffset         Predefined    Max Length: 255
PanOSHostID                        host_id                     Custom
dvchost                            host_name                   Predefined    Max Length: 100
PanOSInstallHistory                install_history             Custom
PanOSInternalNetwork               internal_network            Custom
PanOSInternetAccess                internet_access             Custom
PanOSJailbrokenStatus              jail_broken                 Custom
PanOSLastHIPReportTime             last_hip_report_time        Custom
PanOSLastLogoutTime                last_logout_time            Custom
PanOSLocale                        locale                      Custom
Device Event Class ID              log_type.value              Custom
PanOSTotalMemory                   memory_total                Custom
PanOSMemoryUsage                   memory_usage                Custom
PanOSGlobalProtectMemoryUsage      memory_usage_gp             Custom
PanOSNetworkAccess                 network_access              Custom
PanOSPortalGatewayLatency          network_latency             Custom
PanOSType                          network_type                Custom
PanOSOperatingSystem               os                          Custom
PanOSPanoramaSN                    panorama_serial             Custom
PanOSPortalAddress                 portal_address              Custom
PanOSPortalAuthentication          portal_auth                 Custom
PanOSCachedConfiguration           portal_cached_config        Custom
PanOSPortalConfigurationName       portal_config_name          Custom
PanOSConfigurationRefresh          portal_config_refresh       Custom
flexDate1                          portal_last_connect_time    Predefined    Label: flexDate1Label; Label Text: Last Connect Time
PanOSPortalReachable               portal_reachable            Custom
PanOSPortalSSLCertificateValid     portal_server_cert          Custom
PanOSPortalStatus                  portal_status               Custom
PanOSProxyServer                   proxy_server                Custom
rt                                 report_id                   Predefined
PanOSReportID                      report_time                 Custom
Name                               report_type                 Custom
deviceExternalId                   serial_number               Predefined    Max Length: 255
PanOSServerPerformance             server_performance          Custom
PanOSSplit-tunnelconfiguration     split_tunnel_status         Custom
PanOSUserComment                   user_comment                Custom
PanOSUsername                      user_name                   Custom

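As an added example (not code from the schema reference or from the Log Forwarding app), the following Python normaliser parses a CEF line, removes CEF escaping, maps a subset of the CEF names from the table above to their query names, folds the flexDate1Label text in with its flexDate1 key, and runs a few analyst checks on the result. The sample line is constructed: its vendor, product and version header values and the log-type string are placeholders, and the assumption that fields described as "Indicates whether ..." are serialised as the strings true/false is the example's own, since the page does not state the encoding.

```python
"""Normalise a CEF-formatted GlobalProtect App Troubleshooting log to query names."""
import re

# CEF names -> query names, copied from the CEF table on this page (subset that
# covers the sample). The rt/PanOSReportID pair is reproduced as listed; rt is
# normally the CEF receipt-time key, so confirm those two on real output.
CEF_TO_QUERY = {
    "rt": "report_id",
    "PanOSReportID": "report_time",
    "dvchost": "host_name",
    "dtz": "host_gmt_timeoffset",
    "deviceExternalId": "serial_number",
    "reason": "error",
    "start": "error_time",
    "flexDate1": "portal_last_connect_time",
    "PanOSUsername": "user_name",
    "PanOSHostID": "host_id",
    "PanOSGlobalProtectVersion": "gp_version",
    "PanOSGatewayAddress": "gw_address",
    "PanOSGatewayStatus": "gw_status",
    "PanOSGatewaySSLCertificateValid": "gw_server_cert",
    "PanOSPortalSSLCertificateValid": "portal_server_cert",
    "PanOSAppTampered": "app_tampered",
    "PanOSJailbrokenStatus": "jail_broken",
    "PanOSPrivileges": "has_privileges",
    "PanOSSplit-tunnelconfiguration": "split_tunnel_status",
    "PanOSUserComment": "user_comment",
}
# CEF header: Version|Device Vendor|Device Product|Device Version|
# Device Event Class ID|Name|Severity. Per the table, positions 4 and 5 carry
# log_type.value and report_type.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "log_type.value", "report_type", "severity")

# An extension key starts at the beginning or after whitespace. A value's
# escaped "\=" can never match because "\" is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
_ESC_RE = re.compile(r"\\(.)")


def _unescape(text):
    """Undo CEF escaping: \\| and \\= become literal, \\n and \\r become newlines."""
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Return (header dict, extension dict); pipes escaped as \\| do not split."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    ext, extension = parts[7], {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    return header, extension


def to_query_names(line):
    """Map a CEF line to query names. Unknown keys are kept under their CEF
    name; xxxLabel keys are moved to a 'labels' dict keyed by the query name."""
    header, ext = parse_cef(line)
    record = {"log_type.value": header["log_type.value"], "report_type": header["report_type"]}
    labels = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            labels[CEF_TO_QUERY.get(key[:-5], key[:-5])] = value
        else:
            record[CEF_TO_QUERY.get(key, key)] = value
    record["labels"] = labels
    return record


def triage(record):
    """Reasons a report deserves analyst attention. ASSUMPTION: boolean fields
    arrive as the strings 'true'/'false'; this page does not state the encoding."""
    checks = (
        ("gw_server_cert", "false", "gateway server certificate not valid"),
        ("portal_server_cert", "false", "portal server certificate not valid"),
        ("app_tampered", "true", "app reports tampering"),
        ("jail_broken", "true", "device is jailbroken"),
        ("has_privileges", "false", "app lacks required privileges"),
    )
    return [reason for field, bad, reason in checks
            if record.get(field, "").strip().lower() == bad]


# Constructed sample line (not captured output); header values are placeholders.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|Cortex Data Lake|1.0|GLOBALPROTECT_TROUBLESHOOTING|"
    "troubleshooting|3|rt=1706616000000 dvchost=LAPTOP-42 dtz=-480 "
    "deviceExternalId=SN123456 PanOSUsername=jdoe PanOSGlobalProtectVersion=6.2.0 "
    "PanOSGatewayAddress=gw1.example.com PanOSGatewaySSLCertificateValid=false "
    "PanOSAppTampered=false PanOSJailbrokenStatus=false "
    "PanOSSplit-tunnelconfiguration=enabled flexDate1=1706612400000 "
    "flexDate1Label=Last Connect Time "
    "PanOSUserComment=VPN drops when Wi-Fi \\= LTE handover | happens"
)

if __name__ == "__main__":
    normalised = to_query_names(SAMPLE_CEF)
    print(normalised)
    print("findings:", triage(normalised))
```

The key regex relies on CEF's rule that an unescaped "=" never appears inside an extension value; if a producer violates that rule, the value up to the stray "=" is silently attached to the wrong key, so keep the length and count checks from your ingestion pipeline in front of this parser.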
GlobalProtect App Troubleshooting EMAIL Fields


The following table identifies the GlobalProtect App Troubleshooting field names that the Log
Forwarding app uses when you forward logs using the EMAIL log format.

EMAIL Name Query Name

AppTampered app_tampered

CaptivePortal captive_portal

CPUUsage cpu_usage

GlobalProtectCPUUsage cpu_usage_gp

CrashHistory crash_history

DebugLogFile debug_log_file_name

DisableHistory disable_history

DiskAvailable disk_available

TotalDiskSpace disk_total

DNSReachable dns_reachable

DualStackTunnelInterface dual_stack_network

EnforcerStatus enforcer_status

ErrorMessage error

ErrorDetails error_details

ErrorStage error_stage

ErrorGeneratedTime error_time

GlobalProtectMTU gp_mtu

GlobalProtectVersion gp_version


GatewayAddress gw_address

AttemptedGateways gw_attempted

GatewayAuthentication gw_auth

GatewayConfigurationName gw_config_name

DLSAstatus gw_dlsa_enabled

FallbacktoSSLReason gw_fall_back_to_ssl

IPSecEnabled gw_ipsec_enabled

IPSecFailureReason gw_ipsec_failure_reason

Jitter gw_jitter

Latency gw_latency

Location gw_location

GatewayLogoutTime gw_logout_time

PacketLoss gw_packet_loss

GatewayReachable gw_reachable

GatewaySSLCertificateValid gw_server_cert

SSLFailureReason gw_ssl_failure_reason

GatewayStatus gw_status

TunnelRename gw_tunnel_renamed

Privileges has_privileges

HostTimeOffset host_gmt_timeoffset

HostID host_id

Hostname host_name

InstallHistory install_history


InternalNetwork internal_network

InternetAccess internet_access

JailbrokenStatus jail_broken

LastHIPReportTime last_hip_report_time

LastLogoutTime last_logout_time

Locale locale

LogType log_type.value

TotalMemory memory_total

MemoryUsage memory_usage

GlobalProtectMemoryUsage memory_usage_gp

NetworkAccess network_access

PortalGatewayLatency network_latency

Type network_type

OperatingSystem os

PanoramaSN panorama_serial

PortalAddress portal_address

PortalAuthentication portal_auth

CachedConfiguration portal_cached_config

PortalConfigurationName portal_config_name

ConfigurationRefresh portal_config_refresh

LastConnectTime portal_last_connect_time

PortalReachable portal_reachable

PortalSSLCertificateValid portal_server_cert


PortalStatus portal_status

ProxyServer proxy_server

GeneratedTime report_id

ReportID report_time

ReportType report_type

SerialNumber serial_number

ServerPerformance server_performance

Split-tunnelconfiguration split_tunnel_status

UserComment user_comment

Username user_name

GlobalProtect App Troubleshooting HTTPS Fields


The following table identifies the GlobalProtect App Troubleshooting field names that the Log
Forwarding app uses when you forward logs using the HTTPS log format.

HTTPS Name Query Name

AppTampered app_tampered

CaptivePortal captive_portal

CPUUsage cpu_usage

GlobalProtectCPUUsage cpu_usage_gp

CrashHistory crash_history

DebugLogFile debug_log_file_name

DisableHistory disable_history

DiskAvailable disk_available

TotalDiskSpace disk_total


DNSReachable dns_reachable

DualStackTunnelInterface dual_stack_network

EnforcerStatus enforcer_status

ErrorMessage error

ErrorDetails error_details

ErrorStage error_stage

ErrorGeneratedTime error_time

GlobalProtectMTU gp_mtu

GlobalProtectVersion gp_version

GatewayAddress gw_address

AttemptedGateways gw_attempted

GatewayAuthentication gw_auth

GatewayConfigurationName gw_config_name

DLSAstatus gw_dlsa_enabled

FallbacktoSSLReason gw_fall_back_to_ssl

IPSecEnabled gw_ipsec_enabled

IPSecFailureReason gw_ipsec_failure_reason

Jitter gw_jitter

Latency gw_latency

Location gw_location

GatewayLogoutTime gw_logout_time

PacketLoss gw_packet_loss

GatewayReachable gw_reachable


GatewaySSLCertificateValid gw_server_cert

SSLFailureReason gw_ssl_failure_reason

GatewayStatus gw_status

TunnelRename gw_tunnel_renamed

Privileges has_privileges

HostTimeOffset host_gmt_timeoffset

HostID host_id

Hostname host_name

InstallHistory install_history

InternalNetwork internal_network

InternetAccess internet_access

JailbrokenStatus jail_broken

LastHIPReportTime last_hip_report_time

LastLogoutTime last_logout_time

Locale locale

LogType log_type.value

TotalMemory memory_total

MemoryUsage memory_usage

GlobalProtectMemoryUsage memory_usage_gp

NetworkAccess network_access

PortalGatewayLatency network_latency

Type network_type

OperatingSystem os


PanoramaSN panorama_serial

PortalAddress portal_address

PortalAuthentication portal_auth

CachedConfiguration portal_cached_config

PortalConfigurationName portal_config_name

ConfigurationRefresh portal_config_refresh

LastConnectTime portal_last_connect_time

PortalReachable portal_reachable

PortalSSLCertificateValid portal_server_cert

PortalStatus portal_status

ProxyServer proxy_server

GeneratedTime report_id

ReportID report_time

ReportType report_type

SerialNumber serial_number

ServerPerformance server_performance

Split-tunnelconfiguration split_tunnel_status

UserComment user_comment

Username user_name

GlobalProtect App Troubleshooting LEEF Fields


The following table identifies the GlobalProtect App Troubleshooting field names that the Log
Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token that the
Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile
token, it appears in the log line immediately after the log type information (for example,
TRAFFIC, THREAT, HIPMATCH, and so forth), as a parameter called profileToken.

LEEF Name Query Name Field Type

AppTampered app_tampered Custom

CaptivePortal captive_portal Custom

CPUUsage cpu_usage Custom

GlobalProtectCPUUsage cpu_usage_gp Custom

CrashHistory crash_history Custom

DebugLogFile debug_log_file_name Custom

DisableHistory disable_history Custom

DiskAvailable disk_available Custom

TotalDiskSpace disk_total Custom

DNSReachable dns_reachable Custom

DualStackTunnelInterface dual_stack_network Custom

EnforcerStatus enforcer_status Custom

ErrorMessage error Custom

ErrorDetails error_details Custom

ErrorStage error_stage Custom

ErrorGeneratedTime error_time Custom

GlobalProtectMTU gp_mtu Custom

GlobalProtectVersion gp_version Custom

GatewayAddress gw_address Custom

AttemptedGateways gw_attempted Custom


GatewayAuthentication gw_auth Custom

GatewayConfigurationName gw_config_name Custom

DLSAstatus gw_dlsa_enabled Custom

FallbacktoSSLReason gw_fall_back_to_ssl Custom

IPSecEnabled gw_ipsec_enabled Custom

IPSecFailureReason gw_ipsec_failure_reason Custom

Jitter gw_jitter Custom

Latency gw_latency Custom

Location gw_location Custom

GatewayLogoutTime gw_logout_time Custom

PacketLoss gw_packet_loss Custom

GatewayReachable gw_reachable Custom

GatewaySSLCertificateValid gw_server_cert Custom

SSLFailureReason gw_ssl_failure_reason Custom

GatewayStatus gw_status Custom

TunnelRename gw_tunnel_renamed Custom

Privileges has_privileges Custom

HostTimeOffset host_gmt_timeoffset Custom

HostID host_id Custom

identHostName host_name Predefined

InstallHistory install_history Custom

InternalNetwork internal_network Custom

InternetAccess internet_access Custom


JailbrokenStatus jail_broken Custom

LastHIPReportTime last_hip_report_time Custom

LastLogoutTime last_logout_time Custom

Locale locale Custom

cat log_type.value Predefined

TotalMemory memory_total Custom

MemoryUsage memory_usage Custom

GlobalProtectMemoryUsage memory_usage_gp Custom

NetworkAccess network_access Custom

PortalGatewayLatency network_latency Custom

Type network_type Custom

OperatingSystem os Custom

PanoramaSN panorama_serial Custom

PortalAddress portal_address Custom

PortalAuthentication portal_auth Custom

CachedConfiguration portal_cached_config Custom

PortalConfigurationName portal_config_name Custom

ConfigurationRefresh portal_config_refresh Custom

LastConnectTime portal_last_connect_time Custom

PortalReachable portal_reachable Custom

PortalSSLCertificateValid portal_server_cert Custom

PortalStatus portal_status Custom

ProxyServer proxy_server Custom


devTime report_id Predefined

ReportID report_time Custom

EventID report_type Header

SerialNumber serial_number Custom

ServerPerformance server_performance Custom

Split-tunnelconfiguration split_tunnel_status Custom

UserComment user_comment Custom

usrName user_name Predefined

Network Logs
Firewall logs are written by Palo Alto Networks next-generation firewalls. By default, these
logs are not written to Cortex Data Lake. For information on how to configure next-generation
firewalls to write logs to the data lake, see the Cortex Data Lake Getting Started guide.
Next-generation firewalls write the following types of logs:
• Authentication
• DNS Security
• Decryption
• File
• GlobalProtect
• HIP Match
• IPtag
• Remote Browser Isolation
• SCTP
• Threat
• Traffic
• Tunnel
• URL
• UserID

Authentication
Authentication logs contain information about authentication events seen by the next-generation
firewall. These occur when users access network resources that are controlled by Authentication
policy rules. Authentication logs never appear in Cortex Data Lake if the associated firewalls
are not configured with Authentication policies.
Authentication logs are most frequently written when the next-generation firewall is configured
as a multi-factor authentication gateway and an end user performs authentication through it.
See the following for information related to supported log formats:
• Authentication Syslog Default Field Order
• Authentication CEF Fields
• Authentication EMAIL Fields
• Authentication HTTPS Fields
• Authentication LEEF Fields

AUTHENTICATION fields (display name in parentheses), with the name used by each log format:

auth_description (AUTHENTICATION DESCRIPTION)
    Additional authentication information.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSAuthenticationDescription
    EMAIL field name: AuthenticationDescription
    HTTPS field name: AuthenticationDescription
    LEEF field name: AuthenticationDescription

auth_event_name.value (AUTH EVENT)
    The authentication event that caused the firewall to create this log record.
    Syslog field name: Syslog Field Order
    CEF field name: msg
    EMAIL field name: AuthEvent
    HTTPS field name: AuthEvent
    LEEF field name: EventID

auth_factor_num (AUTH FACTOR NO)
    Indicates the use of primary authentication (1) or additional factors (2, 3).
    Syslog field name: Syslog Field Order
    CEF field name: cn1
    EMAIL field name: AuthFactorNo
    HTTPS field name: AuthFactorNo
    LEEF field name: AuthFactorNo


auth_policy (AUTHENTICATION POLICY)
    Policy invoked for authentication before allowing access to a protected resource.
    Syslog field name: Syslog Field Order
    CEF field name: cs4
    EMAIL field name: AuthenticationPolicy
    HTTPS field name: AuthenticationPolicy
    LEEF field name: AuthenticationPolicy

auth_proto (AUTHENTICATION PROTOCOL)
    Indicates the authentication protocol used by the server. For example, PEAP with GTC.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSAuthenticationProtocol
    EMAIL field name: AuthenticationProtocol
    HTTPS field name: AuthenticationProtocol
    LEEF field name: AuthenticationProtocol

auth_server_profile (AUTH SERVER PROFILE)
    Authentication server used for authentication.
    Syslog field name: Syslog Field Order
    CEF field name: cs1
    EMAIL field name: AuthServerProfile
    HTTPS field name: AuthServerProfile
    LEEF field name: AuthServerProfile

authenticated_user_info.domain (AUTHENTICATED USER DOMAIN)
    Domain to which the user who is being authenticated belongs.
    CEF field name: PanOSAuthenticatedUserDomain
    EMAIL field name: AuthenticatedUserDomain
    HTTPS field name: AuthenticatedUserDomain
    LEEF field name: AuthenticatedUserDomain

authenticated_user_info.name (AUTHENTICATED USER NAME)
    Name of the user who is being authenticated.
    CEF field name: PanOSAuthenticatedUserName
    EMAIL field name: AuthenticatedUserName
    HTTPS field name: AuthenticatedUserName
    LEEF field name: AuthenticatedUserName


authenticated_user_info.uuid Unique identifier assigned to the user who is being


authenticated.
(AUTHENTICATED USER UUID)
CEF field name: PanOSAuthenticatedUserUUID
EMAIL field name: AuthenticatedUserUUID
HTTPS field name: AuthenticatedUserUUID
LEEF field name: AuthenticatedUserUUID

client_type (CLIENT TYPE)
    Type of client used to complete authentication (such as authentication portal).
    Syslog field name: Syslog Field Order
    CEF field name: cs5
    EMAIL field name: ClientType
    HTTPS field name: ClientType
    LEEF field name: ClientType

client_type_name.value (CLIENT TYPE NAME)
    Type of client used to complete authentication.
    CEF field name: PanOSClientTypeName
    EMAIL field name: ClientTypeName
    HTTPS field name: ClientTypeName
    LEEF field name: ClientTypeName

config_version.value (CONFIG VERSION)
    Version number of the firewall operating system that wrote this log record.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSConfigVersion
    EMAIL field name: ConfigVersion
    HTTPS field name: ConfigVersion
    LEEF field name: ConfigVersion

count_of_repeats (REPEAT COUNT)
    Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
    Syslog field name: Syslog Field Order
    CEF field name: cnt
    EMAIL field name: All of the following: RepeatCount, CountOfRepeats
    HTTPS field name: All of the following: RepeatCount, CountOfRepeats
    LEEF field name: CountOfRepeats

customer_id (CORTEX DATA LAKE TENANT ID)
    The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
    CEF field name: PanOSCortexDataLakeTenantID
    EMAIL field name: CortexDataLakeTenantID
    HTTPS field name: CortexDataLakeTenantID
    LEEF field name: CortexDataLakeTenantID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
    A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel1
    EMAIL field name: DGHierarchyLevel1
    HTTPS field name: DGHierarchyLevel1
    LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
    A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel2
    EMAIL field name: DGHierarchyLevel2
    HTTPS field name: DGHierarchyLevel2
    LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
    A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel3
    EMAIL field name: DGHierarchyLevel3
    HTTPS field name: DGHierarchyLevel3
    LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
    A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel4
    EMAIL field name: DGHierarchyLevel4
    HTTPS field name: DGHierarchyLevel4
    LEEF field name: DGHierarchyLevel4

is_dup_log (IS DUPLICATE LOG)
    Indicates whether this log data is available in multiple locations, such as from the Logging Service and also from an on-premises log collector.
    CEF field name: PanOSIsDuplicateLog
    EMAIL field name: IsDuplicateLog
    HTTPS field name: IsDuplicateLog
    LEEF field name: IsDuplicateLog

is_exported (LOG EXPORTED)
    Indicates if this log was exported from the firewall using the firewall's log export function.
    CEF field name: PanOSLogExported
    EMAIL field name: LogExported
    HTTPS field name: LogExported
    LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
    Internal-use field that indicates if the log is being forwarded.
    CEF field name: PanOSLogForwarded
    EMAIL field name: LogForwarded
    HTTPS field name: LogForwarded
    LEEF field name: LogForwarded

is_prisma_branch (IS PRISMA NETWORKS)
    Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premises.
    CEF field name: PanOSIsPrismaNetworks
    EMAIL field name: IsPrismaNetworks
    HTTPS field name: IsPrismaNetworks
    LEEF field name: IsPrismaNetworks

is_prisma_mobile (IS PRISMA USERS)
    Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premises.
    CEF field name: PanOSIsPrismaUsers
    EMAIL field name: IsPrismaUsers
    HTTPS field name: IsPrismaUsers
    LEEF field name: IsPrismaUsers

location (PRISMA ACCESS LOCATION)
    Prisma Access Region/Location.
    CEF field name: PanOSLocation
    EMAIL field name: Location
    HTTPS field name: Location
    LEEF field name: Location

log_set (LOG SETTING)
    Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
    Syslog field name: Syslog Field Order
    CEF field name: cs6
    EMAIL field name: LogSetting
    HTTPS field name: LogSetting
    LEEF field name: LogSetting

log_source (LOG SOURCE)
    Identifies the origin of the data. That is, the system that produced the data.
    CEF field name: PanOSLogSource
    EMAIL field name: LogSource
    HTTPS field name: LogSource
    LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
    ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
    CEF field name: LogSourceGroupID
    EMAIL field name: LogSourceGroupID
    HTTPS field name: LogSourceGroupID
    LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
    ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
    Syslog field name: Syslog Field Order
    CEF field name: deviceExternalId
    EMAIL field name: DeviceSN
    HTTPS field name: DeviceSN
    LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
    Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: dvchost
    EMAIL field name: DeviceName
    HTTPS field name: DeviceName
    LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
    Time Zone offset from GMT of the source of the log.
    CEF field name: PanOSLogSourceTimeZoneOffset
    EMAIL field name: LogSourceTimeZoneOffset
    HTTPS field name: LogSourceTimeZoneOffset
    LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
    Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: rt
    EMAIL field name: TimeReceived
    HTTPS field name: TimeReceived
    LEEF field name: TimeReceived

log_type.value (LOG TYPE)
    Identifies the log type.
    Syslog field name: Syslog Field Order
    CEF field name: DeviceEventClassId
    EMAIL field name: LogType
    HTTPS field name: LogType
    LEEF field name: cat

mfa_auth_id (MFA AUTHENTICATION ID)
    Unique ID given across primary authentication and additional (multi-factor) authentication.
    Syslog field name: Syslog Field Order
    CEF field name: cn2
    EMAIL field name: MFAAuthenticationID
    HTTPS field name: MFAAuthenticationID
    LEEF field name: MFAAuthenticationID

mfa_vendor (MFA VENDOR)
    Vendor providing additional factor authentication.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSMFAVendor
    EMAIL field name: MFAVendor
    HTTPS field name: MFAVendor
    LEEF field name: MFAVendor

normalize_user (NORMALIZE USER)
    Normalized version of the username being authenticated (such as appending a domain name to the username).
    Syslog field name: Syslog Field Order
    CEF field name: cs2
    EMAIL field name: NormalizeUser
    HTTPS field name: NormalizeUser
    LEEF field name: usrName

object (OBJECT)
    Name of the object associated with the system event.
    Syslog field name: Syslog Field Order
    CEF field name: fname
    EMAIL field name: Object
    HTTPS field name: Object
    LEEF field name: Object

panorama_serial (PANORAMA SN)
    Panorama Serial associated with CDL.
    CEF field name: PanOSPanoramaSN
    EMAIL field name: PanoramaSN
    HTTPS field name: PanoramaSN
    LEEF field name: PanoramaSN

platform_type (PLATFORM TYPE)
    The platform type (valid types are VM, PA, NGFW, CNGFW).
    CEF field name: PlatformType
    EMAIL field name: PlatformType
    HTTPS field name: PlatformType
    LEEF field name: PlatformType

rule_matched (RULE)
    Name of the security policy rule that the network traffic matched.
    CEF field name: PanOSRuleMatched
    EMAIL field name: All of the following: Rule, RuleMatched
    HTTPS field name: All of the following: Rule, RuleMatched
    LEEF field name: RuleMatched

rule_matched_uuid (RULE UUID)
    Unique identifier for the security policy rule that the network traffic matched.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSRuleMatchedUUID
    EMAIL field name: All of the following: RuleUUID, RuleMatchedUUID
    HTTPS field name: All of the following: RuleUUID, RuleMatchedUUID
    LEEF field name: RuleMatchedUUID

sequence_no (SEQUENCE NO)
    The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
    Syslog field name: Syslog Field Order
    CEF field name: externalId
    EMAIL field name: SequenceNo
    HTTPS field name: SequenceNo
    LEEF field name: SequenceNo

service_region (AUTH CACHE SERVICE REGION)
    Region where the service is deployed.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSAuthCacheServiceRegion
    EMAIL field name: AuthCacheServiceRegion
    HTTPS field name: AuthCacheServiceRegion
    LEEF field name: AuthCacheServiceRegion

session_id (SESSION ID)
    Identifies the firewall's internal identifier for a specific network session.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSessionID
    EMAIL field name: SessionID
    HTTPS field name: SessionID
    LEEF field name: SessionID

source_device_category (SOURCE DEVICE CATEGORY)
    Category of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceCategory
    EMAIL field name: SourceDeviceCategory
    HTTPS field name: SourceDeviceCategory
    LEEF field name: SourceDeviceCategory

source_device_host (SOURCE DEVICE HOST)
    Hostname of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceHost
    EMAIL field name: SourceDeviceHost
    HTTPS field name: SourceDeviceHost
    LEEF field name: SourceDeviceHost

source_device_mac (SOURCE DEVICE MAC)
    MAC address of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceMac
    EMAIL field name: SourceDeviceMac
    HTTPS field name: SourceDeviceMac
    LEEF field name: SourceDeviceMac

source_device_model (SOURCE DEVICE MODEL)
    Model of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceModel
    EMAIL field name: SourceDeviceModel
    HTTPS field name: SourceDeviceModel
    LEEF field name: SourceDeviceModel

source_device_osfamily (SOURCE DEVICE OS FAMILY)
    OS family of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceOSFamily
    EMAIL field name: SourceDeviceOSFamily
    HTTPS field name: SourceDeviceOSFamily
    LEEF field name: SourceDeviceOSFamily

source_device_osversion (SOURCE DEVICE OS VERSION)
    OS version of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceOSVersion
    EMAIL field name: SourceDeviceOSVersion
    HTTPS field name: SourceDeviceOSVersion
    LEEF field name: SourceDeviceOSVersion

source_device_profile (SOURCE DEVICE PROFILE)
    Profile of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceProfile
    EMAIL field name: SourceDeviceProfile
    HTTPS field name: SourceDeviceProfile
    LEEF field name: SourceDeviceProfile

source_device_vendor (SOURCE DEVICE VENDOR)
    Vendor of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceVendor
    EMAIL field name: SourceDeviceVendor
    HTTPS field name: SourceDeviceVendor
    LEEF field name: SourceDeviceVendor

source_ip.value (SOURCE IP)
    Original source IP address.
    Syslog field name: Syslog Field Order
    CEF fields: src and dst, or c6a2 and c6a3
    EMAIL field name: SourceIP
    HTTPS field name: SourceIP
    LEEF field name: src

sub_type.value (SUBTYPE)
    Identifies the log subtype.
    Syslog field name: Syslog Field Order
    CEF field name: Name
    EMAIL field name: Subtype
    HTTPS field name: Subtype
    LEEF field name: SubType

time_generated (TIME GENERATED)
    Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: start
    EMAIL field name: TimeGenerated
    HTTPS field name: TimeGenerated
    LEEF field name: devTime

time_generated_high_res (TIME GENERATED HIGH RESOLUTION)
    Time the log was generated in the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSTimeGeneratedHighResolution
    EMAIL field name: TimeGeneratedHighResolution
    HTTPS field name: TimeGeneratedHighResolution
    LEEF field name: TimeGeneratedHighResolution

user (USER)
    End user being authenticated.
    Syslog field name: Syslog Field Order
    CEF field name: duser
    EMAIL field name: User
    HTTPS field name: User
    LEEF field name: User

user_agent (USER AGENT STRING)
    The User Agent field specifies the web browser that the user used to access the URL.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSUserAgentString
    EMAIL field name: UserAgentString
    HTTPS field name: UserAgentString
    LEEF field name: UserAgentString

vendor_name (VENDOR NAME)
    Identifies the vendor that produced the data.
    CEF field name: Device Vendor
    EMAIL field name: VendorName
    HTTPS field name: VendorName
    LEEF field name: Vendor

vsys (VIRTUAL LOCATION)
    String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
    Syslog field name: Syslog Field Order
    CEF field name: cs3
    EMAIL field name: VirtualLocation
    HTTPS field name: VirtualLocation
    LEEF field name: VirtualLocation

vsys_id (VIRTUAL SYSTEM ID)
    A unique identifier for a virtual system on a Palo Alto Networks firewall.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSVirtualSystemID
    EMAIL field name: VirtualSystemID
    HTTPS field name: VirtualSystemID
    LEEF field name: VirtualSystemID

vsys_name (VIRTUAL SYSTEM NAME)
    The name of the virtual system associated with the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSVirtualSystemName
    EMAIL field name: VirtualSystemName
    HTTPS field name: VirtualSystemName
    LEEF field name: VirtualSystemName

Authentication Syslog Default Field Order


Example Authentication log in Syslog:

Oct 13 01:21:17 gke-standard-cluster-2-pool-1-6ea9f13a-moqf 894 <142>1 2020-10-13T01:21:16.976Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - 1,2020-10-13T01:21:10.000000Z,007051000113358,AUTH,Unknown,10.0,2020-10-13T01:21:01.000000Z,vsys1,::11e:a8c0:ffff:0,paloaltonetwork\xxxxx,paloaltonetwork\xxxxx,Authentication object4,Captive Portal,16777216,-1295066367845728256,xxxxx,rs-logging,deny-attackers,www.test.com,1,user password failure,3,556392,-9223372036854775808,0,0,0,0,,PA-VM,1,0,,2020-10-13T01:21:02.391000Z,src_category_list-2,src_profile_list-0,src_model_list-2,src_vendor_list-2,src_osfamily_list-2,src_osversion_list-2,src_host_list-2,src_mac_list-0

Cortex Data Lake Schema Reference January 2024 115 ©2024 Palo Alto Networks, Inc.
Network Logs

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, vsys, source_ip.value, user, normalize_user, object, auth_policy, count_of_repeats,
mfa_auth_id, mfa_vendor, log_set, auth_server_profile, auth_description, client_type,
auth_event_name.value, auth_factor_num, sequence_no, action_flags, dg_hier_level_1,
dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, vsys_id,
auth_proto, rule_matched_uuid, time_generated_high_res, source_device_category,
source_device_profile, source_device_model, source_device_vendor, source_device_osfamily,
source_device_osversion, source_device_host, source_device_mac, service_region, EMPTY,
user_agent, session_id
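
The following Python maps a forwarded Syslog record onto the query names using the default field order above. It is an added example, not code from the schema reference or the Log Forwarding app; the sample record is the page's own anonymized example, which predates the last four columns (service_region through session_id), so the parser fills those with None instead of misaligning the rest.

```python
"""Map a forwarded AUTH Syslog record onto the schema query names using
the default field order above. Added example, not code from the schema
reference or the Log Forwarding app; SAMPLE is the page's own anonymized
example record."""
import csv
import io
import re

# Default AUTH field order, HEADER first, exactly as listed on the page.
AUTH_SYSLOG_FIELDS = [
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "time_generated", "vsys", "source_ip.value",
    "user", "normalize_user", "object", "auth_policy", "count_of_repeats",
    "mfa_auth_id", "mfa_vendor", "log_set", "auth_server_profile",
    "auth_description", "client_type", "auth_event_name.value",
    "auth_factor_num", "sequence_no", "action_flags", "dg_hier_level_1",
    "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4", "vsys_name",
    "log_source_name", "vsys_id", "auth_proto", "rule_matched_uuid",
    "time_generated_high_res", "source_device_category",
    "source_device_profile", "source_device_model", "source_device_vendor",
    "source_device_osfamily", "source_device_osversion", "source_device_host",
    "source_device_mac", "service_region", "EMPTY", "user_agent", "session_id",
]

# RFC 5424 framing as the forwarder emits it: <PRI>1 TIMESTAMP HOST APP
# PROCID MSGID SD MSG. The comma-separated record is MSG; anything before
# <PRI> is the receiving syslog host's own prefix.
_RFC5424 = re.compile(
    r"<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ (?P<msgid>\S+) "
    r"\S+ (?P<body>.*)$"
)


def parse_auth_syslog(line: str) -> dict:
    """Return {query_name: value}. Columns absent from an older, shorter
    record map to None; a record with more columns than the default order
    is rejected, because a shifted field order would silently mislabel
    every later value."""
    m = _RFC5424.search(line)
    if not m or m.group("msgid") != "panwlogs":
        raise ValueError("not a panwlogs RFC 5424 record")
    cols = next(csv.reader(io.StringIO(m.group("body"))))
    if len(cols) > len(AUTH_SYSLOG_FIELDS):
        raise ValueError(f"{len(cols)} columns exceed the default field order")
    rec = {name: None for name in AUTH_SYSLOG_FIELDS}
    rec.update(zip(AUTH_SYSLOG_FIELDS, cols))
    rec.pop("EMPTY")  # placeholder column in the default order, no value
    rec["_forwarder_host"] = m.group("host")
    return rec


def failed_auth_factor(rec: dict):
    """Factor number (int) when the event records a failure, else None.
    auth_factor_num 1 is the primary credential, 2 and 3 are additional
    factors; mfa_auth_id ties the attempts of one login together, so a
    detection can count failures per factor per mfa_auth_id."""
    event = (rec.get("auth_event_name.value") or "").lower()
    if "failure" not in event:
        return None
    return int(rec["auth_factor_num"])


# The page's sample Syslog record, joined back onto one line. Its older
# format stops after source_device_mac; the last four columns of the
# default order are absent. The HEADER column carries "1" in this sample.
SAMPLE = (
    "Oct 13 01:21:17 gke-standard-cluster-2-pool-1-6ea9f13a-moqf 894 <142>1 "
    "2020-10-13T01:21:16.976Z stream-logfwd20-156653024-10121421-eq28-harness-16kn "
    "logforwarder - panwlogs - 1,2020-10-13T01:21:10.000000Z,007051000113358,"
    "AUTH,Unknown,10.0,2020-10-13T01:21:01.000000Z,vsys1,::11e:a8c0:ffff:0,"
    "paloaltonetwork\\xxxxx,paloaltonetwork\\xxxxx,Authentication object4,"
    "Captive Portal,16777216,-1295066367845728256,xxxxx,rs-logging,"
    "deny-attackers,www.test.com,1,user password failure,3,556392,"
    "-9223372036854775808,0,0,0,0,,PA-VM,1,0,,2020-10-13T01:21:02.391000Z,"
    "src_category_list-2,src_profile_list-0,src_model_list-2,"
    "src_vendor_list-2,src_osfamily_list-2,src_osversion_list-2,"
    "src_host_list-2,src_mac_list-0"
)

if __name__ == "__main__":
    record = parse_auth_syslog(SAMPLE)
    for key in ("user", "auth_event_name.value", "auth_factor_num",
                "mfa_auth_id", "service_region", "session_id"):
        print(f"{key} = {record[key]!r}")
    print("failed factor:", failed_auth_factor(record))
```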

Authentication CEF Fields


Example Authentication log in CEF:

Mar 1 21:05:25 xxx.xx.x.xx 2206 <14>1 2021-03-01T21:05:25.508Z stream-logfwd20-587718190-03011255-ut6o-harness-5vlj logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 18:20:54 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=10.0 PanOSAuthenticatedUserDomain=paloaltonetwork PanOSAuthenticatedUserName=xxxxx PanOSAuthenticatedUserUUID= PanOSClientTypeName= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= start=Feb 28 2021 18:20:40 cs3=vsys1 cs3Label=VirtualLocation c6a2=::ffff:0 c6a2Label=Source IPv6 Address c6a3=::ffff:0 c6a3Label=Destination IPv6 Address duser=paloaltonetwork\\xxxxx cs2=paloaltonetwork\\xxxxx cs2Label=NormalizeUser fname=Authentication object2 cs4=DC cs4Label=AuthenticationPolicy cnt=33554432 cn2=-5257671089978343424 cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs6=rs-logging cs6Label=LogSetting cs1=deny-attackers cs1Label=AuthServerProfile PanOSAuthenticationDescription=www.something cs5=Unknown cs5Label=ClientType msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSVirtualSystemID=1 PanOSAuthenticationProtocol=EAP-TTLS with PAP PanOSRuleMatchedUUID= PanOSTimeGeneratedHighResolution=Feb 28 2021 18:20:41 PanOSSourceDeviceCategory=src_category_list-1 PanOSSourceDeviceProfile=src_profile_list-1 PanOSSourceDeviceModel=src_model_list-1 PanOSSourceDeviceVendor=src_vendor_list-1 PanOSSourceDeviceOSFamily=src_osfamily_list-0 PanOSSourceDeviceOSVersion=src_osversion_list-2 PanOSSourceDeviceHost=src_host_list-0 PanOSSourceDeviceMac=src_mac_list-2 PanOSAuthCacheServiceRegion= PanOSUserAgentString= PanOSSessionID=

The following table identifies the Authentication field names that the Log Forwarding app uses
when you forward logs using the CEF log format.

CEF Name: Field Details

PanOSAuthenticationDescription: Query Name: auth_description; Header Type: Custom
msg: Query Name: auth_event_name.value; Header Type: Predefined; Max Length: 1023
cn1: Query Name: auth_factor_num; Header Type: Predefined; Label: cn1Label; Label Text: AuthFactorNo
cs4: Query Name: auth_policy; Header Type: Predefined; Label: cs4Label; Label Text: AuthenticationPolicy; Max Length: 4000
PanOSAuthenticationProtocol: Query Name: auth_proto; Header Type: Custom
cs1: Query Name: auth_server_profile; Header Type: Predefined; Label: cs1Label; Label Text: AuthServerProfile; Max Length: 4000
PanOSAuthenticatedUserDomain: Query Name: authenticated_user_info.domain; Header Type: Custom
PanOSAuthenticatedUserName: Query Name: authenticated_user_info.name; Header Type: Custom
PanOSAuthenticatedUserUUID: Query Name: authenticated_user_info.uuid; Header Type: Custom
cs5: Query Name: client_type; Header Type: Predefined; Label: cs5Label; Label Text: ClientType; Max Length: 4000
PanOSClientTypeName: Query Name: client_type_name.value; Header Type: Custom
PanOSConfigVersion: Query Name: config_version.value; Header Type: Custom
cnt: Query Name: count_of_repeats; Header Type: Predefined
PanOSCortexDataLakeTenantID: Query Name: customer_id; Header Type: Custom
PanOSDGHierarchyLevel1: Query Name: dg_hier_level_1; Header Type: Custom
PanOSDGHierarchyLevel2: Query Name: dg_hier_level_2; Header Type: Custom
PanOSDGHierarchyLevel3: Query Name: dg_hier_level_3; Header Type: Custom
PanOSDGHierarchyLevel4: Query Name: dg_hier_level_4; Header Type: Custom
PanOSIsDuplicateLog: Query Name: is_dup_log; Header Type: Custom
PanOSLogExported: Query Name: is_exported; Header Type: Custom
PanOSLogForwarded: Query Name: is_forwarded; Header Type: Custom
PanOSIsPrismaNetworks: Query Name: is_prisma_branch; Header Type: Custom
PanOSIsPrismaUsers: Query Name: is_prisma_mobile; Header Type: Custom
PanOSLocation: Query Name: location; Header Type: Custom
cs6: Query Name: log_set; Header Type: Predefined; Label: cs6Label; Label Text: LogSetting; Max Length: 4000
PanOSLogSource: Query Name: log_source; Header Type: Custom
LogSourceGroupID: Query Name: log_source_group_id; Header Type: Custom; Max Length: 255
deviceExternalId: Query Name: log_source_id; Header Type: Predefined; Max Length: 255
dvchost: Query Name: log_source_name; Header Type: Predefined; Max Length: 100
PanOSLogSourceTimeZoneOffset: Query Name: log_source_tz_offset; Header Type: Custom
rt: Query Name: log_time; Header Type: Predefined
DeviceEventClassId: Query Name: log_type.value; Header Type: Custom
cn2: Query Name: mfa_auth_id; Header Type: Predefined; Label: cn2Label; Label Text: MFAAuthenticationID
PanOSMFAVendor: Query Name: mfa_vendor; Header Type: Custom
cs2: Query Name: normalize_user; Header Type: Predefined; Label: cs2Label; Label Text: NormalizeUser; Max Length: 4000
fname: Query Name: object; Header Type: Predefined; Max Length: 1023
PanOSPanoramaSN: Query Name: panorama_serial; Header Type: Custom
PlatformType: Query Name: platform_type; Header Type: Custom
PanOSRuleMatched: Query Name: rule_matched; Header Type: Custom
PanOSRuleMatchedUUID: Query Name: rule_matched_uuid; Header Type: Custom
externalId: Query Name: sequence_no; Header Type: Predefined; Max Length: 40
PanOSAuthCacheServiceRegion: Query Name: service_region; Header Type: Custom
PanOSSessionID: Query Name: session_id; Header Type: Custom
PanOSSourceDeviceCategory: Query Name: source_device_category; Header Type: Custom
PanOSSourceDeviceHost: Query Name: source_device_host; Header Type: Custom
PanOSSourceDeviceMac: Query Name: source_device_mac; Header Type: Custom
PanOSSourceDeviceModel: Query Name: source_device_model; Header Type: Custom
PanOSSourceDeviceOSFamily: Query Name: source_device_osfamily; Header Type: Custom
PanOSSourceDeviceOSVersion: Query Name: source_device_osversion; Header Type: Custom
PanOSSourceDeviceProfile: Query Name: source_device_profile; Header Type: Custom
PanOSSourceDeviceVendor: Query Name: source_device_vendor; Header Type: Custom
src and dst, or c6a2 and c6a3: Query Name: source_ip.value; Header Type: Predefined; Label: || c6a2Label && c6a3Label; Label Text: || Source IPv6 Address && Destination IPv6 Address
Name: Query Name: sub_type.value; Header Type: Custom
start: Query Name: time_generated; Header Type: Predefined
PanOSTimeGeneratedHighResolution: Query Name: time_generated_high_res; Header Type: Custom
duser: Query Name: user; Header Type: Predefined; Max Length: 1023
PanOSUserAgentString: Query Name: user_agent; Header Type: Custom
Device Vendor: Query Name: vendor_name; Header Type: Custom
cs3: Query Name: vsys; Header Type: Predefined; Label: cs3Label; Label Text: VirtualLocation; Max Length: 4000
PanOSVirtualSystemID: Query Name: vsys_id; Header Type: Custom
PanOSVirtualSystemName: Query Name: vsys_name; Header Type: Custom

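The following Python parses a forwarded CEF record into the query names from the table above: it splits the 7-field CEF header, parses the extension (values may contain spaces, and '=' or '\' inside a value is backslash-escaped), renames the predefined keys, and checks that the csN/cnN label text still matches what the table documents. It is an added example, not code from the schema reference or the Log Forwarding app; CEF_SAMPLE is the page's own anonymized CEF example, and the names cef_version, device_product, device_version and severity, plus the choice of c6a2 alone for source_ip.value, are this example's assumptions.

```python
"""Parse a forwarded AUTH CEF record into schema query names. Added
example, not code from the schema reference or the Log Forwarding app;
CEF_SAMPLE is the page's own anonymized CEF example."""
import re

# Predefined CEF keys -> query names, from the page's table. Custom keys
# (PanOS*, LogSourceGroupID, PlatformType) keep their CEF name here. Reading
# c6a2 alone as source_ip.value is this example's choice (assumption).
CEF_TO_QUERY = {
    "msg": "auth_event_name.value", "cn1": "auth_factor_num", "cs4": "auth_policy",
    "cs1": "auth_server_profile", "cs5": "client_type", "cnt": "count_of_repeats",
    "cs6": "log_set", "deviceExternalId": "log_source_id", "dvchost": "log_source_name",
    "rt": "log_time", "cn2": "mfa_auth_id", "cs2": "normalize_user", "fname": "object",
    "externalId": "sequence_no", "start": "time_generated", "duser": "user",
    "cs3": "vsys", "c6a2": "source_ip.value",
}
# Label text the table documents for each labelled predefined key.
EXPECTED_LABELS = {
    "cn1": "AuthFactorNo", "cn2": "MFAAuthenticationID", "cs1": "AuthServerProfile",
    "cs2": "NormalizeUser", "cs3": "VirtualLocation", "cs4": "AuthenticationPolicy",
    "cs5": "ClientType", "cs6": "LogSetting",
}
# CEF:Version|Device Vendor|Device Product|Device Version|DeviceEventClassId|Name|
# Severity|Extension. The page maps Device Vendor, DeviceEventClassId and Name;
# the other four names below are this example's own (assumption).
HEADER_FIELDS = ["cef_version", "vendor_name", "device_product",
                 "device_version", "log_type.value", "sub_type.value", "severity"]

# A key is a run of [A-Za-z0-9_] followed by '=', at the start or after a space.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_]+)=")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)  # \\ -> \ and \= -> =


def parse_extension(ext: str) -> dict:
    """A value runs from its '=' up to the next ' key=' (or end of input),
    which is what lets 'rt=Feb 28 2021 18:20:54' survive its spaces."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return out


def parse_auth_cef(line: str) -> dict:
    """Return {query_name or CEF key: value}; '_labels' holds csN/cnN labels."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    rec = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = parse_extension(parts[7])
    rec["_labels"] = {k[:-5]: v for k, v in ext.items() if k.endswith("Label")}
    for key, value in ext.items():
        if not key.endswith("Label"):
            rec[CEF_TO_QUERY.get(key, key)] = value
    return rec


def label_mismatches(rec: dict) -> dict:
    """Labelled keys whose label text differs from the page's table; any
    entry here means CEF_TO_QUERY can no longer be trusted for that key."""
    return {k: v for k, v in rec["_labels"].items()
            if k in EXPECTED_LABELS and v != EXPECTED_LABELS[k]}


CEF_SAMPLE = (
    "Mar 1 21:05:25 xxx.xx.x.xx 2206 <14>1 2021-03-01T21:05:25.508Z "
    "stream-logfwd20-587718190-03011255-ut6o-harness-5vlj logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=xxxxx dtz=UTC "
    "rt=Feb 28 2021 18:20:54 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=10.0 "
    "PanOSAuthenticatedUserDomain=paloaltonetwork PanOSAuthenticatedUserName=xxxxx "
    "PanOSAuthenticatedUserUUID= PanOSClientTypeName= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx "
    "PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false "
    "PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall "
    "PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= start=Feb 28 2021 18:20:40 "
    "cs3=vsys1 cs3Label=VirtualLocation c6a2=::ffff:0 c6a2Label=Source IPv6 Address "
    r"c6a3=::ffff:0 c6a3Label=Destination IPv6 Address duser=paloaltonetwork\\xxxxx "
    r"cs2=paloaltonetwork\\xxxxx cs2Label=NormalizeUser fname=Authentication object2 "
    "cs4=DC cs4Label=AuthenticationPolicy cnt=33554432 cn2=-5257671089978343424 "
    "cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs6=rs-logging "
    "cs6Label=LogSetting cs1=deny-attackers cs1Label=AuthServerProfile "
    "PanOSAuthenticationDescription=www.something cs5=Unknown cs5Label=ClientType "
    "msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=xxxxxxxxxxxxx "
    "PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 "
    "PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSVirtualSystemID=1 "
    "PanOSAuthenticationProtocol=EAP-TTLS with PAP PanOSRuleMatchedUUID= "
    "PanOSTimeGeneratedHighResolution=Feb 28 2021 18:20:41 "
    "PanOSSourceDeviceCategory=src_category_list-1 PanOSSourceDeviceProfile=src_profile_list-1 "
    "PanOSSourceDeviceModel=src_model_list-1 PanOSSourceDeviceVendor=src_vendor_list-1 "
    "PanOSSourceDeviceOSFamily=src_osfamily_list-0 PanOSSourceDeviceOSVersion=src_osversion_list-2 "
    "PanOSSourceDeviceHost=src_host_list-0 PanOSSourceDeviceMac=src_mac_list-2 "
    "PanOSAuthCacheServiceRegion= PanOSUserAgentString= PanOSSessionID="
)
```

Calling parse_auth_cef(CEF_SAMPLE) yields, for example, auth_event_name.value "Invalid Certificate", auth_policy "DC" and user "paloaltonetwork\xxxxx", with label_mismatches() empty for this sample.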
Authentication EMAIL Fields


Example Authentication log in EMAIL:

TimeReceived=2021-02-22T03:55:30.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=AUTH
Subtype=Unknown
ConfigVersion=10.0
TimeGenerated=2021-02-22T03:55:21.000000Z
VirtualLocation=vsys1
SourceIP=xxxxxxxxxxxx
User="paloaltonetwork\xxxxx"
NormalizeUser="paloaltonetwork\xxxxx"
Object=Authentication object3
AuthenticationPolicy=DC
CountOfRepeats=16777216
MFAAuthenticationID=-1725441607236321280
MFAVendor=Duo
LogSetting=rs-logging
AuthServerProfile=allow-all-employees
AuthenticationDescription=www.something
ClientType=Unknown
AuthEvent=User Password Failure
AuthFactorNo=2
SequenceNo=476277
DGHierarchyLevel1=11
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=xxxxx
VirtualSystemID=1
AuthenticationProtocol=PEAP-MSCHAPv2
RuleMatchedUUID=
TimeGeneratedHighResolution=2021-02-22T03:55:21.963000Z
SourceDeviceCategory=src_category_list-2
SourceDeviceProfile=src_profile_list-1
SourceDeviceModel=src_model_list-1
SourceDeviceVendor=src_vendor_list-1
SourceDeviceOSFamily=src_osfamily_list-2
SourceDeviceOSVersion=src_osversion_list-1
SourceDeviceHost=src_host_list-1
SourceDeviceMac=src_mac_list-1
AuthCacheServiceRegion=
UserAgentString=
SessionID=

The following table identifies the Authentication field names that the Log Forwarding app uses
when you forward logs using the EMAIL log format.

EMAIL Name Query Name

AuthenticationDescription auth_description

AuthEvent auth_event_name.value

AuthFactorNo auth_factor_num

AuthenticationPolicy auth_policy

AuthenticationProtocol auth_proto

AuthServerProfile auth_server_profile

AuthenticatedUserDomain authenticated_user_info.domain

AuthenticatedUserName authenticated_user_info.name

AuthenticatedUserUUID authenticated_user_info.uuid

ClientType client_type

ClientTypeName client_type_name.value

ConfigVersion config_version.value

RepeatCount, CountOfRepeats count_of_repeats

CortexDataLakeTenantID customer_id

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetworks is_prisma_branch

IsPrismaUsers is_prisma_mobile

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MFAAuthenticationID mfa_auth_id

MFAVendor mfa_vendor

NormalizeUser normalize_user

Object object

PanoramaSN panorama_serial

PlatformType platform_type

Rule, RuleMatched rule_matched

RuleUUID, RuleMatchedUUID rule_matched_uuid

SequenceNo sequence_no

AuthCacheServiceRegion service_region

SessionID session_id

SourceDeviceCategory source_device_category

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceIP source_ip.value

Subtype sub_type.value

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

User user

UserAgentString user_agent

VendorName vendor_name

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

Authentication HTTPS Fields


The following table identifies the Authentication field names that the Log Forwarding app uses
when you forward logs using the HTTPS log format.

HTTPS Name Query Name

AuthenticationDescription auth_description

AuthEvent auth_event_name.value

AuthFactorNo auth_factor_num

AuthenticationPolicy auth_policy

AuthenticationProtocol auth_proto

AuthServerProfile auth_server_profile

AuthenticatedUserDomain authenticated_user_info.domain

AuthenticatedUserName authenticated_user_info.name

AuthenticatedUserUUID authenticated_user_info.uuid

ClientType client_type

ClientTypeName client_type_name.value

ConfigVersion config_version.value

RepeatCount, CountOfRepeats count_of_repeats

CortexDataLakeTenantID customer_id

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetworks is_prisma_branch

IsPrismaUsers is_prisma_mobile

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MFAAuthenticationID mfa_auth_id

MFAVendor mfa_vendor

NormalizeUser normalize_user

Object object

PanoramaSN panorama_serial

PlatformType platform_type

Rule, RuleMatched rule_matched

RuleUUID, RuleMatchedUUID rule_matched_uuid

SequenceNo sequence_no

AuthCacheServiceRegion service_region

SessionID session_id

SourceDeviceCategory source_device_category

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceIP source_ip.value

Subtype sub_type.value

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

User user

UserAgentString user_agent

VendorName vendor_name

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

Authentication LEEF Fields

Example Authentication log in LEEF (one log line):

Sep 21 07:25:05 gke-standard-cluster-2-pool-3-f004381a-0gw6 1412 <14>1 2021-09-21T07:25:05.173Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|authentication success| |TimeReceived=2021-09-21 07:25:01.057423 DeviceSN=xxxxxxxxxxxxx cat=auth SubType=Unknown ConfigVersion= devTime=2021-09-21 07:25:01.057449 VirtualLocation=vsys1 src=xxx.xx.x.xx User= usrName=paloaltonetworkxxxxx Object=Authentication object5 AuthenticationPolicy=Captive Portal CountOfRepeats=1 MFAAuthenticationID=1112 MFAVendor=xxxxx LogSetting=test AuthServerProfile=deny-time-wasters AuthenticationDescription=www.this.is.another.wannabe.long.url.com/and/it/is/getting/there/by/adding/some/junk/at/the/end/of/the/url/dsakjhfskdjhfksjdhfkhk235hk2jh2kjhkhk23jhk5jh2435kjh45k3jh5k3j4h5k3h45kjh34kj5hk ClientType=Unknown AuthFactorNo=0 SequenceNo=6711379990526558227 DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=PA-5220 VirtualSystemID=1 AuthenticationProtocol=PAP RuleMatchedUUID= TimeGeneratedHighResolution= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= AuthCacheServiceRegion= UserAgentString= SessionID= devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the Authentication field names that the Log Forwarding app uses
when you forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears in a
parameter called profileToken.

LEEF Name Query Name Field Type

AuthenticationDescription auth_description Custom

EventID auth_event_name.value Header

AuthFactorNo auth_factor_num Custom

AuthenticationPolicy auth_policy Custom

AuthenticationProtocol auth_proto Custom

AuthServerProfile auth_server_profile Custom

AuthenticatedUserDomain authenticated_user_info.domain Custom

AuthenticatedUserName authenticated_user_info.name Custom

AuthenticatedUserUUID authenticated_user_info.uuid Custom

ClientType client_type Custom

ClientTypeName client_type_name.value Custom

ConfigVersion config_version.value Custom

CountOfRepeats count_of_repeats Custom

CortexDataLakeTenantID customer_id Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

IsDuplicateLog is_dup_log Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsPrismaNetworks is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

Location location Custom

LogSetting log_set Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

MFAAuthenticationID mfa_auth_id Custom

MFAVendor mfa_vendor Custom

usrName normalize_user Predefined

Object object Custom

PanoramaSN panorama_serial Custom

PlatformType platform_type Custom

RuleMatched rule_matched Custom

RuleMatchedUUID rule_matched_uuid Custom

SequenceNo sequence_no Custom

AuthCacheServiceRegion service_region Custom

SessionID session_id Custom

SourceDeviceCategory source_device_category Custom

SourceDeviceHost source_device_host Custom

SourceDeviceMac source_device_mac Custom

SourceDeviceModel source_device_model Custom

SourceDeviceOSFamily source_device_osfamily Custom

SourceDeviceOSVersion source_device_osversion Custom

SourceDeviceProfile source_device_profile Custom

SourceDeviceVendor source_device_vendor Custom

src source_ip.value Predefined

SubType sub_type.value Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

User user Custom

UserAgentString user_agent Custom

Vendor vendor_name Header

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom
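As an added example (not code from the schema reference or the Log Forwarding app), the following Python parses the example LEEF record above and applies the LEEF-name-to-query-name mapping from the table. It assumes the LEEF 2.0 header layout with the space delimiter the example uses; SAMPLE is that example re-joined onto one line, with masked values kept, the AuthenticationDescription value shortened and the trailing run of empty SourceDevice*/SessionID attributes dropped.

```python
"""Parse the LEEF 2.0 Authentication record shown above and translate its LEEF
names into Cortex Data Lake query names.

Added example, not code from the schema reference or the Log Forwarding app.
SAMPLE is the example record above re-joined onto one line: masked values kept,
AuthenticationDescription shortened, empty SourceDevice*/SessionID attributes
dropped."""
import re

SAMPLE = (
    "Sep 21 07:25:05 gke-standard-cluster-2-pool-3-f004381a-0gw6 1412 <14>1 "
    "2021-09-21T07:25:05.173Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 "
    "logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|authentication success| |"
    "TimeReceived=2021-09-21 07:25:01.057423 DeviceSN=xxxxxxxxxxxxx cat=auth "
    "SubType=Unknown ConfigVersion= devTime=2021-09-21 07:25:01.057449 "
    "VirtualLocation=vsys1 src=xxx.xx.x.xx User= usrName=paloaltonetworkxxxxx "
    "Object=Authentication object5 AuthenticationPolicy=Captive Portal "
    "CountOfRepeats=1 MFAAuthenticationID=1112 MFAVendor=xxxxx LogSetting=test "
    "AuthServerProfile=deny-time-wasters "
    "AuthenticationDescription=www.this.is.another.wannabe.long.url.com/and/it/is/ "
    "ClientType=Unknown AuthFactorNo=0 SequenceNo=6711379990526558227 "
    "DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 "
    "VirtualSystemName= DeviceName=PA-5220 VirtualSystemID=1 AuthenticationProtocol=PAP "
    "RuleMatchedUUID= devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)

# LEEF attribute name -> query name, from the Authentication LEEF table above.
# Vendor and EventID are Header fields and are read from the LEEF header instead.
ATTRIBUTE_QUERY_NAME = {
    "TimeReceived": "log_time", "DeviceSN": "log_source_id", "cat": "log_type.value",
    "SubType": "sub_type.value", "ConfigVersion": "config_version.value",
    "devTime": "time_generated", "VirtualLocation": "vsys", "src": "source_ip.value",
    "User": "user", "usrName": "normalize_user", "Object": "object",
    "AuthenticationPolicy": "auth_policy", "CountOfRepeats": "count_of_repeats",
    "MFAAuthenticationID": "mfa_auth_id", "MFAVendor": "mfa_vendor", "LogSetting": "log_set",
    "AuthServerProfile": "auth_server_profile", "AuthenticationDescription": "auth_description",
    "ClientType": "client_type", "AuthFactorNo": "auth_factor_num", "SequenceNo": "sequence_no",
    "DGHierarchyLevel1": "dg_hier_level_1", "DGHierarchyLevel2": "dg_hier_level_2",
    "DGHierarchyLevel3": "dg_hier_level_3", "DGHierarchyLevel4": "dg_hier_level_4",
    "VirtualSystemName": "vsys_name", "DeviceName": "log_source_name", "VirtualSystemID": "vsys_id",
    "AuthenticationProtocol": "auth_proto", "RuleMatchedUUID": "rule_matched_uuid",
}
HEADER_QUERY_NAME = {"vendor": "vendor_name", "event_id": "auth_event_name.value"}


def _delimiter(field):
    """LEEF 2.0 delimiter field: one literal character or hex such as x09 / 0x09;
    an empty field means the LEEF 1.0 default, a tab."""
    if field == "":
        return "\t"
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", field)
    return chr(int(m.group(1), 16)) if m else field


def split_attributes(body, delim):
    """Split 'key=value<delim>key=value...' where values may contain the delimiter
    ('AuthenticationPolicy=Captive Portal'): a value runs until the next
    '<delim>key=' token. A value that itself contains such a token is ambiguous in
    space-delimited LEEF and gets cut there; an empty value ('User=') is kept."""
    token = re.compile(r"(?:^|%s)([A-Za-z][A-Za-z0-9_]*)=" % re.escape(delim))
    matches = list(token.finditer(body))
    attrs = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        attrs[m.group(1)] = body[m.end():end]
    return attrs


def parse_leef(line):
    """Return (header, attributes) for the LEEF record embedded in a syslog line;
    the syslog transport prefix before 'LEEF:' is ignored."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF record in line")
    parts = line[start:].split("|", 6)
    if len(parts) != 7:
        raise ValueError("expected 6 pipe-separated LEEF 2.0 header fields")
    header = {"leef_version": parts[0][5:], "vendor": parts[1], "product": parts[2],
              "product_version": parts[3], "event_id": parts[4]}
    return header, split_attributes(parts[6], _delimiter(parts[5]))


def to_query_names(line):
    """Map one forwarded Authentication record onto query names. Attributes the
    table does not list (devTimeFormat, an optional profileToken) keep their LEEF
    name so nothing is silently dropped."""
    header, attrs = parse_leef(line)
    out = {query: header[key] for key, query in HEADER_QUERY_NAME.items()}
    for name, value in attrs.items():
        out[ATTRIBUTE_QUERY_NAME.get(name, name)] = value
    return out
```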

DNS Security
DNS Security logs contain information that the DNS Security service collects, such as server
response and request information based on your firewall security policy rules, associated action,
and the DNS query details when performing domain lookups.
See the following for information related to supported log formats:
• DNS Security Syslog Default Field Order
• DNS Security CEF Fields
• DNS Security EMAIL Fields
• DNS Security HTTPS Fields
• DNS Security LEEF Fields

DNS SECURITY Field (Display Name) Description

action.value (ACTION)
Identifies the action that the firewall took for the network traffic.
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action

customer_id (CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSCortexDataLakeTenantID
EMAIL field name: All of the following: CortexDataLakeTenantID, CortexDataLakeTenantId
HTTPS field name: All of the following: CortexDataLakeTenantID, CortexDataLakeTenantId
LEEF field name: CortexDataLakeTenantId

dest_ip.value (DNS RESOLVER IP)
The IP address of the DNS resolver.
Syslog field name: Syslog Field Order
CEF field name: PanOSDNSResolverIP
EMAIL field name: DNSResolverIP
HTTPS field name: DNSResolverIP
LEEF field name: DNSResolverIP

dns_response (DNS RESPONSE)
The IP address that the domain in the DNS query got resolved to.
Syslog field name: Syslog Field Order
CEF field name: PanOSDNSResponse
EMAIL field name: DNSResponse
HTTPS field name: DNSResponse
LEEF field name: DNSResponse

dns_response_code (DNS RESPONSE CODE)
The IP address that the domain in the DNS query got resolved to.
CEF field name: PanOSDNSResponseCode
EMAIL field name: DNSResponseCode
HTTPS field name: DNSResponseCode
LEEF field name: DNSResponseCode

dst_user (DESTINATION USER)
The username of the user to which the session was destined.
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: DestinationUser
HTTPS field name: DestinationUser
LEEF field name: DestinationUser

dst_zone (TO ZONE)
The networking zone the session was destined to.
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone

fqdn (FQDN)
The FQDN of the requested domain.
CEF field name: request
EMAIL field name: FQDN
HTTPS field name: FQDN
LEEF field name: url

from_zone (FROM ZONE)
The networking zone from which the traffic originated.
Syslog field name: Syslog Field Order
CEF field name: cs4
EMAIL field name: FromZone
HTTPS field name: FromZone
LEEF field name: FromZone

gtid (THREAT ID)
The Global Threat ID of the requested domain. If there is a threat signature associated with the DNS request, this is a Palo Alto Networks threat ID.
Syslog field name: Syslog Field Order
CEF field name: PanOSThreatID
EMAIL field name: ThreatID
HTTPS field name: ThreatID
LEEF field name: ThreatID

log_source (LOG SOURCE)
Identifies the origin of the data, that is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN

log_time (TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived

log_type.value (LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: DeviceEventClassID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat

panorama_serial (PANORAMA SN)
Serial number of the Panorama associated with Cortex Data Lake (CDL).
CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN

platform_type (PLATFORM TYPE)
The platform type. Valid types are VM, PA, NGFW, and CNGFW.
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType

protocol (DNS SECURITY VERSION)
A number indicating the PAN-OS version of the firewall that generated the log:
• 1 - PAN-OS 9.0/9.1
• 2 - PAN-OS 10.0+
CEF field name: PanOSDNSSecuityVersion
EMAIL field name: DNSSecurityVersion
HTTPS field name: DNSSecurityVersion
LEEF field name: DNSSecurityVersion

record_type (RECORD TYPE)
The DNS record type:
• A (IPv4)
• AAAA (IPv6)
Syslog field name: Syslog Field Order
CEF field name: PanOSRecordType
EMAIL field name: RecordType
HTTPS field name: RecordType
LEEF field name: RecordType

source_ip.value (SOURCE ADDRESS)
The IP address of the system that made the DNS request.
Syslog field name: Syslog Field Order
CEF field name: src
EMAIL field name: SourceAddress
HTTPS field name: SourceAddress
LEEF field name: src

source_user (SOURCE USER)
The username that initiated the network traffic.
CEF field name: suser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: UsrName

sub_type.value (SUB TYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: All of the following: Subtype, SubType
HTTPS field name: All of the following: Subtype, SubType
LEEF field name: SubType

threat_name (THREAT NAME)
The name of the threat against which the verdict was made.
Syslog field name: Syslog Field Order
CEF field name: cat
EMAIL field name: ThreatName
HTTPS field name: ThreatName
LEEF field name: ThreatName

time_generated (TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

total_time_elapsed (SESSION DURATION)
The total duration of the network session.
CEF field name: cn3
EMAIL field name: SessionDuration
HTTPS field name: SessionDuration
LEEF field name: SessionDuration

vendor_name (VENDOR NAME)
Identifies the vendor that produced the data.
Syslog field name: Syslog Field Order
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

verdict.value (DNS CATEGORY)
The DNS category verdict for the requested domain, represented by an integer. The integer represents different categories depending on the value of the protocol field.
If protocol is 1:
• 0 - benign/unknown
• 1 - malware
• 2 - command and control
• 3-8 - benign
• 9 - allowlist
If protocol is 2:
• 0 - benign/unknown
• 1 - malware
• 2 - command and control
• 3 - phishing
• 4 - dynamicDNS
• 5 - newly registered domain
• 6 - grayware
• 7 - parked
• 8 - proxy
• 9 - allowlist
Syslog field name: Syslog Field Order
CEF field name: PanOSDNSCategory
EMAIL field name: DNSCategory
HTTPS field name: DNSCategory
LEEF field name: EventID
DNS Security Syslog Default Field Order

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.

The fields are identified in the default order that they appear in each log line:
HEADER, vendor_name, log_source_id, log_time, log_type.value, sub_type.value, time_generated,
record_type, cloud_dns_client_ip.value, dest_ip.value, gtid, verdict.value, threat_name,
source_ip.value, from_zone, action.value, dns_response, dst_zone, dst_user, dns_parse_fqdn
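The verdict.value integer described above only has a meaning together with the protocol field: the same value 3 is benign on PAN-OS 9.0/9.1 and phishing on PAN-OS 10.0+, and the default syslog field order above carries verdict.value but not protocol. The following Python is an added example, not code from the schema reference: it decodes a record keyed by the HTTPS field names DNSSecurityVersion and DNSCategory, refuses to classify a record whose version is missing, and flags the categories an analyst would alert on (that alert set is an assumption of the example, not part of the schema); the sample records are constructed.

```python
"""Decode the DNS Security verdict.value integer, whose meaning depends on the
protocol (DNS SECURITY VERSION) field, and flag the categories worth alerting on.

Added example, not code from the schema reference. The two category tables are
the ones in the verdict.value description above; records are keyed by the HTTPS
field names (DNSSecurityVersion, DNSCategory, FQDN, SourceAddress, Action) and
the sample records below are constructed."""

# protocol 1 (PAN-OS 9.0/9.1): values 3 to 8 all mean "benign"
CATEGORIES_V1 = {0: "benign/unknown", 1: "malware", 2: "command and control",
                 **{v: "benign" for v in range(3, 9)}, 9: "allowlist"}
# protocol 2 (PAN-OS 10.0+): values 3 to 8 are distinct categories
CATEGORIES_V2 = {0: "benign/unknown", 1: "malware", 2: "command and control",
                 3: "phishing", 4: "dynamicDNS", 5: "newly registered domain",
                 6: "grayware", 7: "parked", 8: "proxy", 9: "allowlist"}
CATEGORIES_BY_PROTOCOL = {1: CATEGORIES_V1, 2: CATEGORIES_V2}

# Analyst choice for this example, not part of the schema: categories that should
# raise an alert even when the firewall action was "allow".
ALERT_CATEGORIES = frozenset({"malware", "command and control", "phishing"})


def decode_verdict(protocol, verdict):
    """Translate verdict.value into its category name for the given protocol.
    Both arguments may arrive as strings, as forwarded fields usually do."""
    try:
        table = CATEGORIES_BY_PROTOCOL[int(protocol)]
    except (KeyError, TypeError, ValueError):
        raise ValueError(f"unsupported DNS Security version: {protocol!r}") from None
    try:
        return table[int(verdict)]
    except (KeyError, TypeError, ValueError):
        raise ValueError(f"verdict {verdict!r} is undefined for version {protocol}") from None


def triage(record):
    """Enrich one DNS Security record (HTTPS field names) with its decoded category
    and an alert flag. A missing version or verdict raises, so a record with an
    unknown schema is never silently treated as benign."""
    category = decode_verdict(record.get("DNSSecurityVersion"), record.get("DNSCategory"))
    return {
        "fqdn": record.get("FQDN", ""),
        "source_ip": record.get("SourceAddress", ""),
        "action": record.get("Action", ""),
        "category": category,
        "alert": category in ALERT_CATEGORIES,
    }


def alerts(records):
    """Return the triaged records that need analyst attention."""
    return [t for t in map(triage, records) if t["alert"]]


# Constructed sample records: DNSCategory=3 decodes differently per version.
SAMPLE_RECORDS = [
    {"DNSSecurityVersion": "1", "DNSCategory": "3", "FQDN": "cdn.example.net",
     "SourceAddress": "10.1.2.3", "Action": "allow"},
    {"DNSSecurityVersion": "2", "DNSCategory": "3", "FQDN": "login.example-bank.test",
     "SourceAddress": "10.1.2.3", "Action": "allow"},
    {"DNSSecurityVersion": "2", "DNSCategory": "2", "FQDN": "beacon.example.test",
     "SourceAddress": "10.1.2.4", "Action": "block"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_RECORDS):
        print(hit)
```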

DNS Security CEF Fields


The following table identifies the DNS Security field names that the Log Forwarding app uses
when you forward logs using the CEF log format.

CEF Name (Field Details)

act (Query Name: action.value; Header Type: Predefined; Max Length: 63)

PanOSCortexDataLakeTenantID (Query Name: customer_id; Header Type: Custom)

PanOSDNSResolverIP (Query Name: dest_ip.value; Header Type: Custom)

PanOSDNSResponse (Query Name: dns_response; Header Type: Custom)

PanOSDNSResponseCode (Query Name: dns_response_code; Header Type: Custom)

duser (Query Name: dst_user; Header Type: Predefined; Max Length: 1023)

cs5 (Query Name: dst_zone; Header Type: Predefined; Max Length: 4000)

request (Query Name: fqdn; Header Type: Predefined; Max Length: 1023)

cs4 (Query Name: from_zone; Header Type: Predefined; Max Length: 4000)

PanOSThreatID (Query Name: gtid; Header Type: Custom)

PanOSLogSource (Query Name: log_source; Header Type: Custom)

LogSourceGroupID (Query Name: log_source_group_id; Header Type: Custom; Max Length: 255)

deviceExternalID (Query Name: log_source_id; Header Type: Predefined; Max Length: 255)

rt (Query Name: log_time; Header Type: Predefined)

DeviceEventClassID (Query Name: log_type.value; Header Type: Custom)

PanOSPanoramaSN (Query Name: panorama_serial; Header Type: Custom)

PlatformType (Query Name: platform_type; Header Type: Custom)

PanOSDNSSecuityVersion (Query Name: protocol; Header Type: Custom)

PanOSRecordType (Query Name: record_type; Header Type: Custom)

src (Query Name: source_ip.value; Header Type: Predefined)

suser (Query Name: source_user; Header Type: Predefined; Max Length: 1023)

Name (Query Name: sub_type.value; Header Type: Custom)

cat (Query Name: threat_name; Header Type: Predefined; Max Length: 1023)

start (Query Name: time_generated; Header Type: Predefined)

cn3 (Query Name: total_time_elapsed; Header Type: Predefined)

Device Vendor (Query Name: vendor_name; Header Type: Custom)

PanOSDNSCategory (Query Name: verdict.value; Header Type: Custom)

DNS Security EMAIL Fields


The following table identifies the DNS Security field names that the Log Forwarding app uses
when you forward logs using the EMAIL log format.

EMAIL Name Query Name

Action action.value

CortexDataLakeTenantID, CortexDataLakeTenantId customer_id

DNSResolverIP dest_ip.value

DNSResponse dns_response

DNSResponseCode dns_response_code

DestinationUser dst_user

ToZone dst_zone

FQDN fqdn

FromZone from_zone

ThreatID gtid

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

TimeReceived log_time

LogType log_type.value

PanoramaSN panorama_serial

PlatformType platform_type

DNSSecurityVersion protocol

RecordType record_type

SourceAddress source_ip.value

SourceUser source_user

Subtype, SubType sub_type.value

ThreatName threat_name

TimeGenerated time_generated

SessionDuration total_time_elapsed

VendorName vendor_name

DNSCategory verdict.value

DNS Security HTTPS Fields


The following table identifies the DNS Security field names that the Log Forwarding app uses
when you forward logs using the HTTPS log format.

HTTPS Name Query Name

Action action.value

CortexDataLakeTenantID, CortexDataLakeTenantId customer_id

DNSResolverIP dest_ip.value

DNSResponse dns_response

DNSResponseCode dns_response_code

DestinationUser dst_user

ToZone dst_zone

FQDN fqdn

FromZone from_zone

ThreatID gtid

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

TimeReceived log_time

LogType log_type.value

PanoramaSN panorama_serial

PlatformType platform_type

DNSSecurityVersion protocol

RecordType record_type

SourceAddress source_ip.value

SourceUser source_user

Subtype, SubType sub_type.value

ThreatName threat_name

TimeGenerated time_generated

SessionDuration total_time_elapsed

VendorName vendor_name

DNSCategory verdict.value

DNS Security LEEF Fields


The following table identifies the DNS Security field names that the Log Forwarding app uses
when you forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears in a
parameter called profileToken.

LEEF Name Query Name Field Type

Action action.value Custom

CortexDataLakeTenantId customer_id Custom

DNSResolverIP dest_ip.value Custom

DNSResponse dns_response Custom

DNSResponseCode dns_response_code Custom

DestinationUser dst_user Custom

ToZone dst_zone Custom

url fqdn Predefined

FromZone from_zone Custom

ThreatID gtid Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

TimeReceived log_time Custom

cat log_type.value Predefined

PanoramaSN panorama_serial Custom

PlatformType platform_type Custom

DNSSecurityVersion protocol Custom

RecordType record_type Custom

src source_ip.value Predefined

UsrName source_user Custom

SubType sub_type.value Custom

ThreatName threat_name Custom

devTime time_generated Predefined

SessionDuration total_time_elapsed Custom

Vendor vendor_name Header

EventID verdict.value Header

Decryption
By default, decryption logs display entries for unsuccessful TLS handshakes. In addition, they can
display entries for successful TLS handshakes, but the firewall administrator must first enable
successful TLS handshake logging in a Decryption policy.
See the following for information related to supported log formats:
• Decryption Syslog Default Field Order
• Decryption CEF Fields
• Decryption EMAIL Fields
• Decryption HTTPS Fields
• Decryption LEEF Fields

DECRYPTION Field Description


(Display Name)

action.value Identifies the action that the firewall took for the
network traffic.
(ACTION)
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action

app Application associated with the network traffic.


(APPLICATION) Syslog field name: Syslog Field Order
CEF field name: app
EMAIL field name: Application
HTTPS field name: Application
LEEF field name: Application

app_category Identifies the high-level family of the application.


(APPLICATION CATEGORY) CEF field name: PanOSApplicationCategory
EMAIL field name: ApplicationCategory
HTTPS field name: ApplicationCategory
LEEF field name: ApplicationCategory

Cortex Data Lake Schema Reference January 2024 147 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)

app_sub_category Identifies the application's subcategory. The


subcategory is related to the application's category,
(APPLICATION SUBCATEGORY)
which is identified in category_of_app.
CEF field name: PanOSApplicationSubcategory
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory

cert_flags Internal use only bit field containing raw decryption


information as generated at the firewall. The
(CERTIFICATE FLAGS)
information in this bit field is reflected in other
decryption log fields.
Syslog field name: Syslog Field Order
CEF field name: PanOSCertificateFlags
EMAIL field name: CertificateFlags
HTTPS field name: CertificateFlags
LEEF field name: CertificateFlags

cert_serial The certificate's serial number.


(CERTIFICATE SERIAL) Syslog field name: Syslog Field Order
CEF field name: PanOSCertificateSerial
EMAIL field name: CertificateSerial
HTTPS field name: CertificateSerial
LEEF field name: CertificateSerial

certificate_size The size of the certificate.


(CERTIFICATE SIZE) Syslog field name: Syslog Field Order
CEF field name: PanOSCertificateSize
EMAIL field name: CertificateSize
HTTPS field name: CertificateSize
LEEF field name: CertificateSize

certificate_version.value The certificate's version number.


(CERTIFICATE VERSION) Syslog field name: Syslog Field Order
CEF field name: PanOSCertificateVersion

Cortex Data Lake Schema Reference January 2024 148 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)
EMAIL field name: CertificateVersion
HTTPS field name: CertificateVersion
LEEF field name: CertificateVersion

chain_status.value The certificate chain verification status. Possible values


are:
(CHAIN STATUS)
• Uninspected.
• Untrusted.
• Trusted.
• Incomplete.
Syslog field name: Syslog Field Order
CEF field name: PanOSChainStatus
EMAIL field name: ChainStatus
HTTPS field name: ChainStatus
LEEF field name: ChainStatus

characteristics_of_app Identifies the behaviorial characteristic of the


application associated with the network traffic.
(APPLICATION CHARACTERISTICS)
CEF field name: PanOSApplicationCharacteristics
EMAIL field name: ApplicationCharacteristics
HTTPS field name: ApplicationCharacteristics
LEEF field name: ApplicationCharacteristics

client_to_firewall.value The direction of the SSL/TLS connection is from the


client to the firewall.
(CLIENT TO FIREWALL)
Syslog field name: Syslog Field Order
CEF field name: PanOSClientToFirewall
EMAIL field name: ClientToFirewall
HTTPS field name: ClientToFirewall
LEEF field name: ClientToFirewall

cn The common name found on the certificate's domain


name.
(COMMON NAME)
Syslog field name: Syslog Field Order
CEF field name: PanOSCommonName

Cortex Data Lake Schema Reference January 2024 149 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)
EMAIL field name: CommonName
HTTPS field name: CommonName
LEEF field name: CommonName

cn_len The length of the common name found on the


certificate's domain name before truncation (if any).
(COMMON NAME LENGTH)
Syslog field name: Syslog Field Order
CEF field name: PanOSCommonNameLength
EMAIL field name: CommonNameLength
HTTPS field name: CommonNameLength
LEEF field name: CommonNameLength

config_version.value Version number of the firewall operating system that


wrote this log record, in major.minor format.
(CONFIG VERSION)
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

container_id Unknown field. No information is available at this time.


(CONTAINER ID) Syslog field name: Syslog Field Order
CEF field name: PanOSContainerID
EMAIL field name: ContainerID
HTTPS field name: ContainerID
LEEF field name: ContainerID

container_of_app Identifies the managing application or parent of the


application associated with this network traffic.
(APPLICATION CONTAINER)
CEF field name: PanOSApplicationContainer
EMAIL field name: ApplicationContainer
HTTPS field name: ApplicationContainer
LEEF field name: ApplicationContainer

Cortex Data Lake Schema Reference January 2024 150 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)

count_of_repeats Number of sessions with same Source IP, Destination


IP, Application, and Content/Threat Type seen for the
(REPEAT COUNT)
summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: All of the following: RepeatCount,
CountOfRepeat
HTTPS field name: All of the following: RepeatCount,
CountOfRepeat
LEEF field name: CountOfRepeat

cpadding For internal use only.


(CPADDING) CEF field name: PanOSCpadding
EMAIL field name: Cpadding
HTTPS field name: Cpadding
LEEF field name: Cpadding

customer_id The ID that uniquely identifies the Cortex Data Lake


instance which received this log record.
(CORTEX DATA LAKE TENANT ID)
CEF field name: PanOSCortexDataLakeTenantID
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID

dest_device_category Category of the device to which the session was


directed.
(DESTINATION DEVICE
CATEGORY) Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceCategory
EMAIL field name: DestinationDeviceCategory
HTTPS field name: DestinationDeviceCategory
LEEF field name: DestinationDeviceCategory

dest_device_class Destination device class.


(DESTINATION DEVICE CLASS) CEF field name: PanOSDestinationDeviceClass
EMAIL field name: DestinationDeviceClass

Cortex Data Lake Schema Reference January 2024 151 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)
HTTPS field name: DestinationDeviceClass
LEEF field name: DestinationDeviceClass

dest_device_host Hostname of the device to which the session was


directed.
(DESTINATION DEVICE HOST)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceHost
EMAIL field name: DestinationDeviceHost
HTTPS field name: DestinationDeviceHost
LEEF field name: DestinationDeviceHost

dest_device_mac MAC Address of the device to which the session was


directed.
(DESTINATION DEVICE MAC)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceMac
EMAIL field name: DestinationDeviceMac
HTTPS field name: DestinationDeviceMac
LEEF field name: DestinationDeviceMac

dest_device_model Model of the device to which the session was directed.


(DESTINATION DEVICE MODEL) Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceModel
EMAIL field name: DestinationDeviceModel
HTTPS field name: DestinationDeviceModel
LEEF field name: DestinationDeviceModel

dest_device_os Destination device OS type.


(DESTINATION DEVICE OS) CEF field name: PanOSDestinationDeviceOS
EMAIL field name: DestinationDeviceOS
HTTPS field name: DestinationDeviceOS
LEEF field name: DestinationDeviceOS

dest_device_osfamily OS family of the device to which the session was


directed.
(DESTINATION DEVICE OS
FAMILY) Syslog field name: Syslog Field Order

Cortex Data Lake Schema Reference January 2024 152 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)
CEF field name: PanOSDestinationDeviceOSFamily
EMAIL field name: DestinationDeviceOSFamily
HTTPS field name: DestinationDeviceOSFamily
LEEF field name: DestinationDeviceOSFamily

dest_device_osversion (DESTINATION DEVICE OS VERSION)
OS version of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceOSVersion
EMAIL field name: DestinationDeviceOSVersion
HTTPS field name: DestinationDeviceOSVersion
LEEF field name: DestinationDeviceOSVersion

dest_device_profile (DESTINATION DEVICE PROFILE)
Profile of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceProfile
EMAIL field name: DestinationDeviceProfile
HTTPS field name: DestinationDeviceProfile
LEEF field name: DestinationDeviceProfile

dest_device_vendor (DESTINATION DEVICE VENDOR)
Vendor of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceVendor
EMAIL field name: DestinationDeviceVendor
HTTPS field name: DestinationDeviceVendor
LEEF field name: DestinationDeviceVendor

dest_dynamic_address_group (DESTINATION DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the destination for the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDynamicAddressGroup
EMAIL field name: DestinationDynamicAddressGroup
HTTPS field name: DestinationDynamicAddressGroup
LEEF field name: DestinationDynamicAddressGroup

dest_edl (DESTINATION EDL)
The name of the external dynamic list that contains the destination IP address of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationEDL
EMAIL field name: DestinationEDL
HTTPS field name: DestinationEDL
LEEF field name: DestinationEDL

dest_ip.value (DESTINATION ADDRESS)
Original destination IP address.
Syslog field name: Syslog Field Order
CEF fields: dst or c6a3
EMAIL field name: DestinationAddress
HTTPS field name: DestinationAddress
LEEF field name: dst

dest_location (DESTINATION LOCATION)
Destination country or internal region for private addresses.
CEF field name: PanOSDestinationLocation
EMAIL field name: DestinationLocation
HTTPS field name: DestinationLocation
LEEF field name: DestinationLocation

dest_port (DESTINATION PORT)
Network traffic's destination port. If this value is 0, then the app is using its standard port.
Syslog field name: Syslog Field Order
CEF field name: dpt
EMAIL field name: DestinationPort
HTTPS field name: DestinationPort
LEEF field name: dstPort

dest_user (DESTINATION USER)
The username to which the network traffic was destined.
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: DestinationUser
HTTPS field name: DestinationUser
LEEF field name: DestinationUser

dest_user_info.domain (DESTINATION USER DOMAIN)
Domain to which the Destination User belongs.
CEF field name: dntdom
EMAIL field name: DestinationUserDomain
HTTPS field name: DestinationUserDomain
LEEF field name: DestinationUserDomain

dest_user_info.name (DESTINATION USER NAME)
The Destination User. That is, the username to which the network traffic was destined.
CEF field name: dusername, duser
EMAIL field name: DestinationUserName
HTTPS field name: DestinationUserName
LEEF field name: DestinationUserName

dest_user_info.uuid (DESTINATION USER UUID)
Unique identifier assigned to the Destination User.
CEF field name: duid
EMAIL field name: DestinationUserUUID
HTTPS field name: DestinationUserUUID
LEEF field name: DestinationUserUUID

dest_uuid (DESTINATION UUID)
Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationUUID
EMAIL field name: DestinationUUID
HTTPS field name: DestinationUUID
LEEF field name: DestinationUUID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4

domain (DOMAIN)
The subject common name; that is, the name of the server that the certificate protects.
CEF field name: PanOSDomain
EMAIL field name: Domain
HTTPS field name: Domain
LEEF field name: Domain

elliptic_curve.value (ELLIPTIC CURVE)
The elliptic cryptography curve that the client and server negotiate and use for connections that use ECDHE cipher suites.
Syslog field name: Syslog Field Order
CEF field name: PanOSEllipticCurve
EMAIL field name: EllipticCurve
HTTPS field name: EllipticCurve
LEEF field name: EllipticCurve

error_index.value (ERROR INDEX)
The elliptic cryptography curve that the client and server negotiate and use for connections that use ECDHE cipher suites.
Syslog field name: Syslog Field Order
CEF field name: PanOSErrorIndex
EMAIL field name: ErrorIndex
HTTPS field name: ErrorIndex
LEEF field name: ErrorIndex

error_message (ERROR MESSAGE)
The error message content.
Syslog field name: Syslog Field Order
CEF field name: PanOSErrorMessage
EMAIL field name: ErrorMessage
HTTPS field name: ErrorMessage
LEEF field name: ErrorMessage

fingerprint (FINGERPRINT)
A hash of the certificate in x509 binary format.
Syslog field name: Syslog Field Order
CEF field name: PanOSFingerprint
EMAIL field name: Fingerprint
HTTPS field name: Fingerprint
LEEF field name: Fingerprint

firewall_to_client.value (FIREWALL TO CLIENT)
The direction of the SSL/TLS connection is from the firewall to the client.
Syslog field name: Syslog Field Order
CEF field name: PanOSFirewallToClient
EMAIL field name: FirewallToClient
HTTPS field name: FirewallToClient
LEEF field name: FirewallToClient

from_zone (FROM ZONE)
The networking zone from which the traffic originated.
Syslog field name: Syslog Field Order
CEF field name: cs4
EMAIL field name: FromZone
HTTPS field name: FromZone
LEEF field name: FromZone

inbound_if.value (INBOUND INTERFACE)
Interface from which the network traffic was sourced.
Syslog field name: Syslog Field Order
CEF field name: deviceInboundInterface
EMAIL field name: InboundInterface
HTTPS field name: InboundInterface
LEEF field name: InboundInterface

inbound_if_details.port (INBOUND INTERFACE DETAILS PORT)
Hardware port or socket from which the network traffic was sourced.
CEF field name: PanOSInboundInterfaceDetailsPort
EMAIL field name: InboundInterfaceDetailsPort
HTTPS field name: InboundInterfaceDetailsPort
LEEF field name: InboundInterfaceDetailsPort

inbound_if_details.slot (INBOUND INTERFACE DETAILS SLOT)
Interface slot from which the network traffic was sourced.
CEF field name: PanOSInboundInterfaceDetailsSlot
EMAIL field name: InboundInterfaceDetailsSlot
HTTPS field name: InboundInterfaceDetailsSlot
LEEF field name: InboundInterfaceDetailsSlot

inbound_if_details.type.value (INBOUND INTERFACE DETAILS TYPE)
The type of interface from which the network traffic was sourced.
CEF field name: PanOSInboundInterfaceDetailsType
EMAIL field name: InboundInterfaceDetailsType
HTTPS field name: InboundInterfaceDetailsType
LEEF field name: InboundInterfaceDetailsType

inbound_if_details.unit (INBOUND INTERFACE DETAILS UNIT)
Internal use.
CEF field name: PanOSInboundInterfaceDetailsUnit
EMAIL field name: InboundInterfaceDetailsUnit
HTTPS field name: InboundInterfaceDetailsUnit
LEEF field name: InboundInterfaceDetailsUnit

is_captive_portal (CAPTIVE PORTAL)
Indicates if user information for the session was captured through Captive Portal.
CEF field name: PanOSCaptivePortal
EMAIL field name: CaptivePortal
HTTPS field name: CaptivePortal
LEEF field name: CaptivePortal

is_cert_ECDSA (IS CERT ECDSA)
The certificate key exchange algorithm used for the session is ECDSA.
CEF field name: PanOSIsCertECDSA
EMAIL field name: IsCertECDSA
HTTPS field name: IsCertECDSA
LEEF field name: IsCertECDSA

is_cert_RSA (IS CERT RSA)
The certificate key exchange algorithm used for the session is RSA.
CEF field name: PanOSIsCertRSA
EMAIL field name: IsCertRSA
HTTPS field name: IsCertRSA
LEEF field name: IsCertRSA

is_cert_cn_truncated (IS CERT CN TRUNCATED)
Indicates whether the common name found on the certificate has been truncated due to buffer limits.
CEF field name: PanOSIsCertCNTruncated
EMAIL field name: IsCertCNTruncated
HTTPS field name: IsCertCNTruncated
LEEF field name: IsCertCNTruncated

is_client_to_server (IS CLIENT TO SERVER)
Indicates if the direction of traffic is from client to server.
CEF field name: PanOSIsClienttoServer
EMAIL field name: IsClienttoServer
HTTPS field name: IsClienttoServer
LEEF field name: IsClienttoServer

is_container (IS CONTAINER)
Indicates if the session is a container page access (Container Page).
CEF field name: PanOSIsContainer
EMAIL field name: IsContainer
HTTPS field name: IsContainer
LEEF field name: IsContainer

is_decrypt_mirror (IS DECRYPT MIRROR)
Indicates whether decrypted traffic was sent out in clear text through a mirror port.
CEF field name: PanOSIsDecryptMirror
EMAIL field name: IsDecryptMirror
HTTPS field name: IsDecryptMirror
LEEF field name: IsDecryptMirror

is_decrypted (IS DECRYPTED)
Flag that indicates that the session is decrypted.
CEF field name: PanOSIsDecrypted
EMAIL field name: IsDecrypted
HTTPS field name: IsDecrypted
LEEF field name: IsDecrypted

is_dup_log (IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog

is_encrypted (IS ENCRYPTED)
Flag that indicates that the session is encrypted.
CEF field name: PanOSIsEncrypted
EMAIL field name: IsEncrypted
HTTPS field name: IsEncrypted
LEEF field name: IsEncrypted

is_exported (LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported

is_forwarded (IS FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSIsForwarded
EMAIL field name: IsForwarded
HTTPS field name: IsForwarded
LEEF field name: IsForwarded

is_ipv6 (IS IPV6)
Indicates whether IPV6 was used for the session.
CEF field name: PanOSIsIPV6
EMAIL field name: IsIPV6
HTTPS field name: IsIPV6
LEEF field name: IsIPV6

is_issuer_cn_truncated (IS ISSUER CN TRUNCATED)
Indicates whether the common name used by the certificate's issuer has been truncated due to buffer limits.
CEF field name: PanOSIsIssuerCNTruncated
EMAIL field name: IsIssuerCNTruncated
HTTPS field name: IsIssuerCNTruncated
LEEF field name: IsIssuerCNTruncated

is_mptcp_on (IS MPTCP ON)
Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
CEF field name: PanOSIsMptcpOn
EMAIL field name: IsMptcpOn
HTTPS field name: IsMptcpOn
LEEF field name: IsMptcpOn

is_nat (IS NAT)
Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
CEF field name: PanOSIsNAT
EMAIL field name: IsNAT
HTTPS field name: IsNAT
LEEF field name: IsNAT

is_non_std_dest_port (IS NON STANDARD DESTINATION PORT)
Indicates if the destination port is non-standard.
CEF field name: PanOSIsNonStandardDestinationPort
EMAIL field name: IsNonStandardDestinationPort
HTTPS field name: IsNonStandardDestinationPort
LEEF field name: IsNonStandardDestinationPort

is_packet_capture (PACKET CAPTURE)
Indicates whether the session has a packet capture (PCAP).
CEF field name: PanOSPacketCapture
EMAIL field name: PacketCapture
HTTPS field name: PacketCapture
LEEF field name: PacketCapture

is_phishing (IS PHISHING)
Indicates whether enterprise credentials were submitted by an end user.
CEF field name: PanOSIsPhishing
EMAIL field name: IsPhishing
HTTPS field name: IsPhishing
LEEF field name: IsPhishing

is_prisma_branch (IS PRISMA NETWORK)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetwork
EMAIL field name: IsPrismaNetwork
HTTPS field name: IsPrismaNetwork
LEEF field name: IsPrismaNetwork

is_prisma_mobile (IS PRISMA USERS)
Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers

is_proxy (IS PROXY)
Indicates whether the SSL session is decrypted (SSL Proxy).
CEF field name: PanOSIsProxy
EMAIL field name: IsProxy
HTTPS field name: IsProxy
LEEF field name: IsProxy

is_recon_excluded (IS RECON EXCLUDED)
Indicates whether the source for the flow is on the firewall allow list and not subject to recon protection.
CEF field name: PanOSIsReconExcluded
EMAIL field name: IsReconExcluded
HTTPS field name: IsReconExcluded
LEEF field name: IsReconExcluded

is_resume_session (IS RESUME SESSION)
Indicates that the decryption session was previously interrupted and is now resuming.
CEF field name: PanOSIsResumeSession
EMAIL field name: IsResumeSession
HTTPS field name: IsResumeSession
LEEF field name: IsResumeSession

is_root_cn_truncated (IS ROOT CN TRUNCATED)
Indicates whether the common name used for the root CA has been truncated due to buffer limits.
CEF field name: PanOSIsRootCNTruncated
EMAIL field name: IsRootCNTruncated
HTTPS field name: IsRootCNTruncated
LEEF field name: IsRootCNTruncated

is_saas_app (IS SAAS APPLICATION)
Internal-use field. Indicates whether the application associated with this network traffic is a SAAS application.
CEF field name: PanOSIsSaaSApplication
EMAIL field name: IsSaaSApplication
HTTPS field name: IsSaaSApplication
LEEF field name: IsSaaSApplication

is_server_to_client (IS SERVER TO CLIENT)
Indicates if the direction of traffic is from server to client.
CEF field name: PanOSIsServertoClient
EMAIL field name: IsServertoClient
HTTPS field name: IsServertoClient
LEEF field name: IsServertoClient

is_sni_truncated (IS SNI TRUNCATED)
Indicates whether the server name indication (SNI), which is the hostname of the server that the client is trying to reach, has been truncated due to buffer limits.
CEF field name: PanOSIsSNITruncated
EMAIL field name: IsSNITruncated
HTTPS field name: IsSNITruncated
LEEF field name: IsSNITruncated

is_source_x_fwded (IS SOURCE X FORWARDED)
Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
CEF field name: PanOSIsSourceXForwarded
EMAIL field name: IsSourceXForwarded
HTTPS field name: IsSourceXForwarded
LEEF field name: IsSourceXForwarded

is_sym_return (IS SYSTEM RETURN)
Indicates whether symmetric return was used to forward traffic for this session.
CEF field name: PanOSIsSystemReturn
EMAIL field name: IsSystemReturn
HTTPS field name: IsSystemReturn
LEEF field name: IsSystemReturn

is_transaction (IS TRANSACTION)
Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
CEF field name: PanOSIsTransaction
EMAIL field name: IsTransaction
HTTPS field name: IsTransaction
LEEF field name: IsTransaction

is_tunnel_inspected (IS TUNNEL INSPECTED)
Indicates whether the payload for the outer tunnel was inspected.
CEF field name: PanOSIsTunnelInspected
EMAIL field name: IsTunnelInspected
HTTPS field name: IsTunnelInspected
LEEF field name: IsTunnelInspected

is_url_denied (IS URL DENIED)
Indicates whether the session was denied due to a URL filtering rule.
CEF field name: PanOSIsURLDenied
EMAIL field name: IsURLDenied
HTTPS field name: IsURLDenied
LEEF field name: IsURLDenied

issuer_cn (ISSUER COMMON NAME)
The name of the organization that verified the certificate's contents.
Syslog field name: Syslog Field Order
CEF field name: PanOSIssuerCommonName
EMAIL field name: IssuerCommonName
HTTPS field name: IssuerCommonName
LEEF field name: IssuerCommonName

issuer_len (ISSUER NAME LENGTH)
The length of the issuer's common name before truncation (if any).
Syslog field name: Syslog Field Order
CEF field name: PanOSIssuerNameLength
EMAIL field name: IssuerNameLength
HTTPS field name: IssuerNameLength
LEEF field name: IssuerNameLength

log_set (LOG SETTING)
Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
Syslog field name: Syslog Field Order
CEF field name: cs6
EMAIL field name: LogSetting
HTTPS field name: LogSetting
LEEF field name: LogSetting

log_source (LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDeviceSN
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
CEF field name: PanOSDeviceName
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
CEF field name: PanOSLogSourceTimeZoneOffset
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived

log_type.value (LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat

nat_dest.value (NAT DESTINATION)
If destination NAT was performed, the post-NAT destination IP address.
Syslog field name: Syslog Field Order
CEF field name: destinationTranslatedAddress
EMAIL field name: NATDestination
HTTPS field name: NATDestination
LEEF field name: dstPostNAT

nat_dest_port (NAT DESTINATION PORT)
Post-NAT destination port.
Syslog field name: Syslog Field Order
CEF field name: destinationTranslatedPort
EMAIL field name: NATDestinationPort
HTTPS field name: NATDestinationPort
LEEF field name: dstPostNATPort

nat_source.value (NAT SOURCE)
If source NAT was performed, the post-NAT source IP address.
Syslog field name: Syslog Field Order
CEF field name: sourceTranslatedAddress
EMAIL field name: NATSource
HTTPS field name: NATSource
LEEF field name: srcPostNAT

nat_source_port (NAT SOURCE PORT)
Post-NAT source port.
Syslog field name: Syslog Field Order
CEF field name: sourceTranslatedPort
EMAIL field name: NATSourcePort
HTTPS field name: NATSourcePort
LEEF field name: srcPostNATPort

not_after (TIME NOT AFTER)
Timestamp date after which the certificate is no longer valid.
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeNotAfter
EMAIL field name: TimeNotAfter
HTTPS field name: TimeNotAfter
LEEF field name: TimeNotAfter

not_before (TIME NOT BEFORE)
Timestamp date before which the certificate is not yet valid.
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeNotBefore
EMAIL field name: TimeNotBefore
HTTPS field name: TimeNotBefore
LEEF field name: TimeNotBefore

outbound_if.value (OUTBOUND INTERFACE)
Interface to which the network traffic was destined.
Syslog field name: Syslog Field Order
CEF field name: deviceOutboundInterface
EMAIL field name: OutboundInterface
HTTPS field name: OutboundInterface
LEEF field name: OutboundInterface

outbound_if_details.port (OUTBOUND INTERFACE DETAILS PORT)
Hardware port or socket to which the network traffic was sent.
CEF field name: PanOSOutboundInterfaceDetailsPort
EMAIL field name: OutboundInterfaceDetailsPort
HTTPS field name: OutboundInterfaceDetailsPort
LEEF field name: OutboundInterfaceDetailsPort

outbound_if_details.slot (OUTBOUND INTERFACE DETAILS SLOT)
Interface slot to which the network traffic was sent.
CEF field name: PanOSOutboundInterfaceDetailsSlot
EMAIL field name: OutboundInterfaceDetailsSlot
HTTPS field name: OutboundInterfaceDetailsSlot
LEEF field name: OutboundInterfaceDetailsSlot

outbound_if_details.type.value (OUTBOUND INTERFACE DETAILS TYPE)
The type of interface to which the network traffic was sent.
CEF field name: PanOSOutboundInterfaceDetailsType
EMAIL field name: OutboundInterfaceDetailsType
HTTPS field name: OutboundInterfaceDetailsType
LEEF field name: OutboundInterfaceDetailsType

outbound_if_details.unit (OUTBOUND INTERFACE DETAILS UNIT)
Internal use.
CEF field name: PanOSOutboundInterfaceDetailsUnit
EMAIL field name: OutboundInterfaceDetailsUnit
HTTPS field name: OutboundInterfaceDetailsUnit
LEEF field name: OutboundInterfaceDetailsUnit

padding (PADDING)
For internal use only.
CEF field name: PanOSPadding
EMAIL field name: Padding
HTTPS field name: Padding
LEEF field name: Padding

padding3 (PADDING3)
For internal use only.
CEF field name: PanOSPadding3
EMAIL field name: Padding3
HTTPS field name: Padding3
LEEF field name: Padding3

panorama_serial (PANORAMA SN)
Panorama Serial associated with CDL.
CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN

platform_type (PLATFORM TYPE)
The platform type (Valid types are VM, PA, NGFW, CNGFW).
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType

pod_name (CONTAINER NAME)
Container name.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerName
EMAIL field name: ContainerName
HTTPS field name: ContainerName
LEEF field name: ContainerName

pod_namespace (CONTAINER NAME SPACE)
Container namespace.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerNameSpace
EMAIL field name: ContainerNameSpace
HTTPS field name: ContainerNameSpace
LEEF field name: ContainerNameSpace

policy_name (POLICY NAME)
The name of the Decryption policy associated with the session.
Syslog field name: Syslog Field Order
CEF field name: PanOSPolicyName
EMAIL field name: PolicyName
HTTPS field name: PolicyName
LEEF field name: PolicyName

protocol.value (PROTOCOL)
IP protocol associated with the session.
Syslog field name: Syslog Field Order
CEF field name: proto
EMAIL field name: Protocol
HTTPS field name: Protocol
LEEF field name: proto

proxy_type.value (PROXY TYPE)
The Decryption proxy type, such as Forward for Forward Proxy, Inbound for Inbound Inspection, No Decrypt for undecrypted traffic, Decryption Broker, GlobalProtect, and so forth.
Syslog field name: Syslog Field Order
CEF field name: PanOSProxyType
EMAIL field name: ProxyType
HTTPS field name: ProxyType
LEEF field name: EventID

risk_of_app (APPLICATION RISK)
Indicates how risky the application is from a network security perspective.
CEF field name: PanOSApplicationRisk
EMAIL field name: ApplicationRisk
HTTPS field name: ApplicationRisk
LEEF field name: ApplicationRisk

root_cn (ROOT COMMON NAME)
The name of the root certificate authority.
Syslog field name: Syslog Field Order
CEF field name: PanOSRootCommonName
EMAIL field name: RootCommonName
HTTPS field name: RootCommonName
LEEF field name: RootCommonName

root_cn_len (ROOT CN LENGTH)
The length of the root CA's common name before truncation (if any).
Syslog field name: Syslog Field Order
CEF field name: PanOSRootCNLength
EMAIL field name: RootCNLength
HTTPS field name: RootCNLength
LEEF field name: RootCNLength

root_status.value (ROOT STATUS)
The status of the root certificate, for example, trusted, untrusted, or uninspected.
Syslog field name: Syslog Field Order
CEF field name: PanOSRootStatus
EMAIL field name: RootStatus
HTTPS field name: RootStatus
LEEF field name: RootStatus

rule_matched (RULE)
Name of the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order
CEF field name: cs1
EMAIL field name: Rule
HTTPS field name: Rule
LEEF field name: Rule

rule_matched_uuid (RULE UUID)
Unique identifier for the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order
CEF field name: PanOSRuleUUID
EMAIL field name: RuleUUID
HTTPS field name: RuleUUID
LEEF field name: RuleUUID

sanctioned_state_of_app (SANCTIONED STATE OF APP)
Indicates whether the application has been flagged as sanctioned by the firewall administrator.
CEF field name: PanOSSanctionedStateOfApp
EMAIL field name: SanctionedStateOfApp
HTTPS field name: SanctionedStateOfApp
LEEF field name: SanctionedStateOfApp

sequence_no (SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo

session_id (SESSION ID)
Identifies the firewall's internal identifier for a specific network session.
Syslog field name: Syslog Field Order
CEF field name: cn1
EMAIL field name: SessionID
HTTPS field name: SessionID
LEEF field name: SessionID

sni (SERVER NAME INDICATION)
The hostname of the server that the client is trying to contact.
Syslog field name: Syslog Field Order
CEF field name: PanOSServerNameIndication
EMAIL field name: ServerNameIndication
HTTPS field name: ServerNameIndication
LEEF field name: ServerNameIndication

sni_len (SNI LENGTH)
The length of the server name indication (SNI), which is the hostname of the server that the client is trying to reach. This is the full length of the SNI before any truncation might have occurred.
Syslog field name: Syslog Field Order
CEF field name: PanOSSNILength
EMAIL field name: SNILength
HTTPS field name: SNILength
LEEF field name: SNILength

source_device_category (SOURCE DEVICE CATEGORY)
Category of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceCategory
EMAIL field name: SourceDeviceCategory
HTTPS field name: SourceDeviceCategory
LEEF field name: SourceDeviceCategory

source_device_class (SOURCE DEVICE CLASS)
Source device class.
CEF field name: PanOSSourceDeviceClass
EMAIL field name: SourceDeviceClass
HTTPS field name: SourceDeviceClass
LEEF field name: SourceDeviceClass

source_device_host (SOURCE DEVICE HOST)
Hostname of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceHost
EMAIL field name: SourceDeviceHost
HTTPS field name: SourceDeviceHost
LEEF field name: SourceDeviceHost

source_device_mac (SOURCE DEVICE MAC)
MAC Address of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceMac
EMAIL field name: SourceDeviceMac
HTTPS field name: SourceDeviceMac
LEEF field name: SourceDeviceMac

source_device_model (SOURCE DEVICE MODEL)
Model of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceModel
EMAIL field name: SourceDeviceModel
HTTPS field name: SourceDeviceModel
LEEF field name: SourceDeviceModel

source_device_os (SOURCE DEVICE OS)
Source device OS type.
CEF field name: PanOSSourceDeviceOS
EMAIL field name: SourceDeviceOS
HTTPS field name: SourceDeviceOS
LEEF field name: SourceDeviceOS

source_device_osfamily (SOURCE DEVICE OS FAMILY)
OS family of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceOSFamily
EMAIL field name: SourceDeviceOSFamily
HTTPS field name: SourceDeviceOSFamily
LEEF field name: SourceDeviceOSFamily

source_device_osversion (SOURCE DEVICE OS VERSION)
OS version of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceOSVersion
EMAIL field name: SourceDeviceOSVersion
HTTPS field name: SourceDeviceOSVersion
LEEF field name: SourceDeviceOSVersion

source_device_profile (SOURCE DEVICE PROFILE)
Profile of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceProfile
EMAIL field name: SourceDeviceProfile
HTTPS field name: SourceDeviceProfile
LEEF field name: SourceDeviceProfile

source_device_vendor (SOURCE DEVICE VENDOR)
Vendor of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceVendor
EMAIL field name: SourceDeviceVendor
HTTPS field name: SourceDeviceVendor
LEEF field name: SourceDeviceVendor

source_dynamic_address_group (SOURCE DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the source of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDynamicAddressGroup
EMAIL field name: SourceDynamicAddressGroup
HTTPS field name: SourceDynamicAddressGroup
LEEF field name: SourceDynamicAddressGroup

source_edl (SOURCE EDL)
The name of the external dynamic list that contains the source IP address of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceEDL
EMAIL field name: SourceEDL
HTTPS field name: SourceEDL
LEEF field name: SourceEDL

source_ip.value (SOURCE ADDRESS)
Original source IP address.
Syslog field name: Syslog Field Order
CEF fields: src or c6a2
EMAIL field name: SourceAddress
HTTPS field name: SourceAddress
LEEF field name: src

source_location (SOURCE LOCATION)
Source country or internal region for private addresses.
CEF field name: PanOSSourceLocation
EMAIL field name: SourceLocation
HTTPS field name: SourceLocation
LEEF field name: SourceLocation

source_port (SOURCE PORT)
Source port utilized by the session.
Syslog field name: Syslog Field Order
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort

source_user (SOURCE USER)
The username that initiated the network traffic.
Syslog field name: Syslog Field Order
CEF field name: suser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: usrName

source_user_info.domain (SOURCE USER DOMAIN)
Domain to which the Source User belongs.
CEF field name: sntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain

source_user_info.name The Source User. That is, the username that initiated
the network traffic.
(SOURCE USER NAME)
CEF field name: All of the following: susername, suser
EMAIL field name: SourceUserName

Cortex Data Lake Schema Reference January 2024 177 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)
HTTPS field name: SourceUserName
LEEF field name: SourceUserName

source_user_info.uuid Unique identifier assigned to the Source User.


(SOURCE USER UUID) CEF field name: suid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID

source_uuid Identifies the source universal unique identifier for a


guest virtual machine in the VMware NSX environment.
(SOURCE UUID)
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceUUID
EMAIL field name: SourceUUID
HTTPS field name: SourceUUID
LEEF field name: SourceUUID

sub_type.value Identifies the log subtype.


(SUB TYPE) Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: All of the following: Subtype,
SubType
HTTPS field name: All of the following: Subtype,
SubType
LEEF field name: SubType

technology_of_app The networking technology used by the identified


application.
(APPLICATION TECHNOLOGY)
CEF field name: PanOSApplicationTechnology
EMAIL field name: ApplicationTechnology
HTTPS field name: ApplicationTechnology
LEEF field name: ApplicationTechnology

time_generated Time when the log was generated on the firewall's data
plane. This string contains a timestamp value that is the
(TIME GENERATED)
number of microseconds since the Unix epoch.

Cortex Data Lake Schema Reference January 2024 178 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res Time the log was generated in data plane


with millisec granularity in format YYYY-MM-
(TIME GENERATED HIGH
DDTHH:MM:SS[.DDDDDD]Z.
RESOLUTION)
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

time_received_mp Time the log was received in the management plane in


format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
(TIME RECEIVED MANAGEMENT
PLANE) Syslog field name: Syslog Field Order
CEF field name: PanOSTimeReceivedManagementPlane
EMAIL field name: TimeReceivedManagementPlane
HTTPS field name: TimeReceivedManagementPlane
LEEF field name: TimeReceivedManagementPlane

tls_auth.value TLS hash algorithm.


(TLS AUTH) Syslog field name: Syslog Field Order
CEF field name: PanOSTLSAuth
EMAIL field name: TLSAuth
HTTPS field name: TLSAuth
LEEF field name: TLSAuth

tls_enc_algorithm.value The algorithm used to encrypt the session data, such as


AES-128-CBC, AES-256-GCM, and so forth.
(TLS ENCRYPTION ALGORITHM)
Syslog field name: Syslog Field Order
CEF field name: PanOSTLSEncryptionAlgorithm
EMAIL field name: TLSEncryptionAlgorithm

Cortex Data Lake Schema Reference January 2024 179 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)
HTTPS field name: TLSEncryptionAlgorithm
LEEF field name: TLSEncryptionAlgorithm

tls_keyxchange.value Algorithm used to perform the key exchange. Possible


values are:
(TLS KEY EXCHANGE)
• RSA
• DHE
• ECDHE
• TLS1.3
Syslog field name: Syslog Field Order
CEF field name: PanOSTLSKeyExchange
EMAIL field name: TLSKeyExchange
HTTPS field name: TLSKeyExchange
LEEF field name: TLSKeyExchange

tls_version.value Version of TLS used for the encrypted session


represented as major.minor.patch.build.
(TLS VERSION)
Syslog field name: Syslog Field Order
CEF field name: PanOSTLSVersion
EMAIL field name: TLSVersion
HTTPS field name: TLSVersion
LEEF field name: TLSVersion

to_zone Networking zone to which the traffic was sent.


(TO ZONE) Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone

tpadding For internal use only.


(TPADDING) CEF field name: PanOSTpadding
EMAIL field name: Tpadding
HTTPS field name: Tpadding

Cortex Data Lake Schema Reference January 2024 180 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)
LEEF field name: Tpadding

tunnel.value Type of tunnel.


(TUNNEL) Syslog field name: Syslog Field Order
CEF field name: PanOSTunnel
EMAIL field name: Tunnel
HTTPS field name: Tunnel
LEEF field name: Tunnel

tunneled_app For internal use only.


(TUNNELED APPLICATION) CEF field name: PanOSTunneledApplication
EMAIL field name: TunneledApplication
HTTPS field name: TunneledApplication
LEEF field name: TunneledApplication

vendor_name Identifies the vendor that produced the data.


(VENDOR NAME) CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

vpadding For internal use only.


(VPADDING) CEF field name: PanOSVpadding
EMAIL field name: Vpadding
HTTPS field name: Vpadding
LEEF field name: Vpadding

vsys String representation of the unique identifier for a


virtual system on a Palo Alto Networks firewall.
(VIRTUAL LOCATION)
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

Cortex Data Lake Schema Reference January 2024 181 ©2024 Palo Alto Networks, Inc.
Network Logs

DECRYPTION Field Description


(Display Name)

vsys_id A unique identifier for a virtual system on a Palo Alto


Networks firewall.
(VIRTUAL SYSTEM ID)
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name The name of the virtual system associated with the


network traffic.
(VIRTUAL SYSTEM NAME)
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

Decryption Syslog Default Field Order

Example Decryption log in Syslog:

Oct 13 01:11:28 gke-standard-cluster-2-pool-1-6ea9f13a-moqf 1124 <142>1
2020-10-13T01:11:28.247Z stream-logfwd20-156653024-10121421-eq28-harness-16kn
logforwarder - panwlogs - 1,2020-10-13T01:11:23.000000Z,007051000113358,,
DECRYPTION,10.0,2020-10-13T01:11:05.000000Z,xxx.xx.x.xx,xxx.xx.x.xx,
xxx.xx.x.xx,xxx.xx.x.xx,deny-attackers,00000000000000000000ffff05050505,
paloaltonetwork\xxxxx,mcafee-endpoint-encryption,vsys1,ethernet4Zone-test3,
datacenter,,,rs-logging,2020-10-13T01:11:05.000000Z,999250,1,28790,18368,
31621,27853,3072,tcp,allow,GRE,,,,,85c1488d-5bbd-42e7-8f28-a19256972c32,
unknown,unknown,TLS1.3,ECDHE,AES_128_GCM,SHA256,,sect409k1,None,Untrusted,
Uninspected,Broker,14ff0117d825393ebcad2bbfb94bc282da926a7a,
6263d82e0ec3d57c209151526dc1240cc19ec2e685fbae4c81f394e9819a7699,
1602551466,1605143466,V2,192,23,32,32,21,64,CN = MGMT-GROUP-MGMT-CA,
CN = Thawte Premium Server CA1,CN = Thawte Premium Server CA1,
devop-host.panw.local,,1873cc5c-0d31,pns_default,pan-dp-77754f4,,,,,
2020-10-13T01:11:06.359000Z,H-Phone,h-profile,Pro,Huawei,Mate 10,
Android v6.1,pan-411,264754728121,H-Phone,h-profile,ANE-LX3,Huawei,
P20 Lite,Android v7.1,pan-431,496310767571,111291,-9223372036854775808

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.

HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value, rule_matched,
source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value, outbound_if.value,
log_set, time_received_mp, session_id, count_of_repeats, source_port, dest_port, nat_source_port,
nat_dest_port, flags, protocol.value, action.value, tunnel.value, EMPTY, EMPTY, source_uuid,
dest_uuid, rule_matched_uuid, client_to_firewall.value, firewall_to_client.value, tls_version.value,
tls_keyxchange.value, tls_enc_algorithm.value, tls_auth.value, policy_name, elliptic_curve.value,
error_index.value, root_status.value, chain_status.value, proxy_type.value, cert_serial, fingerprint,
not_before, not_after, certificate_version.value, certificate_size, cn_len, issuer_len, root_cn_len,
sni_len, cert_flags, cn, issuer_cn, root_cn, sni, error_message, container_id, pod_namespace,
pod_name, source_edl, dest_edl, source_dynamic_address_group, dest_dynamic_address_group,
time_generated_high_res, source_device_category, source_device_profile, source_device_model,
source_device_vendor, source_device_osfamily, source_device_osversion, source_device_host,
source_device_mac, dest_device_category, dest_device_profile, dest_device_model,
dest_device_vendor, dest_device_osfamily, dest_device_osversion, dest_device_host,
dest_device_mac, sequence_no, action_flags

Decryption CEF Fields

Example Decryption log in CEF:

Mar 1 20:35:56 xxx.xx.x.xx 2341 <14>1 2021-03-01T20:35:56.343Z
stream-logfwd20-587718190-02280003-lvod-harness-mjdh
logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|
ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx
PanOSConfigVersion=null start=Mar 01 2021 20:35:54 src=xxx.xx.x.xx
dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx
destinationTranslatedAddress=xxx.xx.x.xx cs1=allow-all-employees
cs1Label=Rule suser=paloaltonetwork\\\\xxxxx duser=paloaltonetwork\\\\xxxxx
app=gmail-base cs3=vsys1 cs3Label=VirtualLocation
cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone
deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901
cs6=test cs6Label=LogSetting PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48
cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122
sourceTranslatedPort=15856 destinationTranslatedPort=10128 proto=tcp
act=deny PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID=
PanOSRuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e
PanOSClientToFirewall=null PanOSFirewallToClient=null
PanOSTLSVersion=null PanOSTLSKeyExchange=null
PanOSTLSEncryptionAlgorithm=null PanOSTLSAuth=null PanOSPolicyName=
PanOSEllipticCurve= PanOSErrorIndex=null PanOSRootStatus=null
PanOSChainStatus=null PanOSProxyType=null PanOSCertificateSerial=
PanOSFingerprint= PanOSTimeNotBefore=0 PanOSTimeNotAfter=0
PanOSCertificateVersion=null PanOSCertificateSize=0
PanOSCommonNameLength=0 PanOSIssuerNameLength=0
PanOSRootCNLength=0 PanOSSNILength=0 PanOSCertificateFlags=0
PanOSCommonName= PanOSIssuerCommonName= PanOSRootCommonName=
PanOSServerNameIndication= PanOSErrorMessage= PanOSContainerID=
PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL=
PanOSDestinationEDL= PanOSSourceDynamicAddressGroup=
PanOSDestinationDynamicAddressGroup=test
PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12
PanOSSourceDeviceCategory= PanOSSourceDeviceProfile=
PanOSSourceDeviceModel= PanOSSourceDeviceVendor=
PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion=
PanOSSourceDeviceHost= PanOSSourceDeviceMac=
PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile=
PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor=
PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion=
PanOSDestinationDeviceHost= PanOSDestinationDeviceMac=
externalId=xxxxxxxxxxxxx

The following table identifies the Decryption field names that the Log Forwarding app uses when
you forward logs using the CEF log format.

CEF Name | Query Name | Header Type | Details (label, max length)

act | action.value | Predefined | Max Length: 63
app | app | Predefined | Max Length: 31
PanOSApplicationCategory | app_category | Custom
PanOSApplicationSubcategory | app_sub_category | Custom
PanOSCertificateFlags | cert_flags | Custom
PanOSCertificateSerial | cert_serial | Custom
PanOSCertificateSize | certificate_size | Custom
PanOSCertificateVersion | certificate_version.value | Custom
PanOSChainStatus | chain_status.value | Custom
PanOSApplicationCharacteristics | characteristics_of_app | Custom
PanOSClientToFirewall | client_to_firewall.value | Custom
PanOSCommonName | cn | Custom
PanOSCommonNameLength | cn_len | Custom
PanOSConfigVersion | config_version.value | Custom
PanOSContainerID | container_id | Custom
PanOSApplicationContainer | container_of_app | Custom
cnt | count_of_repeats | Predefined
PanOSCpadding | cpadding | Custom
PanOSCortexDataLakeTenantID | customer_id | Custom
PanOSDestinationDeviceCategory | dest_device_category | Custom
PanOSDestinationDeviceClass | dest_device_class | Custom
PanOSDestinationDeviceHost | dest_device_host | Custom
PanOSDestinationDeviceMac | dest_device_mac | Custom
PanOSDestinationDeviceModel | dest_device_model | Custom
PanOSDestinationDeviceOS | dest_device_os | Custom
PanOSDestinationDeviceOSFamily | dest_device_osfamily | Custom
PanOSDestinationDeviceOSVersion | dest_device_osversion | Custom
PanOSDestinationDeviceProfile | dest_device_profile | Custom
PanOSDestinationDeviceVendor | dest_device_vendor | Custom
PanOSDestinationDynamicAddressGroup | dest_dynamic_address_group | Custom
PanOSDestinationEDL | dest_edl | Custom
dst or c6a3 | dest_ip.value | Predefined | Label: c6a3Label (c6a3 only); Label Text: Destination IPv6 Address (c6a3 only)
PanOSDestinationLocation | dest_location | Custom
dpt | dest_port | Predefined
duser | dest_user | Predefined | Max Length: 1023
dntdom | dest_user_info.domain | Predefined | Max Length: 255
dusername, duser | dest_user_info.name | Predefined | Max Length: 255
duid | dest_user_info.uuid | Predefined | Max Length: 255
PanOSDestinationUUID | dest_uuid | Custom
PanOSDGHierarchyLevel1 | dg_hier_level_1 | Custom
PanOSDGHierarchyLevel2 | dg_hier_level_2 | Custom
PanOSDGHierarchyLevel3 | dg_hier_level_3 | Custom
PanOSDGHierarchyLevel4 | dg_hier_level_4 | Custom
PanOSDomain | domain | Custom
PanOSEllipticCurve | elliptic_curve.value | Custom
PanOSErrorIndex | error_index.value | Custom
PanOSErrorMessage | error_message | Custom
PanOSFingerprint | fingerprint | Custom
PanOSFirewallToClient | firewall_to_client.value | Custom
cs4 | from_zone | Predefined | Label: cs4Label; Label Text: FromZone; Max Length: 4000
deviceInboundInterface | inbound_if.value | Predefined | Max Length: 128
PanOSInboundInterfaceDetailsPort | inbound_if_details.port | Custom
PanOSInboundInterfaceDetailsSlot | inbound_if_details.slot | Custom
PanOSInboundInterfaceDetailsType | inbound_if_details.type.value | Custom
PanOSInboundInterfaceDetailsUnit | inbound_if_details.unit | Custom
PanOSCaptivePortal | is_captive_portal | Custom
PanOSIsCertECDSA | is_cert_ECDSA | Custom
PanOSIsCertRSA | is_cert_RSA | Custom
PanOSIsCertCNTruncated | is_cert_cn_truncated | Custom
PanOSIsClienttoServer | is_client_to_server | Custom
PanOSIsContainer | is_container | Custom
PanOSIsDecryptMirror | is_decrypt_mirror | Custom
PanOSIsDecrypted | is_decrypted | Custom
PanOSIsDuplicateLog | is_dup_log | Custom
PanOSIsEncrypted | is_encrypted | Custom
PanOSLogExported | is_exported | Custom
PanOSIsForwarded | is_forwarded | Custom
PanOSIsIPV6 | is_ipv6 | Custom
PanOSIsIssuerCNTruncated | is_issuer_cn_truncated | Custom
PanOSIsMptcpOn | is_mptcp_on | Custom
PanOSIsNAT | is_nat | Custom
PanOSIsNonStandardDestinationPort | is_non_std_dest_port | Custom
PanOSPacketCapture | is_packet_capture | Custom
PanOSIsPhishing | is_phishing | Custom
PanOSIsPrismaNetwork | is_prisma_branch | Custom
PanOSIsPrismaUsers | is_prisma_mobile | Custom
PanOSIsProxy | is_proxy | Custom
PanOSIsReconExcluded | is_recon_excluded | Custom
PanOSIsResumeSession | is_resume_session | Custom
PanOSIsRootCNTruncated | is_root_cn_truncated | Custom
PanOSIsSaaSApplication | is_saas_app | Custom
PanOSIsServertoClient | is_server_to_client | Custom
PanOSIsSNITruncated | is_sni_truncated | Custom
PanOSIsSourceXForwarded | is_source_x_fwded | Custom
PanOSIsSystemReturn | is_sym_return | Custom
PanOSIsTransaction | is_trans
action | Custom
PanOSIsTunnelInspected | is_tunnel_inspected | Custom
PanOSIsURLDenied | is_url_denied | Custom
PanOSIssuerCommonName | issuer_cn | Custom
PanOSIssuerNameLength | issuer_len | Custom
cs6 | log_set | Predefined | Label: cs6Label; Label Text: LogSetting; Max Length: 4000
PanOSLogSource | log_source | Custom
LogSourceGroupID | log_source_group_id | Custom | Max Length: 255
PanOSDeviceSN | log_source_id | Custom
PanOSDeviceName | log_source_name | Custom
PanOSLogSourceTimeZoneOffset | log_source_tz_offset | Custom
rt | log_time | Predefined
Device Event Class ID | log_type.value | Custom
destinationTranslatedAddress | nat_dest.value | Predefined
destinationTranslatedPort | nat_dest_port | Predefined
sourceTranslatedAddress | nat_source.value | Predefined
sourceTranslatedPort | nat_source_port | Predefined
PanOSTimeNotAfter | not_after | Custom
PanOSTimeNotBefore | not_before | Custom
deviceOutboundInterface | outbound_if.value | Predefined | Max Length: 128
PanOSOutboundInterfaceDetailsPort | outbound_if_details.port | Custom
PanOSOutboundInterfaceDetailsSlot | outbound_if_details.slot | Custom
PanOSOutboundInterfaceDetailsType | outbound_if_details.type.value | Custom
PanOSOutboundInterfaceDetailsUnit | outbound_if_details.unit | Custom
PanOSPadding | padding | Custom
PanOSPadding3 | padding3 | Custom
PanOSPanoramaSN | panorama_serial | Custom
PlatformType | platform_type | Custom
PanOSContainerName | pod_name | Custom
PanOSContainerNameSpace | pod_namespace | Custom
PanOSPolicyName | policy_name | Custom
proto | protocol.value | Predefined | Max Length: 31
PanOSProxyType | proxy_type.value | Custom
PanOSApplicationRisk | risk_of_app | Custom
PanOSRootCommonName | root_cn | Custom
PanOSRootCNLength | root_cn_len | Custom
PanOSRootStatus | root_status.value | Custom
cs1 | rule_matched | Predefined | Label: cs1Label; Label Text: Rule; Max Length: 4000
PanOSRuleUUID | rule_matched_uuid | Custom
PanOSSanctionedStateOfApp | sanctioned_state_of_app | Custom
externalId | sequence_no | Predefined | Max Length: 40
cn1 | session_id | Predefined | Label: cn1Label; Label Text: SessionID
PanOSServerNameIndication | sni | Custom
PanOSSNILength | sni_len | Custom
PanOSSourceDeviceCategory | source_device_category | Custom
PanOSSourceDeviceClass | source_device_class | Custom
PanOSSourceDeviceHost | source_device_host | Custom
PanOSSourceDeviceMac | source_device_mac | Custom
PanOSSourceDeviceModel | source_device_model | Custom
PanOSSourceDeviceOS | source_device_os | Custom
PanOSSourceDeviceOSFamily | source_device_osfamily | Custom
PanOSSourceDeviceOSVersion | source_device_osversion | Custom
PanOSSourceDeviceProfile | source_device_profile | Custom
PanOSSourceDeviceVendor | source_device_vendor | Custom
PanOSSourceDynamicAddressGroup | source_dynamic_address_group | Custom
PanOSSourceEDL | source_edl | Custom
src or c6a2 | source_ip.value | Predefined | Label: c6a2Label (c6a2 only); Label Text: Source IPv6 Address (c6a2 only)
PanOSSourceLocation | source_location | Custom
spt | source_port | Predefined
suser | source_user | Predefined | Max Length: 1023
sntdom | source_user_info.domain | Predefined | Max Length: 1023
susername, suser | source_user_info.name | Predefined | Max Length: 1023
suid | source_user_info.uuid | Predefined | Max Length: 1023
PanOSSourceUUID | source_uuid | Custom
Name | sub_type.value | Custom
PanOSApplicationTechnology | technology_of_app | Custom
start | time_generated | Predefined
PanOSTimeGeneratedHighResolution | time_generated_high_res | Custom
PanOSTimeReceivedManagementPlane | time_received_mp | Custom
PanOSTLSAuth | tls_auth.value | Custom
PanOSTLSEncryptionAlgorithm | tls_enc_algorithm.value | Custom
PanOSTLSKeyExchange | tls_keyxchange.value | Custom
PanOSTLSVersion | tls_version.value | Custom
cs5 | to_zone | Predefined | Label: cs5Label; Label Text: ToZone; Max Length: 4000
PanOSTpadding | tpadding | Custom
PanOSTunnel | tunnel.value | Custom
PanOSTunneledApplication | tunneled_app | Custom
Device Vendor | vendor_name | Custom
PanOSVpadding | vpadding | Custom
cs3 | vsys | Predefined | Label: cs3Label; Label Text: VirtualLocation; Max Length: 4000
PanOSVirtualSystemID | vsys_id | Custom
PanOSVirtualSystemName | vsys_name | Custom
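
The CEF mapping above, applied in code. This is an added example, not code from this page or from the Log Forwarding app: it takes the page's CEF example (re-joined onto one line and trimmed to a subset of its extension keys), splits the pipe-delimited header, tokenises the extension at each key= boundary so that values with spaces such as rt=Mar 01 2021 20:35:54 survive intact, undoes CEF's backslash escaping, and renames the CEF keys to the query names in the table (the CEF_TO_QUERY dictionary is a subset of that table; unlisted keys pass through under their CEF name). The csNLabel and cnNLabel keys are separated out, since they carry the label text for a sibling custom field rather than a value. The header positions Device Vendor, Device Event Class ID and Name are mapped as the table says; cef_severity is an assumed name for the severity position, for which the page lists no query name.

```python
"""Parse a DECRYPTION log forwarded in CEF and map the CEF names back to the
schema's query names using the CEF Name -> Query Name table above.
Added example; not code from the page or from the Log Forwarding app."""
import re

# The page's CEF example, re-joined onto one line and trimmed to a subset of
# its extension keys; the xxx values are the page's own placeholders.
SAMPLE_CEF = (
    "Mar 1 20:35:56 xxx.xx.x.xx 2341 <14>1 2021-03-01T20:35:56.343Z "
    "stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - "
    "panwlogs - CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|"
    "ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 "
    "PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=null "
    "start=Mar 01 2021 20:35:54 src=xxx.xx.x.xx dst=xxx.xx.x.xx "
    "cs1=allow-all-employees cs1Label=Rule "
    r"suser=paloaltonetwork\\\\xxxxx duser=paloaltonetwork\\\\xxxxx "
    "app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter "
    "cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone "
    "deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901 "
    "cs6=test cs6Label=LogSetting "
    "PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48 "
    "cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 proto=tcp "
    "act=deny PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID= "
    "PanOSTLSVersion=null PanOSTLSKeyExchange=null externalId=xxxxxxxxxxxxx"
)

# CEF Name -> Query Name, a subset of the table above. Keys not listed here
# (other PanOS* custom fields) pass through under their CEF name.
CEF_TO_QUERY = {
    "act": "action.value", "app": "app", "cnt": "count_of_repeats",
    "src": "source_ip.value", "dst": "dest_ip.value",
    "spt": "source_port", "dpt": "dest_port",
    "suser": "source_user", "duser": "dest_user", "proto": "protocol.value",
    "cs1": "rule_matched", "cs3": "vsys", "cs4": "from_zone",
    "cs5": "to_zone", "cs6": "log_set", "cn1": "session_id",
    "rt": "log_time", "start": "time_generated", "externalId": "sequence_no",
    "deviceInboundInterface": "inbound_if.value",
    "deviceOutboundInterface": "outbound_if.value",
    "PanOSDeviceSN": "log_source_id",
    "PanOSConfigVersion": "config_version.value",
    "PanOSTimeReceivedManagementPlane": "time_received_mp",
    "PanOSTunnel": "tunnel.value", "PanOSSourceUUID": "source_uuid",
    "PanOSDestinationUUID": "dest_uuid",
    "PanOSTLSVersion": "tls_version.value",
    "PanOSTLSKeyExchange": "tls_keyxchange.value",
}

HEADER_SEP = re.compile(r"(?<!\\)\|")                       # pipe not escaped by '\'
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")   # 'key=' boundaries


def cef_unescape(value: str) -> str:
    """CEF escapes backslash, pipe and equals with a leading backslash."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def split_cef(line: str) -> tuple:
    """Return (7 header fields, extension string) from a line carrying CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload found")
    parts = HEADER_SEP.split(line[idx:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    return [cef_unescape(p) for p in parts[:7]], parts[7]


def parse_extension(ext: str) -> dict:
    """Tokenise 'key=value' pairs; values may contain spaces (rt=Mar 01 2021 ...)."""
    keys = list(EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = cef_unescape(ext[m.end():end].strip())
    return fields


def custom_labels(fields: dict) -> dict:
    """csNLabel/cnNLabel keys carry the label text for their sibling key."""
    return {k[:-5]: v for k, v in fields.items()
            if k.endswith("Label") and k[:-5] in fields}


def to_query_names(line: str) -> dict:
    """Rename header positions and extension keys to schema query names."""
    header, ext = split_cef(line)
    fields = parse_extension(ext)
    labels = custom_labels(fields)
    record = {
        "vendor_name": header[1],       # Device Vendor
        "log_type.value": header[4],    # Device Event Class ID
        "sub_type.value": header[5],    # Name
        "cef_severity": header[6],      # assumed name; the page lists no query name
    }
    for key, value in fields.items():
        if key.endswith("Label") and key[:-5] in labels:
            continue                    # label text, not a field value
        record[CEF_TO_QUERY.get(key, key)] = value
    return record


if __name__ == "__main__":
    rec = to_query_names(SAMPLE_CEF)
    print(rec["rule_matched"], rec["to_zone"], rec["session_id"], rec["action.value"])
```

Splitting the extension on whitespace alone would break rt and start, whose values contain spaces, and a naive split on "=" would break escaped values; the key= boundary regex and cef_unescape handle both.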

Decryption EMAIL Fields

Example Decryption log in EMAIL:

TimeReceived=2021-02-23T02:43:57.000000Z
DeviceSN=xxxxxxxxxxxxx
SubType=end
ConfigVersion=null
TimeGenerated=2021-02-23T02:43:57.000000Z
CaptivePortal=false
CortexDataLakeTenantID=xxxxxxxxxxxxx-ingest
Cpadding=0
DGHierarchyLevel1=12
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
DestinationDeviceClass=
DestinationDeviceOS=
DestinationLocation=IN
DestinationUserDomain=paloaltonetwork
DestinationUserName=xxxxx
DestinationUserUUID=0
DeviceName=PA-VM
Domain=0
InboundInterfaceDetailsPort=1
InboundInterfaceDetailsSlot=1
InboundInterfaceDetailsType=ethernet
InboundInterfaceDetailsUnit=0
IsCertCNTruncated=false
IsCertECDSA=false
IsCertRSA=false
IsClienttoServer=false
IsContainer=false
IsDecryptMirror=false
IsDecrypted=
IsDuplicateLog=false
IsEncrypted=
IsForwarded=true
IsIPV6=
IsIssuerCNTruncated=false
IsMptcpOn=false
IsNAT=false
IsNonStandardDestinationPort=true
IsPhishing=false
IsPrismaNetwork=false
IsPrismaUsers=false
IsProxy=false
IsReconExcluded=false
IsResumeSession=false
IsRootCNTruncated=false
IsSNITruncated=false
IsServertoClient=false
IsSourceXForwarded=
IsSystemReturn=false
SourceAddress=xxx.xx.x.xx
DestinationAddress=xxx.xx.x.xx
NATSource=xxx.xx.x.xx
NATDestination=xxx.xx.x.xx
Rule=allow-all-employees
SourceUser="paloaltonetwork\\xxxxx"
DestinationUser="paloaltonetwork\\xxxxx"
Application=gmail-base
VirtualLocation=vsys1
FromZone=datacenter
ToZone=ethernet4Zone-test1
InboundInterface=ethernet1/1
OutboundInterface=tunnel.901
LogSetting=test
TimeReceivedManagementPlane=2019-12-12T22:16:48.000000Z
SessionID=106112
CountOfRepeat=1
SourcePort=16524
DestinationPort=20122
NATSourcePort=15856
NATDestinationPort=10128
Protocol=tcp
Action=deny
Tunnel=N/A
SourceUUID=
DestinationUUID=
RuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e
ClientToFirewall=null
FirewallToClient=null
TLSVersion=null
TLSKeyExchange=null
TLSEncryptionAlgorithm=null
TLSAuth=null
PolicyName=
EllipticCurve=
ErrorIndex=null
RootStatus=null
ChainStatus=null
ProxyType=null
CertificateSerial=
Fingerprint=
TimeNotBefore=0
TimeNotAfter=0
CertificateVersion=null
CertificateSize=0
CommonNameLength=0
IssuerNameLength=0
RootCNLength=0
SNILength=0
CertificateFlags=0
CommonName=
IssuerCommonName=
RootCommonName=
ServerNameIndication=
ErrorMessage=
ContainerID=
ContainerNameSpace=
ContainerName=
SourceEDL=
DestinationEDL=
SourceDynamicAddressGroup=
DestinationDynamicAddressGroup=test
TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z
SourceDeviceCategory=
SourceDeviceProfile=
SourceDeviceModel=
SourceDeviceVendor=
SourceDeviceOSFamily=
SourceDeviceOSVersion=
SourceDeviceHost=
SourceDeviceMac=
DestinationDeviceCategory=
DestinationDeviceProfile=
DestinationDeviceModel=
DestinationDeviceVendor=
DestinationDeviceOSFamily=
DestinationDeviceOSVersion=
DestinationDeviceHost=
DestinationDeviceMac=
SequenceNo=8026543790

The following table identifies the Decryption field names that the Log Forwarding app uses when
you forward logs using the EMAIL log format.

EMAIL Name Query Name

Action action.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

CertificateFlags cert_flags

CertificateSerial cert_serial

CertificateSize certificate_size

CertificateVersion certificate_version.value

ChainStatus chain_status.value

ApplicationCharacteristics characteristics_of_app

ClientToFirewall client_to_firewall.value

CommonName cn

CommonNameLength cn_len

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

RepeatCount, CountOfRepeat count_of_repeats

Cpadding cpadding

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

Domain domain

EllipticCurve elliptic_curve.value

ErrorIndex error_index.value

ErrorMessage error_message

Fingerprint fingerprint

FirewallToClient firewall_to_client.value

FromZone from_zone

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsCertECDSA is_cert_ECDSA

IsCertRSA is_cert_RSA

IsCertCNTruncated is_cert_cn_truncated

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

IsForwarded is_forwarded

IsIPV6 is_ipv6

IsIssuerCNTruncated is_issuer_cn_truncated

IsMptcpOn is_mptcp_on

IsNAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

PacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsResumeSession is_resume_session

IsRootCNTruncated is_root_cn_truncated

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSNITruncated is_sni_truncated

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

IssuerCommonName issuer_cn

IssuerNameLength issuer_len

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

TimeNotAfter not_after

TimeNotBefore not_before

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

Padding padding

Padding3 padding3

PanoramaSN panorama_serial

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

PolicyName policy_name

Protocol protocol.value

ProxyType proxy_type.value

ApplicationRisk risk_of_app

RootCommonName root_cn

RootCNLength root_cn_len

RootStatus root_status.value

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp sanctioned_state_of_app

SequenceNo sequence_no

SessionID session_id

ServerNameIndication sni

SNILength sni_len

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype, SubType sub_type.value

ApplicationTechnology technology_of_app

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

TimeReceivedManagementPlane time_received_mp

TLSAuth tls_auth.value

TLSEncryptionAlgorithm tls_enc_algorithm.value

TLSKeyExchange tls_keyxchange.value

TLSVersion tls_version.value

ToZone to_zone

Tpadding tpadding

Tunnel tunnel.value

TunneledApplication tunneled_app

VendorName vendor_name

Vpadding vpadding

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

Decryption HTTPS Fields


The following table identifies the Decryption field names that the Log Forwarding app uses when
you forward logs using the HTTPS log format.

HTTPS Name Query Name

Action action.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

CertificateFlags cert_flags

CertificateSerial cert_serial

CertificateSize certificate_size

CertificateVersion certificate_version.value

ChainStatus chain_status.value

ApplicationCharacteristics characteristics_of_app

ClientToFirewall client_to_firewall.value

CommonName cn

CommonNameLength cn_len

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

RepeatCount, CountOfRepeat count_of_repeats

Cpadding cpadding

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

Domain domain

EllipticCurve elliptic_curve.value

ErrorIndex error_index.value

ErrorMessage error_message

Fingerprint fingerprint

FirewallToClient firewall_to_client.value

FromZone from_zone

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsCertECDSA is_cert_ECDSA

IsCertRSA is_cert_RSA

IsCertCNTruncated is_cert_cn_truncated

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

IsForwarded is_forwarded

IsIPV6 is_ipv6

IsIssuerCNTruncated is_issuer_cn_truncated

IsMptcpOn is_mptcp_on

IsNAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

PacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsResumeSession is_resume_session

IsRootCNTruncated is_root_cn_truncated

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSNITruncated is_sni_truncated

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

IssuerCommonName issuer_cn

IssuerNameLength issuer_len

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

TimeNotAfter not_after

TimeNotBefore not_before

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

Padding padding

Padding3 padding3

PanoramaSN panorama_serial

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

PolicyName policy_name

Protocol protocol.value

ProxyType proxy_type.value

ApplicationRisk risk_of_app

RootCommonName root_cn

RootCNLength root_cn_len

RootStatus root_status.value

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp sanctioned_state_of_app

SequenceNo sequence_no

SessionID session_id

ServerNameIndication sni

SNILength sni_len

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype, SubType sub_type.value

ApplicationTechnology technology_of_app

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

TimeReceivedManagementPlane time_received_mp

TLSAuth tls_auth.value

TLSEncryptionAlgorithm tls_enc_algorithm.value

TLSKeyExchange tls_keyxchange.value

TLSVersion tls_version.value

ToZone to_zone

Tpadding tpadding

Tunnel tunnel.value

TunneledApplication tunneled_app

VendorName vendor_name

Vpadding vpadding

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

Decryption LEEF Fields


Example Decryption log in LEEF:

Sep 21 02:00:51 gke-standard-cluster-2-pool-3-f004381a-0gw6


2462 <14>1 2021-09-21T02:00:51.988Z stream-logfwd20-
d324e775--09201841-lxtx-harness-0cc4 logforwarder - panwlogs
- LEEF:2.0|Palo Alto Networks|Next Generation Firewall|
10.1|Cleartext| |TimeReceived=2021-09-21T02:00:51.000000Z
DeviceSN=xxxxxxxxxxxxx cat=decryption SubType=start
ConfigVersion=10.1 devTime=2021-09-21T02:00:48.000000Z
src=xxx.xx.x.xx dst=xxx.xx.x.xx srcPostNAT=xxx.xx.x.xx
dstPostNAT=xxx.xx.x.xx Rule=deny-attackers usrName=paloaltonetwork
\xxxxx DestinationUser=xxxxx\xxxxx o"'"test Application=chrome-
remote-desktop VirtualLocation=vsys1 FromZone=ethernet4Zone-
test1 ToZone=partners InboundInterface=ethernet1/1
OutboundInterface=ethernet1/4 LogSetting=rs-logging
TimeReceivedManagementPlane=2021-09-21T02:00:48.000000Z
SessionID=643753 CountOfRepeat=1 srcPort=5327 dstPort=13609
srcPostNATPort=28043 dstPostNATPort=21523 proto=tcp
Action=allow Tunnel=IPSEC SourceUUID= DestinationUUID=
RuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615
ClientToFirewall=Unknown FirewallToClient=Unknown TLSVersion=SSL2.0
TLSKeyExchange=TLS1.3 TLSEncryptionAlgorithm=CHACHA20_POLY1305
TLSAuth=SHA512 PolicyName= EllipticCurve=X9_62_prime192v1
ErrorIndex=None RootStatus=uninspected ChainStatus=Uninspected
CertificateSerial=bd786e20508c58d8bed
Fingerprint=fb9291df2dbeaf773075061a50181b42ca92e8ce4aed36353eed764230985a9b
TimeNotBefore=1632189648 TimeNotAfter=1634781648
CertificateVersion=V3 CertificateSize=571 CommonNameLength=23
IssuerNameLength=32 RootCNLength=32 SNILength=21 CertificateFlags=4
CommonName=CN = Bin Lu Server Cert IssuerCommonName=CN = Thawte
Premium Server CA1 RootCommonName=CN = Thawte Premium Server
CA1 ServerNameIndication=devop-host.panw.local ErrorMessage=
ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL=
SourceDynamicAddressGroup= DestinationDynamicAddressGroup=
TimeGeneratedHighResolution=2021-09-21T02:00:48.822000Z
SourceDeviceCategory=A-Phone SourceDeviceProfile=a-
profile SourceDeviceModel=iPhone SourceDeviceVendor=Apple
SourceDeviceOSFamily=X SourceDeviceOSVersion=iOS 11
SourceDeviceHost=pan-211 SourceDeviceMac=304566879056
DestinationDeviceCategory=A-Phone DestinationDeviceProfile=a-
profile DestinationDeviceModel=iPhone DestinationDeviceVendor=Apple
DestinationDeviceOSFamily=9 DestinationDeviceOSVersion=iOS 9
DestinationDeviceHost=pan-233 DestinationDeviceMac=743514319696
SequenceNo=7003061089434423021 devTimeFormat=YYYY-MM-
DD'T'HH:mm:ss.SSSZ

The following table identifies the Decryption field names that the Log Forwarding app uses when
you forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears in a
parameter called profileToken.

LEEF Name Query Name Field Type

Action action.value Custom

Application app Custom

ApplicationCategory app_category Custom

ApplicationSubcategory app_sub_category Custom

CertificateFlags cert_flags Custom

CertificateSerial cert_serial Custom

CertificateSize certificate_size Custom

CertificateVersion certificate_version.value Custom

ChainStatus chain_status.value Custom

ApplicationCharacteristics characteristics_of_app Custom

ClientToFirewall client_to_firewall.value Custom

CommonName cn Custom

CommonNameLength cn_len Custom

ConfigVersion config_version.value Custom

ContainerID container_id Custom

ApplicationContainer container_of_app Custom

CountOfRepeat count_of_repeats Custom

Cpadding cpadding Custom

CortexDataLakeTenantID customer_id Custom

DestinationDeviceCategory dest_device_category Custom

DestinationDeviceClass dest_device_class Custom

DestinationDeviceHost dest_device_host Custom

DestinationDeviceMac dest_device_mac Custom

DestinationDeviceModel dest_device_model Custom

DestinationDeviceOS dest_device_os Custom

DestinationDeviceOSFamily dest_device_osfamily Custom

DestinationDeviceOSVersion dest_device_osversion Custom

DestinationDeviceProfile dest_device_profile Custom

DestinationDeviceVendor dest_device_vendor Custom

DestinationDynamicAddressGroup dest_dynamic_address_group Custom

DestinationEDL dest_edl Custom

dst dest_ip.value Predefined

DestinationLocation dest_location Custom

dstPort dest_port Predefined

DestinationUser dest_user Custom

DestinationUserDomain dest_user_info.domain Custom

DestinationUserName dest_user_info.name Custom

DestinationUserUUID dest_user_info.uuid Custom

DestinationUUID dest_uuid Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

Domain domain Custom

EllipticCurve elliptic_curve.value Custom

ErrorIndex error_index.value Custom

ErrorMessage error_message Custom

Fingerprint fingerprint Custom

FirewallToClient firewall_to_client.value Custom

FromZone from_zone Custom

InboundInterface inbound_if.value Custom

InboundInterfaceDetailsPort inbound_if_details.port Custom

InboundInterfaceDetailsSlot inbound_if_details.slot Custom

InboundInterfaceDetailsType inbound_if_details.type.value Custom

InboundInterfaceDetailsUnit inbound_if_details.unit Custom

CaptivePortal is_captive_portal Custom

IsCertECDSA is_cert_ECDSA Custom

IsCertRSA is_cert_RSA Custom

IsCertCNTruncated is_cert_cn_truncated Custom

IsClienttoServer is_client_to_server Custom

IsContainer is_container Custom

IsDecryptMirror is_decrypt_mirror Custom

IsDecrypted is_decrypted Custom

IsDuplicateLog is_dup_log Custom

IsEncrypted is_encrypted Custom

LogExported is_exported Custom

IsForwarded is_forwarded Custom

IsIPV6 is_ipv6 Custom

IsIssuerCNTruncated is_issuer_cn_truncated Custom

IsMptcpOn is_mptcp_on Custom

IsNAT is_nat Custom

IsNonStandardDestinationPort is_non_std_dest_port Custom

PacketCapture is_packet_capture Custom

IsPhishing is_phishing Custom

IsPrismaNetwork is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

IsProxy is_proxy Custom

IsReconExcluded is_recon_excluded Custom

IsResumeSession is_resume_session Custom

IsRootCNTruncated is_root_cn_truncated Custom

IsSaaSApplication is_saas_app Custom

IsServertoClient is_server_to_client Custom

IsSNITruncated is_sni_truncated Custom

IsSourceXForwarded is_source_x_fwded Custom

IsSystemReturn is_sym_return Custom

IsTransaction is_transaction Custom

IsTunnelInspected is_tunnel_inspected Custom

IsURLDenied is_url_denied Custom

IssuerCommonName issuer_cn Custom

IssuerNameLength issuer_len Custom

LogSetting log_set Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

dstPostNAT nat_dest.value Predefined

dstPostNATPort nat_dest_port Predefined

srcPostNAT nat_source.value Predefined

srcPostNATPort nat_source_port Predefined

TimeNotAfter not_after Custom

TimeNotBefore not_before Custom

OutboundInterface outbound_if.value Custom

OutboundInterfaceDetailsPort outbound_if_details.port Custom

OutboundInterfaceDetailsSlot outbound_if_details.slot Custom

OutboundInterfaceDetailsType outbound_if_details.type.value Custom

OutboundInterfaceDetailsUnit outbound_if_details.unit Custom

Padding padding Custom

Padding3 padding3 Custom

PanoramaSN panorama_serial Custom

PlatformType platform_type Custom

ContainerName pod_name Custom

ContainerNameSpace pod_namespace Custom

PolicyName policy_name Custom

proto protocol.value Predefined

EventID proxy_type.value Header

ApplicationRisk risk_of_app Custom

RootCommonName root_cn Custom

RootCNLength root_cn_len Custom

RootStatus root_status.value Custom

Rule rule_matched Custom

RuleUUID rule_matched_uuid Custom

SanctionedStateOfApp sanctioned_state_of_app Custom

SequenceNo sequence_no Custom

SessionID session_id Custom

ServerNameIndication sni Custom

SNILength sni_len Custom

SourceDeviceCategory source_device_category Custom

SourceDeviceClass source_device_class Custom

SourceDeviceHost source_device_host Custom

SourceDeviceMac source_device_mac Custom

SourceDeviceModel source_device_model Custom

SourceDeviceOS source_device_os Custom

SourceDeviceOSFamily source_device_osfamily Custom

SourceDeviceOSVersion source_device_osversion Custom

SourceDeviceProfile source_device_profile Custom

SourceDeviceVendor source_device_vendor Custom

SourceDynamicAddressGroup source_dynamic_address_group Custom

SourceEDL source_edl Custom

src source_ip.value Predefined

SourceLocation source_location Custom

srcPort source_port Predefined

usrName source_user Predefined

SourceUserDomain source_user_info.domain Custom

SourceUserName source_user_info.name Custom

SourceUserUUID source_user_info.uuid Custom

SourceUUID source_uuid Custom

SubType sub_type.value Custom

ApplicationTechnology technology_of_app Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

TimeReceivedManagementPlane time_received_mp Custom

TLSAuth tls_auth.value Custom

TLSEncryptionAlgorithm tls_enc_algorithm.value Custom

TLSKeyExchange tls_keyxchange.value Custom

TLSVersion tls_version.value Custom

ToZone to_zone Custom

Tpadding tpadding Custom

Tunnel tunnel.value Custom

TunneledApplication tunneled_app Custom

Vendor vendor_name Header

Vpadding vpadding Custom

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom
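To show how the LEEF header and the Predefined, Custom and Header field types in the table above fit together, here is an added example (not Palo Alto Networks code) that parses a Decryption LEEF line into schema query names and keeps the optional profileToken apart from schema fields. The sample line is constructed from the example above with the addresses replaced and a hypothetical profileToken added, and the legacy-version check assumes the "SSL2.0"/"TLS1.3" spelling seen in that example for the other deprecated versions.

```python
"""Parse a Cortex Data Lake Decryption log in LEEF format and rename its attributes
to the query names in the LEEF table above. Added example, not Palo Alto Networks
code; SAMPLE_LEEF is constructed from the page's example (addresses replaced,
hypothetical profileToken added)."""
import re
from typing import Dict, Tuple

HEADER_FIELDS = ("LEEFVersion", "Vendor", "Product", "Version", "EventID")
# Header fields that the table maps to query names (field type "Header").
HEADER_TO_QUERY = {"Vendor": "vendor_name", "EventID": "proxy_type.value"}
# Predefined LEEF names, whose query names differ from the attribute names.
PREDEFINED = {
    "src": "source_ip.value", "dst": "dest_ip.value", "srcPort": "source_port",
    "dstPort": "dest_port", "srcPostNAT": "nat_source.value",
    "dstPostNAT": "nat_dest.value", "srcPostNATPort": "nat_source_port",
    "dstPostNATPort": "nat_dest_port", "proto": "protocol.value",
    "cat": "log_type.value", "usrName": "source_user", "devTime": "time_generated",
}
# Custom LEEF names: only the subset of the table that the sample line carries.
CUSTOM = {
    "TimeReceived": "log_time", "DeviceSN": "log_source_id",
    "SubType": "sub_type.value", "ConfigVersion": "config_version.value",
    "Rule": "rule_matched", "Application": "app", "Action": "action.value",
    "TLSVersion": "tls_version.value", "TLSKeyExchange": "tls_keyxchange.value",
    "CommonName": "cn", "IssuerCommonName": "issuer_cn", "ServerNameIndication": "sni",
    "SourceDeviceOSVersion": "source_device_osversion", "SequenceNo": "sequence_no",
}
KEY_RE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)=(.*)", re.S)
# Versions deprecated by RFC 6176, 7568 and 8996; spellings other than "SSL2.0" are
# assumed to follow the "SSL2.0" / "TLS1.3" style seen in the page's sample.
LEGACY_TLS = {"SSL2.0", "SSL3.0", "TLS1.0", "TLS1.1"}


def split_header(line: str) -> Tuple[Dict[str, str], str, str]:
    """Return (header fields, attribute delimiter, raw attribute text), skipping
    the syslog prefix that precedes 'LEEF:'."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    parts = line[start:].split("|", 6)
    if len(parts) != 7:
        raise ValueError("malformed LEEF 2.0 header")
    # LEEF 2.0: an empty delimiter field means tab; the page's sample uses a space.
    delim = parts[5] or "\t"
    return dict(zip(HEADER_FIELDS, parts[:5])), delim, parts[6]


def parse_attributes(raw: str, delim: str) -> Dict[str, str]:
    """Split 'key=value' pairs. A token without a 'key=' prefix continues the
    previous value: 'CN = Bin Lu Server Cert' and 'iOS 11' contain the delimiter."""
    attrs: Dict[str, str] = {}
    current = None
    for token in raw.split(delim):
        m = KEY_RE.fullmatch(token)
        if m:
            current = m.group(1)
            attrs[current] = m.group(2)
        elif current is None:
            raise ValueError(f"attribute text must start with key=value: {token!r}")
        else:
            attrs[current] += delim + token
    return attrs


def parse_decryption_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (record keyed by query name, extras). Extras holds attributes that are
    not schema fields (profileToken, devTimeFormat, names missing from the tables)."""
    header, delim, raw = split_header(line)
    record = {query: header[name] for name, query in HEADER_TO_QUERY.items()}
    extras: Dict[str, str] = {}
    for name, value in parse_attributes(raw, delim).items():
        query = PREDEFINED.get(name) or CUSTOM.get(name)
        if query:
            record[query] = value
        else:
            extras[name] = value
    return record, extras


def uses_legacy_tls(record: Dict[str, str]) -> bool:
    """True when the decrypted session negotiated a deprecated protocol version."""
    return record.get("tls_version.value") in LEGACY_TLS


SAMPLE_LEEF = (
    "<14>1 2021-09-21T02:00:51.988Z stream-logfwd20-d324e775 logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|Cleartext| |"
    "TimeReceived=2021-09-21T02:00:51.000000Z DeviceSN=xxxxxxxxxxxxx cat=decryption "
    "profileToken=example-token SubType=start ConfigVersion=10.1 "
    "devTime=2021-09-21T02:00:48.000000Z src=10.1.2.3 dst=192.168.10.20 "
    "Rule=deny-attackers usrName=paloaltonetwork\\xxxxx Application=chrome-remote-desktop "
    "srcPort=5327 dstPort=13609 proto=tcp Action=allow TLSVersion=SSL2.0 "
    "TLSKeyExchange=TLS1.3 CommonName=CN = Bin Lu Server Cert "
    "IssuerCommonName=CN = Thawte Premium Server CA1 "
    "ServerNameIndication=devop-host.panw.local SourceDeviceOSVersion=iOS 11 "
    "SequenceNo=7003061089434423021 devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)

if __name__ == "__main__":
    rec, extra = parse_decryption_leef(SAMPLE_LEEF)
    print(rec, extra, "legacy TLS:", uses_legacy_tls(rec), sep="\n")
```

Attributes that land in the extras dict are the ones to drop or route separately before loading the record into a schema-shaped table, since the profile token is a forwarding-profile setting rather than log data.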

File
Represents a file transfer across the network. These log records can represent either a successful
transfer, or an attempted transfer that was blocked by the firewall.
See the following for information related to supported log formats:
• File Syslog Default Field Order
• File CEF Fields
• File EMAIL Fields
• File HTTPS Fields
• File LEEF Fields

FILE Field (Display Name) Description

action.value (ACTION)
Identifies the action that the firewall took for the network traffic.
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action

app (APPLICATION)
Application associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: app
EMAIL field name: Application
HTTPS field name: Application
LEEF field name: Application

app_category (APPLICATION CATEGORY)
Identifies the high-level family of the application.
CEF field name: PanOSApplicationCategory
EMAIL field name: ApplicationCategory
HTTPS field name: ApplicationCategory
LEEF field name: ApplicationCategory

app_sub_category (APPLICATION SUBCATEGORY)
Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category.
CEF field name: PanOSApplicationSubcategory
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory

cloud_hostname (CLOUD HOSTNAME)
The hostname on which the VM-Series firewall is running.
CEF field name: PanOSCloudHostname
EMAIL field name: CloudHostname
HTTPS field name: CloudHostname
LEEF field name: CloudHostname

cloud_reportid (CLOUD REPORTID)
Unique 32-character ID for a file scanned by the DLP cloud service, sent by a firewall running PAN-OS 10.2.0. The same Cloud Report ID is displayed for a file that the DLP cloud service has already scanned and generated a Cloud Report ID for.
CEF field name: PanOSCloudReportID
EMAIL field name: CloudReportID
HTTPS field name: CloudReportID
LEEF field name: CloudReportID

config_version.value (CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

container_id (CONTAINER ID)
Unknown field. No information is available at this time.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerID
EMAIL field name: ContainerID
HTTPS field name: ContainerID
LEEF field name: ContainerID

container_of_app (APPLICATION CONTAINER)
Identifies the managing application or parent of the application associated with this network traffic.
CEF field name: PanOSApplicationContainer
EMAIL field name: ApplicationContainer
HTTPS field name: ApplicationContainer
LEEF field name: ApplicationContainer

content_version (CONTENT VERSION)
Applications and Threats version installed on the firewall when the log was generated.
Syslog field name: Syslog Field Order
CEF field name: PanOSContentVersion
EMAIL field name: ContentVersion
HTTPS field name: ContentVersion
LEEF field name: ContentVersion

count_of_repeats (REPEAT COUNT)
Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: RepeatCount
HTTPS field name: RepeatCount
LEEF field name: RepeatCount

customer_id (CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSCortexDataLakeTenantID
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID

dest_device_category (DESTINATION DEVICE CATEGORY)
Category of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceCategory
EMAIL field name: DestinationDeviceCategory
HTTPS field name: DestinationDeviceCategory
LEEF field name: DestinationDeviceCategory

dest_device_class (DESTINATION DEVICE CLASS)
Destination device class.
CEF field name: PanOSDestinationDeviceClass
EMAIL field name: DestinationDeviceClass
HTTPS field name: DestinationDeviceClass
LEEF field name: DestinationDeviceClass

dest_device_host (DESTINATION DEVICE HOST)
Hostname of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceHost
EMAIL field name: DestinationDeviceHost
HTTPS field name: DestinationDeviceHost
LEEF field name: DestinationDeviceHost

dest_device_mac (DESTINATION DEVICE MAC)
MAC Address of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceMac
EMAIL field name: DestinationDeviceMac
HTTPS field name: DestinationDeviceMac
LEEF field name: DestinationDeviceMac

dest_device_model (DESTINATION DEVICE MODEL)
Model of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceModel
EMAIL field name: DestinationDeviceModel
HTTPS field name: DestinationDeviceModel
LEEF field name: DestinationDeviceModel

dest_device_os (DESTINATION DEVICE OS)
Destination device OS type.
CEF field name: PanOSDestinationDeviceOS
EMAIL field name: DestinationDeviceOS
HTTPS field name: DestinationDeviceOS
LEEF field name: DestinationDeviceOS

dest_device_osfamily (DESTINATION DEVICE OS FAMILY)
OS family of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceOSFamily
EMAIL field name: DestinationDeviceOSFamily
HTTPS field name: DestinationDeviceOSFamily
LEEF field name: DestinationDeviceOSFamily

dest_device_osversion (DESTINATION DEVICE OS VERSION)
OS version of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceOSVersion
EMAIL field name: DestinationDeviceOSVersion
HTTPS field name: DestinationDeviceOSVersion
LEEF field name: DestinationDeviceOSVersion

dest_device_profile (DESTINATION DEVICE PROFILE)
Profile of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceProfile
EMAIL field name: DestinationDeviceProfile
HTTPS field name: DestinationDeviceProfile
LEEF field name: DestinationDeviceProfile

dest_device_vendor (DESTINATION DEVICE VENDOR)
Vendor of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceVendor
EMAIL field name: DestinationDeviceVendor
HTTPS field name: DestinationDeviceVendor
LEEF field name: DestinationDeviceVendor


dest_dynamic_address_group (DESTINATION DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the destination for the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDynamicAddressGroup
EMAIL field name: DestinationDynamicAddressGroup
HTTPS field name: DestinationDynamicAddressGroup
LEEF field name: DestinationDynamicAddressGroup

dest_edl (DESTINATION EDL)
The name of the external dynamic list that contains the destination IP address of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationEDL
EMAIL field name: DestinationEDL
HTTPS field name: DestinationEDL
LEEF field name: DestinationEDL

dest_ip.value (DESTINATION ADDRESS)
Original destination IP address.
Syslog field name: Syslog Field Order
CEF fields: dst or c6a3
EMAIL field name: DestinationAddress
HTTPS field name: DestinationAddress
LEEF field name: dst

dest_location (DESTINATION LOCATION)
Destination country or internal region for private addresses.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationLocation
EMAIL field name: DestinationLocation
HTTPS field name: DestinationLocation
LEEF field name: DestinationLocation

dest_port Network traffic's destination port. If this value is 0, then


the app is using its standard port.
(DESTINATION PORT)
Syslog field name: Syslog Field Order

    CEF field name: dpt
    EMAIL field name: DestinationPort
    HTTPS field name: DestinationPort
    LEEF field name: dstPort

dest_user (DESTINATION USER)
    The username to which the network traffic was destined.
    Syslog field name: Syslog Field Order
    CEF field name: duser
    EMAIL field name: DestinationUser
    HTTPS field name: DestinationUser
    LEEF field name: DestinationUser

dest_user_info.domain (DESTINATION USER DOMAIN)
    Domain to which the Destination User belongs.
    CEF field name: dntdom
    EMAIL field name: DestinationUserDomain
    HTTPS field name: DestinationUserDomain
    LEEF field name: DestinationUserDomain

dest_user_info.name (DESTINATION USER NAME)
    The Destination User. That is, the username to which the network traffic was destined.
    CEF field name: All of the following: dusername, duser
    EMAIL field name: DestinationUserName
    HTTPS field name: DestinationUserName
    LEEF field name: DestinationUserName

dest_user_info.uuid (DESTINATION USER UUID)
    Unique identifier assigned to the Destination User.
    CEF field name: duid
    EMAIL field name: DestinationUserUUID
    HTTPS field name: DestinationUserUUID
    LEEF field name: DestinationUserUUID

dest_uuid (DESTINATION UUID)
    Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDestinationUUID
    EMAIL field name: DestinationUUID
    HTTPS field name: DestinationUUID
    LEEF field name: DestinationUUID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel1
    EMAIL field name: DGHierarchyLevel1
    HTTPS field name: DGHierarchyLevel1
    LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel2
    EMAIL field name: DGHierarchyLevel2
    HTTPS field name: DGHierarchyLevel2
    LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel3
    EMAIL field name: DGHierarchyLevel3
    HTTPS field name: DGHierarchyLevel3
    LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel4
    EMAIL field name: DGHierarchyLevel4
    HTTPS field name: DGHierarchyLevel4
    LEEF field name: DGHierarchyLevel4

direction_of_attack.value (DIRECTION OF ATTACK)
    Indicates the direction of the attack.
    Syslog field name: Syslog Field Order
    CEF field name: flexString2
    EMAIL field name: DirectionOfAttack
    HTTPS field name: DirectionOfAttack
    LEEF field name: DirectionOfAttack

dlp_version_flag (DLP VERSION FLAG)
    Indicates whether these are old or new data filtering logs.
    CEF field name: PanOSDLPVersionFlag
    EMAIL field name: DLPVersionFlag
    HTTPS field name: DLPVersionFlag
    LEEF field name: DLPVersionFlag

domain_edl (DOMAIN EDL)
    Domain External Dynamic List. That is, the name of the external dynamic list that contains the destination domain of the traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDomainEDL
    EMAIL field name: DomainEDL
    HTTPS field name: DomainEDL
    LEEF field name: DomainEDL

dynusergroup_name (DYNAMIC USER GROUP)
    Dynamic user group of the user who initiated the network connection.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDynamicUserGroup
    EMAIL field name: DynamicUserGroup
    HTTPS field name: DynamicUserGroup
    LEEF field name: DynamicUserGroup

endpoint_serial_number (ENDPOINT SERIAL NUMBER)
    Serial number of the host on which GlobalProtect is installed.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSEndpointSerialNumber
    EMAIL field name: EndpointSerialNumber
    HTTPS field name: EndpointSerialNumber
    LEEF field name: EndpointSerialNumber

file_name (FILE NAME)
    The name of the file that is blocked.
    Syslog field name: Syslog Field Order
    CEF field name: filePath
    EMAIL field name: FileName
    HTTPS field name: FileName
    LEEF field name: FileName

file_sha_256 (FILE HASH)
    The binary hash (SHA-256) of the file.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSFileHash
    EMAIL field name: FileHash
    HTTPS field name: FileHash
    LEEF field name: FileHash

file_type (FILE TYPE)
    Palo Alto Networks textual identifier for the threat.
    CEF field name: PanOSFileType
    EMAIL field name: FileType
    HTTPS field name: FileType
    LEEF field name: EventID

file_url (FILE URL)
    File URL.
    CEF field name: PanOSFileURL
    EMAIL field name: FileURL
    HTTPS field name: FileURL
    LEEF field name: FileURL

from_zone (FROM ZONE)
    The networking zone from which the traffic originated.
    Syslog field name: Syslog Field Order
    CEF field name: cs4
    EMAIL field name: FromZone
    HTTPS field name: FromZone
    LEEF field name: FromZone

gp_host_id (HOST ID)
    A unique ID that GlobalProtect assigns to identify the host.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSHostID
    EMAIL field name: HostID
    HTTPS field name: HostID
    LEEF field name: HostID

http2_connection (HTTP2 CONNECTION)
    Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSHTTP2Connection
    EMAIL field name: HTTP2Connection
    HTTPS field name: HTTP2Connection
    LEEF field name: HTTP2Connection

inbound_if.value (INBOUND INTERFACE)
    Interface from which the network traffic was sourced.
    Syslog field name: Syslog Field Order
    CEF field name: deviceInboundInterface
    EMAIL field name: InboundInterface
    HTTPS field name: InboundInterface
    LEEF field name: InboundInterface

inbound_if_details.port (INBOUND INTERFACE DETAILS PORT)
    Hardware port or socket from which the network traffic was sourced.
    CEF field name: PanOSInboundInterfaceDetailsPort
    EMAIL field name: InboundInterfaceDetailsPort
    HTTPS field name: InboundInterfaceDetailsPort
    LEEF field name: InboundInterfaceDetailsPort

inbound_if_details.slot (INBOUND INTERFACE DETAILS SLOT)
    Interface slot from which the network traffic was sourced.
    CEF field name: PanOSInboundInterfaceDetailsSlot
    EMAIL field name: InboundInterfaceDetailsSlot
    HTTPS field name: InboundInterfaceDetailsSlot
    LEEF field name: InboundInterfaceDetailsSlot

inbound_if_details.type.value (INBOUND INTERFACE DETAILS TYPE)
    The type of interface from which the network traffic was sourced.
    CEF field name: PanOSInboundInterfaceDetailsType
    EMAIL field name: InboundInterfaceDetailsType
    HTTPS field name: InboundInterfaceDetailsType
    LEEF field name: InboundInterfaceDetailsType

inbound_if_details.unit (INBOUND INTERFACE DETAILS UNIT)
    Internal use.
    CEF field name: PanOSInboundInterfaceDetailsUnit
    EMAIL field name: InboundInterfaceDetailsUnit
    HTTPS field name: InboundInterfaceDetailsUnit
    LEEF field name: InboundInterfaceDetailsUnit

is_captive_portal (CAPTIVE PORTAL)
    Indicates if user information for the session was captured through Captive Portal.
    CEF field name: PanOSCaptivePortal
    EMAIL field name: CaptivePortal
    HTTPS field name: CaptivePortal
    LEEF field name: CaptivePortal

is_client_to_server (IS CLIENT TO SERVER)
    Indicates if the direction of traffic is from client to server.
    CEF field name: PanOSIsClienttoServer
    EMAIL field name: IsClienttoServer
    HTTPS field name: IsClienttoServer
    LEEF field name: IsClienttoServer

is_container (IS CONTAINER)
    Indicates if the session is a container page access (Container Page).
    CEF field name: PanOSIsContainer
    EMAIL field name: IsContainer
    HTTPS field name: IsContainer
    LEEF field name: IsContainer

is_decrypt_mirror (IS DECRYPT MIRROR)
    Indicates whether decrypted traffic was sent out in clear text through a mirror port.
    CEF field name: PanOSIsDecryptMirror
    EMAIL field name: IsDecryptMirror
    HTTPS field name: IsDecryptMirror
    LEEF field name: IsDecryptMirror

is_decrypted (IS DECRYPTED)
    Flag that indicates that the session is decrypted.
    CEF field name: PanOSIsDecrypted
    EMAIL field name: IsDecrypted
    HTTPS field name: IsDecrypted
    LEEF field name: IsDecrypted

is_dup_log (IS DUPLICATE LOG)
    Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premises log collector.
    CEF field name: PanOSIsDuplicateLog
    EMAIL field name: IsDuplicateLog
    HTTPS field name: IsDuplicateLog
    LEEF field name: IsDuplicateLog

is_encrypted (IS ENCRYPTED)
    Flag that indicates that the session is encrypted.
    CEF field name: PanOSIsEncrypted
    EMAIL field name: IsEncrypted
    HTTPS field name: IsEncrypted
    LEEF field name: IsEncrypted

is_exported (LOG EXPORTED)
    Indicates if this log was exported from the firewall using the firewall's log export function.
    CEF field name: PanOSLogExported
    EMAIL field name: LogExported
    HTTPS field name: LogExported
    LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
    Internal-use field that indicates if the log is being forwarded.
    CEF field name: PanOSLogForwarded
    EMAIL field name: LogForwarded
    HTTPS field name: LogForwarded
    LEEF field name: LogForwarded

is_ipv6 (IS IPV6)
    Indicates whether IPv6 was used for the session.
    CEF field name: PanOSIsIPV6
    EMAIL field name: IsIPV6
    HTTPS field name: IsIPV6
    LEEF field name: IsIPV6

is_mptcp_on (IS MPTCP ON)
    Indicates whether the Multipath TCP (MPTCP) option is enabled on the next-generation firewall, which allows a client to use multiple paths to connect to a destination host.
    CEF field name: PanOSIsMptcpOn
    EMAIL field name: IsMptcpOn
    HTTPS field name: IsMptcpOn
    LEEF field name: IsMptcpOn

is_nat (NAT)
    Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
    CEF field name: PanOSNAT
    EMAIL field name: NAT
    HTTPS field name: NAT
    LEEF field name: NAT

is_non_std_dest_port (IS NON STANDARD DESTINATION PORT)
    Indicates if the destination port is non-standard.
    CEF field name: PanOSIsNonStandardDestinationPort
    EMAIL field name: IsNonStandardDestinationPort
    HTTPS field name: IsNonStandardDestinationPort
    LEEF field name: IsNonStandardDestinationPort

is_packet_capture (IS PACKET CAPTURE)
    Indicates whether the session has a packet capture (PCAP).
    CEF field name: PanOSIsPacketCapture
    EMAIL field name: IsPacketCapture
    HTTPS field name: IsPacketCapture
    LEEF field name: IsPacketCapture

is_phishing (IS PHISHING)
    Indicates whether enterprise credentials were submitted by an end user.
    CEF field name: PanOSIsPhishing
    EMAIL field name: IsPhishing
    HTTPS field name: IsPhishing
    LEEF field name: IsPhishing

is_prisma_branch (IS PRISMA NETWORK)
    Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premises.
    CEF field name: PanOSIsPrismaNetwork
    EMAIL field name: IsPrismaNetwork
    HTTPS field name: IsPrismaNetwork
    LEEF field name: IsPrismaNetwork

is_prisma_mobile (IS PRISMA USERS)
    Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premises.
    CEF field name: PanOSIsPrismaUsers
    EMAIL field name: IsPrismaUsers
    HTTPS field name: IsPrismaUsers
    LEEF field name: IsPrismaUsers

is_proxy (IS PROXY)
    Indicates whether the SSL session is decrypted (SSL Proxy).
    CEF field name: PanOSIsProxy
    EMAIL field name: IsProxy
    HTTPS field name: IsProxy
    LEEF field name: IsProxy

is_recon_excluded (IS RECON EXCLUDED)
    Indicates whether the source of the flow is on the firewall allow list and therefore not subject to reconnaissance protection.
    CEF field name: PanOSIsReconExcluded
    EMAIL field name: IsReconExcluded
    HTTPS field name: IsReconExcluded
    LEEF field name: IsReconExcluded

is_saas_app (IS SAAS APPLICATION)
    Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application.
    CEF field name: PanOSIsSaaSApplication
    EMAIL field name: IsSaaSApplication
    HTTPS field name: IsSaaSApplication
    LEEF field name: IsSaaSApplication

is_server_to_client (IS SERVER TO CLIENT)
    Indicates if the direction of traffic is from server to client.
    CEF field name: PanOSIsServertoClient
    EMAIL field name: IsServertoClient
    HTTPS field name: IsServertoClient
    LEEF field name: IsServertoClient

is_source_x_fwded (IS SOURCE X FORWARDED)
    Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
    CEF field name: PanOSIsSourceXForwarded
    EMAIL field name: IsSourceXForwarded
    HTTPS field name: IsSourceXForwarded
    LEEF field name: IsSourceXForwarded

is_sym_return (IS SYSTEM RETURN)
    Indicates whether symmetric return was used to forward traffic for this session.
    CEF field name: PanOSIsSystemReturn
    EMAIL field name: IsSystemReturn
    HTTPS field name: IsSystemReturn
    LEEF field name: IsSystemReturn

is_transaction (IS TRANSACTION)
    Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
    CEF field name: PanOSIsTransaction
    EMAIL field name: IsTransaction
    HTTPS field name: IsTransaction
    LEEF field name: IsTransaction

is_tunnel_inspected (IS TUNNEL INSPECTED)
    Indicates whether the payload for the outer tunnel was inspected.
    CEF field name: PanOSIsTunnelInspected
    EMAIL field name: IsTunnelInspected
    HTTPS field name: IsTunnelInspected
    LEEF field name: IsTunnelInspected

is_url_denied (IS URL DENIED)
    Indicates whether the session was denied due to a URL filtering rule.
    CEF field name: PanOSIsURLDenied
    EMAIL field name: IsURLDenied
    HTTPS field name: IsURLDenied
    LEEF field name: IsURLDenied

justification (JUSTIFICATION)
    Justification string.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSJustification
    EMAIL field name: Justification
    HTTPS field name: Justification
    LEEF field name: Justification

location (PRISMA ACCESS LOCATION)
    Prisma Access region/location.
    CEF field name: PanOSLocation
    EMAIL field name: Location
    HTTPS field name: Location
    LEEF field name: Location

log_set (LOG SETTING)
    Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
    Syslog field name: Syslog Field Order
    CEF field name: cs6
    EMAIL field name: LogSetting
    HTTPS field name: LogSetting
    LEEF field name: LogSetting

log_source (LOG SOURCE)
    Identifies the origin of the data, that is, the system that produced the data.
    CEF field name: PanOSLogSource
    EMAIL field name: LogSource
    HTTPS field name: LogSource
    LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
    ID that uniquely identifies the log source group of the log, that is, the log_source_id of the group.
    CEF field name: LogSourceGroupID
    EMAIL field name: LogSourceGroupID
    HTTPS field name: LogSourceGroupID
    LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
    ID that uniquely identifies the source of the log: the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
    Syslog field name: Syslog Field Order
    CEF field name: deviceExternalId
    EMAIL field name: DeviceSN
    HTTPS field name: DeviceSN
    LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
    Name of the source of the log: the hostname of the firewall that logged the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: dvchost
    EMAIL field name: DeviceName
    HTTPS field name: DeviceName
    LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
    Time zone offset from GMT of the source of the log.
    CEF field name: PanOSLogSourceTimeZoneOffset
    EMAIL field name: LogSourceTimeZoneOffset
    HTTPS field name: LogSourceTimeZoneOffset
    LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
    Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: rt
    EMAIL field name: TimeReceived
    HTTPS field name: TimeReceived
    LEEF field name: TimeReceived

log_type.value (LOG TYPE)
    Identifies the log type.
    Syslog field name: Syslog Field Order
    CEF field name: Device Event Class ID (a CEF header field, not an extension key)
    EMAIL field name: LogType
    HTTPS field name: LogType
    LEEF field name: cat

monitor_tag_imei (IMEI)
    A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSIMEI
    EMAIL field name: IMEI
    HTTPS field name: IMEI
    LEEF field name: IMEI

nat_dest.value (NAT DESTINATION)
    If destination NAT was performed, the post-NAT destination IP address.
    Syslog field name: Syslog Field Order
    CEF field name: destinationTranslatedAddress
    EMAIL field name: NATDestination
    HTTPS field name: NATDestination
    LEEF field name: dstPostNAT

nat_dest_port (NAT DESTINATION PORT)
    Post-NAT destination port.
    Syslog field name: Syslog Field Order
    CEF field name: destinationTranslatedPort
    EMAIL field name: NATDestinationPort
    HTTPS field name: NATDestinationPort
    LEEF field name: dstPostNATPort

nat_source.value (NAT SOURCE)
    If source NAT was performed, the post-NAT source IP address.
    Syslog field name: Syslog Field Order
    CEF field name: sourceTranslatedAddress
    EMAIL field name: NATSource
    HTTPS field name: NATSource
    LEEF field name: srcPostNAT

nat_source_port (NAT SOURCE PORT)
    Post-NAT source port.
    Syslog field name: Syslog Field Order
    CEF field name: sourceTranslatedPort
    EMAIL field name: NATSourcePort
    HTTPS field name: NATSourcePort
    LEEF field name: srcPostNATPort

non_standard_dest_port (NON STANDARD DESTINATION PORT)
    Identifies the non-standard or unexpected port used by the application associated with this session.
    CEF field name: PanOSNonStandardDestinationPort
    EMAIL field name: NonStandardDestinationPort
    HTTPS field name: NonStandardDestinationPort
    LEEF field name: NonStandardDestinationPort

nssai_network_slice_type.value (NSSAI NETWORK SLICE TYPE)
    Network Slice Type (the SST part of the S-NSSAI).
    Syslog field name: Syslog Field Order
    CEF field name: PanOSNSSAINetworkSliceType
    EMAIL field name: NSSAINetworkSliceType
    HTTPS field name: NSSAINetworkSliceType
    LEEF field name: NSSAINetworkSliceType

outbound_if.value (OUTBOUND INTERFACE)
    Interface to which the network traffic was destined.
    Syslog field name: Syslog Field Order
    CEF field name: deviceOutboundInterface
    EMAIL field name: OutboundInterface
    HTTPS field name: OutboundInterface
    LEEF field name: OutboundInterface

outbound_if_details.port (OUTBOUND INTERFACE DETAILS PORT)
    Hardware port or socket to which the network traffic was sent.
    CEF field name: PanOSOutboundInterfaceDetailsPort
    EMAIL field name: OutboundInterfaceDetailsPort
    HTTPS field name: OutboundInterfaceDetailsPort
    LEEF field name: OutboundInterfaceDetailsPort

outbound_if_details.slot (OUTBOUND INTERFACE DETAILS SLOT)
    Interface slot to which the network traffic was sent.
    CEF field name: PanOSOutboundInterfaceDetailsSlot
    EMAIL field name: OutboundInterfaceDetailsSlot
    HTTPS field name: OutboundInterfaceDetailsSlot
    LEEF field name: OutboundInterfaceDetailsSlot

outbound_if_details.type.value (OUTBOUND INTERFACE DETAILS TYPE)
    The type of interface to which the network traffic was sent.
    CEF field name: PanOSOutboundInterfaceDetailsType
    EMAIL field name: OutboundInterfaceDetailsType
    HTTPS field name: OutboundInterfaceDetailsType
    LEEF field name: OutboundInterfaceDetailsType

outbound_if_details.unit (OUTBOUND INTERFACE DETAILS UNIT)
    Internal use.
    CEF field name: PanOSOutboundInterfaceDetailsUnit
    EMAIL field name: OutboundInterfaceDetailsUnit
    HTTPS field name: OutboundInterfaceDetailsUnit
    LEEF field name: OutboundInterfaceDetailsUnit

panorama_serial (PANORAMA SN)
    Serial number of the Panorama associated with Cortex Data Lake.
    CEF field name: PanOSPanoramaSN
    EMAIL field name: PanoramaSN
    HTTPS field name: PanoramaSN
    LEEF field name: PanoramaSN

parent_session_id (PARENT SESSION ID)
    ID of the session in which this network traffic was tunneled.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSParentSessionID
    EMAIL field name: ParentSessionID
    HTTPS field name: ParentSessionID
    LEEF field name: ParentSessionID

parent_start_time (PARENT START TIME)
    Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSParentStartTime
    EMAIL field name: ParentStartTime
    HTTPS field name: ParentStartTime
    LEEF field name: ParentStartTime

partial_hash (PARTIAL HASH)
    Machine learning partial hash.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPartialHash
    EMAIL field name: PartialHash
    HTTPS field name: PartialHash
    LEEF field name: PartialHash

pcap (PACKET)
    Packet that triggered the firewall to generate this threat log record.
    CEF field name: PanOSPacket
    EMAIL field name: Packet
    HTTPS field name: Packet
    LEEF field name: Packet

pcap_id (PACKET ID)
    Packet capture ID. Used to correlate threat pcap files with extended pcaps taken as a part of the session flow.
    Syslog field name: Syslog Field Order
    CEF field name: fileId
    EMAIL field name: PacketID
    HTTPS field name: PacketID
    LEEF field name: PacketID

platform_type (PLATFORM TYPE)
    The platform type (valid types are VM, PA, NGFW, CNGFW).
    CEF field name: PlatformType
    EMAIL field name: PlatformType
    HTTPS field name: PlatformType
    LEEF field name: PlatformType

pod_name (CONTAINER NAME)
    Container name.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSContainerName
    EMAIL field name: ContainerName
    HTTPS field name: ContainerName
    LEEF field name: ContainerName

pod_namespace (CONTAINER NAME SPACE)
    Container namespace.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSContainerNameSpace
    EMAIL field name: ContainerNameSpace
    HTTPS field name: ContainerNameSpace
    LEEF field name: ContainerNameSpace

profile_name (PROFILE NAME)
    Data filtering profile name.
    CEF field name: PanOSProfileName
    EMAIL field name: ProfileName
    HTTPS field name: ProfileName
    LEEF field name: ProfileName

protocol.value (PROTOCOL)
    IP protocol associated with the session.
    Syslog field name: Syslog Field Order
    CEF field name: proto
    EMAIL field name: Protocol
    HTTPS field name: Protocol
    LEEF field name: proto

reason_data_filtering (REASON FOR DATA FILTERING ACTION)
    Reason for data filtering action.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSReasonForDataFilteringAction
    EMAIL field name: ReasonForDataFilteringAction
    HTTPS field name: ReasonForDataFilteringAction
    LEEF field name: ReasonForDataFilteringAction

report_id (REPORT ID)
    Identifies the analysis requested from the sandbox (cloud or appliance).
    Syslog field name: Syslog Field Order
    CEF field name: PanOSReportID
    EMAIL field name: ReportID
    HTTPS field name: ReportID
    LEEF field name: ReportID

risk_of_app (APPLICATION RISK)
    Indicates how risky the application is from a network security perspective.
    CEF field name: PanOSApplicationRisk
    EMAIL field name: ApplicationRisk
    HTTPS field name: ApplicationRisk
    LEEF field name: ApplicationRisk

rule_matched (RULE)
    Name of the security policy rule that the network traffic matched.
    Syslog field name: Syslog Field Order
    CEF field name: cs1
    EMAIL field name: Rule
    HTTPS field name: Rule
    LEEF field name: Rule

rule_matched_uuid (RULE UUID)
    Unique identifier for the security policy rule that the network traffic matched.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSRuleUUID
    EMAIL field name: RuleUUID
    HTTPS field name: RuleUUID
    LEEF field name: RuleUUID

sanctioned_state_of_app (SANCTIONED STATE OF APP)
    Indicates whether the application has been flagged as sanctioned by the firewall administrator.
    CEF field name: PanOSSanctionedStateOfApp
    EMAIL field name: SanctionedStateOfApp
    HTTPS field name: SanctionedStateOfApp
    LEEF field name: SanctionedStateOfApp

sequence_no (SEQUENCE NO)
    The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
    Syslog field name: Syslog Field Order
    CEF field name: externalId
    EMAIL field name: SequenceNo
    HTTPS field name: SequenceNo
    LEEF field name: SequenceNo

session_id (SESSION ID)
    Identifies the firewall's internal identifier for a specific network session.
    Syslog field name: Syslog Field Order
    CEF field name: cn1
    EMAIL field name: SessionID
    HTTPS field name: SessionID
    LEEF field name: SessionID

severity (SEVERITY)
    Severity as defined by the platform.
    CEF field name: PanOSSeverity
    EMAIL field name: Severity
    HTTPS field name: Severity
    LEEF field name: Severity

sig_flags (SIG FLAGS)
    Internal use only.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSigFlags
    EMAIL field name: SigFlags
    HTTPS field name: SigFlags
    LEEF field name: SigFlags

source_device_category (SOURCE DEVICE CATEGORY)
    Category of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceCategory
    EMAIL field name: SourceDeviceCategory
    HTTPS field name: SourceDeviceCategory
    LEEF field name: SourceDeviceCategory

source_device_class (SOURCE DEVICE CLASS)
    Source device class.
    CEF field name: PanOSSourceDeviceClass
    EMAIL field name: SourceDeviceClass
    HTTPS field name: SourceDeviceClass
    LEEF field name: SourceDeviceClass

source_device_host (SOURCE DEVICE HOST)
    Hostname of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceHost
    EMAIL field name: SourceDeviceHost
    HTTPS field name: SourceDeviceHost
    LEEF field name: SourceDeviceHost

source_device_mac (SOURCE DEVICE MAC)
    MAC address of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceMac
    EMAIL field name: SourceDeviceMac
    HTTPS field name: SourceDeviceMac
    LEEF field name: SourceDeviceMac

source_device_model (SOURCE DEVICE MODEL)
    Model of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceModel
    EMAIL field name: SourceDeviceModel
    HTTPS field name: SourceDeviceModel
    LEEF field name: SourceDeviceModel

source_device_os (SOURCE DEVICE OS)
    Source device OS type.
    CEF field name: PanOSSourceDeviceOS
    EMAIL field name: SourceDeviceOS
    HTTPS field name: SourceDeviceOS
    LEEF field name: SourceDeviceOS

source_device_osfamily (SOURCE DEVICE OS FAMILY)
    OS family of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceOSFamily
    EMAIL field name: SourceDeviceOSFamily
    HTTPS field name: SourceDeviceOSFamily
    LEEF field name: SourceDeviceOSFamily

source_device_osversion (SOURCE DEVICE OS VERSION)
    OS version of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceOSVersion
    EMAIL field name: SourceDeviceOSVersion
    HTTPS field name: SourceDeviceOSVersion
    LEEF field name: SourceDeviceOSVersion

source_device_profile (SOURCE DEVICE PROFILE)
    Profile of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceProfile
    EMAIL field name: SourceDeviceProfile
    HTTPS field name: SourceDeviceProfile
    LEEF field name: SourceDeviceProfile

source_device_vendor (SOURCE DEVICE VENDOR)
    Vendor of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceVendor
    EMAIL field name: SourceDeviceVendor
    HTTPS field name: SourceDeviceVendor
    LEEF field name: SourceDeviceVendor

source_dynamic_address_group (SOURCE DYNAMIC ADDRESS GROUP)
    The dynamic address group that Device-ID identifies as the source of the traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDynamicAddressGroup
    EMAIL field name: SourceDynamicAddressGroup
    HTTPS field name: SourceDynamicAddressGroup
    LEEF field name: SourceDynamicAddressGroup

source_edl (SOURCE EDL)
    The name of the external dynamic list that contains the source IP address of the traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceEDL
    EMAIL field name: SourceEDL
    HTTPS field name: SourceEDL
    LEEF field name: SourceEDL

source_ip.value (SOURCE ADDRESS)
    Original source IP address.
    Syslog field name: Syslog Field Order
    CEF field name: src or c6a2
    EMAIL field name: SourceAddress
    HTTPS field name: SourceAddress
    LEEF field name: src

source_location (SOURCE LOCATION)
    Source country or internal region for private addresses.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceLocation
    EMAIL field name: SourceLocation
    HTTPS field name: SourceLocation
    LEEF field name: SourceLoc
    LEEF field name: SourceLocation

source_port (SOURCE PORT)
    Source port utilized by the session.
    Syslog field name: Syslog Field Order
    CEF field name: spt
    EMAIL field name: SourcePort
    HTTPS field name: SourcePort
    LEEF field name: srcPort

source_user (SOURCE USER)
    The username that initiated the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: suser
    EMAIL field name: SourceUser
    HTTPS field name: SourceUser
    LEEF field name: usrName

Cortex Data Lake Schema Reference January 2024 252 ©2024 Palo Alto Networks, Inc.
Network Logs

FILE Field Description


(Display Name)

source_user_info.domain Domain to which the Source User belongs.


(SOURCE USER DOMAIN) CEF field name: sntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain

source_user_info.name The Source User. That is, the username that initiated
the network traffic.
(SOURCE USER NAME)
CEF field name: All of the following: susername, suser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName

source_user_info.uuid Unique identifier assigned to the Source User.


(SOURCE USER UUID) CEF field name: suid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID

source_uuid Identifies the source universal unique identifier for a


guest virtual machine in the VMware NSX environment.
(SOURCE UUID)
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceUUID
EMAIL field name: SourceUUID
HTTPS field name: SourceUUID
LEEF field name: SourceUUID

sub_type.value Identifies the log subtype.


(SUB TYPE) Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: All of the following: Subtype,
SubType
HTTPS field name: All of the following: Subtype,
SubType

Cortex Data Lake Schema Reference January 2024 253 ©2024 Palo Alto Networks, Inc.
Network Logs

FILE Field Description


(Display Name)
LEEF field name: SubType

technology_of_app (APPLICATION TECHNOLOGY)
The networking technology used by the identified application.
CEF field name: PanOSApplicationTechnology
EMAIL field name: ApplicationTechnology
HTTPS field name: ApplicationTechnology
LEEF field name: ApplicationTechnology

threat_category.value (THREAT CATEGORY)
Threat category of the detected threat.
CEF field name: PanOSThreatCategory
EMAIL field name: ThreatCategory
HTTPS field name: ThreatCategory
LEEF field name: ThreatCategory

threat_name_firewall (THREAT NAME FIREWALL)
Threat name written by the firewall.
CEF field name: PanOSThreatNameFirewall
EMAIL field name: ThreatNameFirewall
HTTPS field name: ThreatNameFirewall
LEEF field name: ThreatNameFirewall

time_generated (TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. Note that in the forwarded examples on this page the value is rendered as a formatted timestamp (ISO 8601 in the Syslog and EMAIL examples, "Mon DD YYYY HH:MM:SS" in the CEF example), not as a raw microsecond count, so a consumer should parse the form its own forwarding format actually delivers.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res (TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

to_zone (TO ZONE)
Networking zone to which the traffic was sent.
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone

tunnel.value (TUNNEL)
Type of tunnel.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnel
EMAIL field name: Tunnel
HTTPS field name: Tunnel
LEEF field name: Tunnel

tunneled_app (TUNNELED APPLICATION)
For internal use only.
CEF field name: PanOSTunneledApplication
EMAIL field name: TunneledApplication
HTTPS field name: TunneledApplication
LEEF field name: TunneledApplication

tunnelid_imsi (IMSI)
ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Syslog field name: Syslog Field Order
CEF field name: PanOSIMSI
EMAIL field name: IMSI
HTTPS field name: IMSI
LEEF field name: IMSI

url_category.value (URL CATEGORY)
The URL category.
Syslog field name: Syslog Field Order
CEF field name: cs2
EMAIL field name: URLCategory
HTTPS field name: URLCategory
LEEF field name: URLCategory

url_domain (URL)
The name of the internet domain that was visited in this session.
CEF field name: PanOSURL
EMAIL field name: URL
HTTPS field name: URL
LEEF field name: URL

users (USERS)
Source/Destination user. If neither is available, source_ip is used.
CEF field name: PanOSUsers
EMAIL field name: Users
HTTPS field name: Users
LEEF field name: Users

vendor_name (VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

vendor_severity.value (VENDOR SEVERITY)
Severity associated with the event.
Syslog field name: Syslog Field Order
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity

vsys (VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

vsys_id (VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name (VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

xff_ip.value (X-FORWARDED-FOR IP)
X-Forwarded-For IP, that is, the client address carried in the HTTP X-Forwarded-For header. The header is written by whatever proxy sits in front of the firewall and can be set by the client itself, so treat this value as untrusted attribution unless the proxy that inserts it is under your control.
Syslog field name: Syslog Field Order
CEF field name: PanOSX-Forwarded-ForIP
EMAIL field name: X-Forwarded-ForIP
HTTPS field name: X-Forwarded-ForIP
LEEF field name: X-Forwarded-ForIP

File Syslog Default Field Order


Example File log in Syslog:

Oct 13 20:56:15 gke-standard-cluster-2-pool-1-6ea9f13a-fnid 394
<142>1 2020-10-13T20:56:15.519Z stream-logfwd20-156653024-10121421-
eq28-harness-16kn logforwarder - panwlogs - Palo Alto Networks,
firewall,013201004706,PA-5220,11122,2019-07-03T00:36:24.000000Z,,
3,THREAT,5,file,xxx.xx.x.xx,00000000000000000000ffff0a0002e3,37404,
xxx.xx.x.xx,00000000000000000000ffff0a65025a,25,6,tcp,52100,PNG
File Upload,PA-5220,0,client to server,.D_\u001C=w\u0019ByK\u0001K
\u0007N,page-icon.png,,vCbg4~S8|,hd{dM*QDo,\"HR\u0017\u001DC(\rSZ<
\",,3422257956016083937,2,Low,Low,uDX|F\f*A\u00074g,0,0,0,any,4,
alert,-6917529027641081856,smtp,collaboration,3\r\n4\r\n5\r\n6\r
\n7\r\n8,,12,0,0,0,,xxx.xx.x.xx-xxx.xx.x.xx,\"K\\m(+\u0018F\u0017\",
&\u0019qTt.!e|xZ\u001E?,,,false,true,tap,,ethernet,1181132783616,
0,0,ethernet,1,19,false,false,false,false,test,\"\u000Fw\fQO&b4g09$
\",0,xxx.xx.x.xx,00000000000000000000ffff00000000,0,xxx.xx.x.xx,
00000000000000000000ffff00000000,0,ethernet,1181132783616,0,0,
ethernet,1,19,0,1970-01-01T00:00:00.000000Z,9,5,dg-log-policy,
,false,6708774908183346528,4016143,\"EFX4\u0010Mb'\u001D\u001B
\",xxx.xx.x.xx-xxx.xx.x.xx,,\"u\u001BA\u0006\u0011?<m_o\tR\u001E
\",>$BOg]Z5,,email,client-server,2019-07-31T06:06:06.000000Z,
tap,0,N/A,untunneled,0,xxx.xx.x.xx,1,smtp,OSC\u0013%6$\u0002f,
8192,false,false,false,false,false,false,false,false,false,false,
false,false,false,false,false,false,false,,-1322647286,,,\"}Irh!
C}\u000B\u000FE\r\u0016IPP\",,\"\u0016AJ>E~a`\u000F\u0013:Hfw(\",,,,
\"\u0013)\u000Bj)(\u0018cX<\u0012\",,,28$ffo\u0017v&,,,,\"[4\u000FBO?
\"\"w_\u0010\tD\",,\"p5#/\t\u0004e\u0006\",,,\"\u000BO#<L5dFMN\u0015l
\u001C\",\"\u001750g=\u0011'\u0000U\u000EM! \",\"\u0017w>/l9kC??\",
,,\"6\u001D:_\u0018'n\u001B\",,,,\"\"\"*ZdS\u0001/\u0012A^S\",,,
\"\u0013Ifte\u0006nk\u001EsX\",,,true,false,oLyqAH\u00079,,,,

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value,
rule_matched, source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value,
outbound_if.value, log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port,
nat_source_port, nat_dest_port, flags, protocol.value, action.value, file_name, file_id,
url_category.value, vendor_severity.value, direction_of_attack.value, sequence_no, action_flags,
source_location, dest_location, EMPTY, EMPTY, pcap_id, file_sha_256, EMPTY, EMPTY,
EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, report_id, dg_hier_level_1,
dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, EMPTY,
source_uuid, dest_uuid, EMPTY, tunnelid_imsi, monitor_tag_imei, parent_session_id,
parent_start_time, tunnel.value, EMPTY, content_version, sig_flags, EMPTY, EMPTY,
EMPTY, EMPTY, rule_matched_uuid, http2_connection, dynusergroup_name, xff_ip.value,
source_device_category, source_device_profile, source_device_model, source_device_vendor,
source_device_osfamily, source_device_osversion, source_device_host, source_device_mac,
dest_device_category, dest_device_profile, dest_device_model, dest_device_vendor,
dest_device_osfamily, dest_device_osversion, dest_device_host, dest_device_mac, container_id,
pod_namespace, pod_name, source_edl, dest_edl, gp_host_id, endpoint_serial_number,
domain_edl, source_dynamic_address_group, dest_dynamic_address_group, partial_hash,
time_generated_high_res, reason_data_filtering, justification, nssai_network_slice_type.value
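Worked example, added here and not part of the Palo Alto Networks documentation or of the Log Forwarding app itself: the Python below takes one forwarded File log in Syslog format, strips the RFC 5424 header, and maps the CSV body onto the default field order listed above, so a consumer works with query-name keys (source_ip.value, file_name, and so on) rather than column positions. It assumes that HEADER in the list stands for the syslog header rather than a CSV column, and that the CSV quoting is the standard doubled-quote form visible in the example above. The sample line is constructed for illustration and deliberately carries only the first 34 columns, which the parser reports under _missing_fields; every name in the code other than the query names and the RFC 5424 header parts is the example's own.

```python
import csv
import io
import re

# Default File-log field order for migrated filters, as listed on this page.
# This example treats HEADER as the RFC 5424 syslog header itself rather than
# a CSV column (an assumption); EMPTY marks a reserved column with no value.
_FIELD_ORDER_TEXT = """
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value,
rule_matched, source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value,
outbound_if.value, log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port,
nat_source_port, nat_dest_port, flags, protocol.value, action.value, file_name, file_id,
url_category.value, vendor_severity.value, direction_of_attack.value, sequence_no, action_flags,
source_location, dest_location, EMPTY, EMPTY, pcap_id, file_sha_256, EMPTY, EMPTY,
EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, report_id, dg_hier_level_1,
dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, EMPTY,
source_uuid, dest_uuid, EMPTY, tunnelid_imsi, monitor_tag_imei, parent_session_id,
parent_start_time, tunnel.value, EMPTY, content_version, sig_flags, EMPTY, EMPTY,
EMPTY, EMPTY, rule_matched_uuid, http2_connection, dynusergroup_name, xff_ip.value,
source_device_category, source_device_profile, source_device_model, source_device_vendor,
source_device_osfamily, source_device_osversion, source_device_host, source_device_mac,
dest_device_category, dest_device_profile, dest_device_model, dest_device_vendor,
dest_device_osfamily, dest_device_osversion, dest_device_host, dest_device_mac, container_id,
pod_namespace, pod_name, source_edl, dest_edl, gp_host_id, endpoint_serial_number,
domain_edl, source_dynamic_address_group, dest_dynamic_address_group, partial_hash,
time_generated_high_res, reason_data_filtering, justification, nssai_network_slice_type.value
"""
FILE_DEFAULT_FIELD_ORDER = [f.strip() for f in _FIELD_ORDER_TEXT.split(",")]

# RFC 5424 header as the Log Forwarding app emits it in the example above:
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# search() rather than match() tolerates a relay's own prefix before <PRI>.
_SYSLOG_5424 = re.compile(
    r"<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)\Z",
    re.DOTALL,
)


def parse_file_syslog(line, field_order=FILE_DEFAULT_FIELD_ORDER):
    """Map one forwarded File log onto query names using a positional field order.

    Returns a dict with a 'header' sub-dict for the syslog header, one key per
    named column, and '_missing_fields' for trailing columns the line did not
    carry (a shorter line, for example one produced before a column was added).
    """
    m = _SYSLOG_5424.search(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    names = field_order[1:] if field_order[0] == "HEADER" else list(field_order)
    # PAN-OS wraps a field that contains a comma or quote in double quotes and
    # doubles embedded quotes, which is what the csv module expects by default.
    values = next(csv.reader(io.StringIO(m.group("msg")), strict=True))
    if len(values) > len(names):
        raise ValueError(
            f"{len(values)} columns but the field order names {len(names)}; "
            "this filter is not using the default field order"
        )
    record = {"header": {k: v for k, v in m.groupdict().items() if k != "msg"}}
    for name, value in zip(names, values):
        if name != "EMPTY":  # reserved columns are dropped rather than keyed
            record[name] = value
    record["_missing_fields"] = [n for n in names[len(values):] if n != "EMPTY"]
    return record


# Constructed sample (not taken from the page): a File log carrying the first 34
# default columns. The file name contains a comma and quotes to exercise quoting.
SAMPLE_LINE = (
    "<14>1 2024-01-30T10:15:01.000Z lf-harness-example logforwarder - panwlogs - "
    "2024-01-30T10:15:00.000000Z,007051000012345,THREAT,file,10.2.0,"
    "2024-01-30T10:14:58.000000Z,10.1.1.25,203.0.113.10,192.0.2.1,203.0.113.10,"
    "allow-web,jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/1,ethernet1/2,"
    "lf-default,,48211,1,51532,443,40001,443,0x400000,tcp,alert,"
    '"Q4 report, final ""v2"".pdf",0,business-and-economy,Low'
)

if __name__ == "__main__":
    rec = parse_file_syslog(SAMPLE_LINE)
    for key in ("log_type.value", "sub_type.value", "source_ip.value", "dest_port",
                "action.value", "file_name", "vendor_severity.value"):
        print(f"{key:24} {rec[key]!r}")
    print("missing:", len(rec["_missing_fields"]), "columns, first is", rec["_missing_fields"][0])
```

A line with more columns than the default order names is the signal that the filter was created after the migration with its own column selection; in that case pass the column list you chose when you created the filter as field_order instead of guessing at positions.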

File CEF Fields


Example File log in CEF:

Mar 1 21:06:08 xxx.xx.x.xx 3916 <14>1 2021-03-01T21:06:08.438Z
stream-logfwd20-587718190-03011255-ut6o-harness-5vlj
logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|
THREAT|file|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021
21:06:06 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=
PanOSApplicationCategory=collaboration PanOSApplicationContainer=
PanOSApplicationRisk=5 PanOSApplicationSubcategory=email
PanOSApplicationTechnology=client-server PanOSCaptivePortal=false
PanOSCloudHostname=PA-5220 PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx
PanOSDLPVersionFlag= PanOSDestinationDeviceClass=
PanOSDestinationDeviceOS= dntdom= duser= duid= PanOSFileType=PNG
File Upload PanOSInboundInterfaceDetailsPort=19
PanOSInboundInterfaceDetailsSlot=1
PanOSInboundInterfaceDetailsType=ethernet
PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false
PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=
PanOSIsDuplicateLog=false PanOSIsEncrypted= PanOSIsIPV6=
PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false
PanOSIsPacketCapture=false PanOSIsPhishing=false
PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false
PanOSIsProxy=false PanOSIsReconExcluded=false
PanOSIsSaaSApplication=false PanOSIsServertoClient=false
PanOSIsSourceXForwarded= PanOSIsSystemReturn=false
PanOSIsTransaction=false PanOSIsTunnelInspected=false
PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true
PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset=
PanOSNAT=false PanOSNonStandardDestinationPort=0
PanOSOutboundInterfaceDetailsPort=19
PanOSOutboundInterfaceDetailsSlot=1
PanOSOutboundInterfaceDetailsType=ethernet
PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSProfileName=
PanOSSanctionedStateOfApp=false PanOSSeverity=Low
PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=
suser= suid= PanOSThreatCategory= PanOSThreatNameFirewall=
PanOSTunneledApplication=untunneled PanOSURL= PanOSUsers=xxx.xx.x.xx
PanOSVirtualSystemID=1 start=Mar 01 2021 21:06:06 src=xxx.xx.x.xx
dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx
destinationTranslatedAddress=xxx.xx.x.xx cs1=dg-log-
policy cs1Label=Rule suser0= duser0= app=smtp cs3=smtp
cs3Label=VirtualLocation cs4=tap cs4Label=FromZone cs5=tap
cs5Label=ToZone deviceInboundInterface=ethernet1/19
deviceOutboundInterface=ethernet1/19 cs6=test cs6Label=LogSetting
cn1=4016143 cn1Label=SessionID cnt=9 spt=37404 dpt=25
sourceTranslatedPort=0 destinationTranslatedPort=0 proto=tcp
act=alert filePath=page-icon.png cs2=any cs2Label=URLCategory
flexString2=client to server flexString2Label=DirectionOfAttack
externalId=xxxxxxxxxxxxx PanOSSourceLocation=xxx.xx.x.xx-
xxx.xx.x.xx PanOSDestinationLocation=xxx.xx.x.xx-xxx.xx.x.xx
fileId=0 PanOSFileHash= PanOSReportID= PanOSDGHierarchyLevel1=12
PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0
PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220
PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI=
PanOSParentSessionID=0 PanOSParentStartTime=Jan 01 1970 00:00:00
PanOSTunnel=N/A PanOSContentVersion= PanOSSigFlags=0 PanOSRuleUUID=
PanOSHTTP2Connection= PanOSDynamicUserGroup= PanOSX-Forwarded-
ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile=
PanOSSourceDeviceModel= PanOSSourceDeviceVendor=
PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion=
PanOSSourceDeviceHost= PanOSSourceDeviceMac=
PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile=
PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor=
PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion=
PanOSDestinationDeviceHost= PanOSDestinationDeviceMac=
PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName=
PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx
PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL=
PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup=
PanOSPartialHash= PanOSTimeGeneratedHighResolution=Jul 25 2019
23:30:12 PanOSReasonForDataFilteringAction= PanOSJustification=
PanOSNSSAINetworkSliceType=

The following table identifies the File field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name -> Query Name (Header Type; Label = Label Text where the CEF field carries a label; Max Length where the page defines one)

Device Vendor, Device Event Class ID and Name are positions in the CEF header (CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension, as in the example above), not key=value pairs in the extension; every other entry is an extension key.

act -> action.value (Predefined; Max Length 63)
app -> app (Predefined; Max Length 31)
PanOSApplicationCategory -> app_category (Custom)
PanOSApplicationSubcategory -> app_sub_category (Custom)
PanOSCloudHostname -> cloud_hostname (Custom)
PanOSCloudReportID -> cloud_reportid (Custom)
PanOSConfigVersion -> config_version.value (Custom)
PanOSContainerID -> container_id (Custom)
PanOSApplicationContainer -> container_of_app (Custom)
PanOSContentVersion -> content_version (Custom)
cnt -> count_of_repeats (Predefined)
PanOSCortexDataLakeTenantID -> customer_id (Custom)
PanOSDestinationDeviceCategory -> dest_device_category (Custom)
PanOSDestinationDeviceClass -> dest_device_class (Custom)
PanOSDestinationDeviceHost -> dest_device_host (Custom)
PanOSDestinationDeviceMac -> dest_device_mac (Custom)
PanOSDestinationDeviceModel -> dest_device_model (Custom)
PanOSDestinationDeviceOS -> dest_device_os (Custom)
PanOSDestinationDeviceOSFamily -> dest_device_osfamily (Custom)
PanOSDestinationDeviceOSVersion -> dest_device_osversion (Custom)
PanOSDestinationDeviceProfile -> dest_device_profile (Custom)
PanOSDestinationDeviceVendor -> dest_device_vendor (Custom)
PanOSDestinationDynamicAddressGroup -> dest_dynamic_address_group (Custom)
PanOSDestinationEDL -> dest_edl (Custom)
dst or c6a3 -> dest_ip.value (Predefined; for c6a3 only, Label c6a3Label = Destination IPv6 Address)
PanOSDestinationLocation -> dest_location (Custom)
dpt -> dest_port (Predefined)
duser -> dest_user (Predefined; Max Length 1023)
dntdom -> dest_user_info.domain (Predefined; Max Length 255)
dusername, duser -> dest_user_info.name (Predefined; Max Length 255)
duid -> dest_user_info.uuid (Predefined; Max Length 255)
PanOSDestinationUUID -> dest_uuid (Custom)
PanOSDGHierarchyLevel1 -> dg_hier_level_1 (Custom)
PanOSDGHierarchyLevel2 -> dg_hier_level_2 (Custom)
PanOSDGHierarchyLevel3 -> dg_hier_level_3 (Custom)
PanOSDGHierarchyLevel4 -> dg_hier_level_4 (Custom)
flexString2 -> direction_of_attack.value (Predefined; Label flexString2Label = DirectionOfAttack; Max Length 1023)
PanOSDLPVersionFlag -> dlp_version_flag (Custom)
PanOSDomainEDL -> domain_edl (Custom)
PanOSDynamicUserGroup -> dynusergroup_name (Custom)
PanOSEndpointSerialNumber -> endpoint_serial_number (Custom)
filePath -> file_name (Predefined; Max Length 1023)
PanOSFileHash -> file_sha_256 (Custom)
PanOSFileType -> file_type (Custom)
PanOSFileURL -> file_url (Custom)

cs4 -> from_zone (Predefined; Label cs4Label = FromZone; Max Length 4000)
PanOSHostID -> gp_host_id (Custom)
PanOSHTTP2Connection -> http2_connection (Custom)
deviceInboundInterface -> inbound_if.value (Predefined; Max Length 128)
PanOSInboundInterfaceDetailsPort -> inbound_if_details.port (Custom)
PanOSInboundInterfaceDetailsSlot -> inbound_if_details.slot (Custom)
PanOSInboundInterfaceDetailsType -> inbound_if_details.type.value (Custom)
PanOSInboundInterfaceDetailsUnit -> inbound_if_details.unit (Custom)
PanOSCaptivePortal -> is_captive_portal (Custom)
PanOSIsClienttoServer -> is_client_to_server (Custom)
PanOSIsContainer -> is_container (Custom)
PanOSIsDecryptMirror -> is_decrypt_mirror (Custom)
PanOSIsDecrypted -> is_decrypted (Custom)
PanOSIsDuplicateLog -> is_dup_log (Custom)
PanOSIsEncrypted -> is_encrypted (Custom)
PanOSLogExported -> is_exported (Custom)
PanOSLogForwarded -> is_forwarded (Custom)
PanOSIsIPV6 -> is_ipv6 (Custom)
PanOSIsMptcpOn -> is_mptcp_on (Custom)
PanOSNAT -> is_nat (Custom)
PanOSIsNonStandardDestinationPort -> is_non_std_dest_port (Custom)
PanOSIsPacketCapture -> is_packet_capture (Custom)
PanOSIsPhishing -> is_phishing (Custom)
PanOSIsPrismaNetwork -> is_prisma_branch (Custom)
PanOSIsPrismaUsers -> is_prisma_mobile (Custom)
PanOSIsProxy -> is_proxy (Custom)
PanOSIsReconExcluded -> is_recon_excluded (Custom)
PanOSIsSaaSApplication -> is_saas_app (Custom)
PanOSIsServertoClient -> is_server_to_client (Custom)
PanOSIsSourceXForwarded -> is_source_x_fwded (Custom)
PanOSIsSystemReturn -> is_sym_return (Custom)
PanOSIsTransaction -> is_transaction (Custom)
PanOSIsTunnelInspected -> is_tunnel_inspected (Custom)
PanOSIsURLDenied -> is_url_denied (Custom)
PanOSJustification -> justification (Custom)
PanOSLocation -> location (Custom)
cs6 -> log_set (Predefined; Label cs6Label = LogSetting; Max Length 4000)
PanOSLogSource -> log_source (Custom)
LogSourceGroupID -> log_source_group_id (Custom)
deviceExternalId -> log_source_id (Predefined; Max Length 255)
dvchost -> log_source_name (Predefined; Max Length 100)
PanOSLogSourceTimeZoneOffset -> log_source_tz_offset (Custom)
rt -> log_time (Predefined)
Device Event Class ID -> log_type.value (Custom)
PanOSIMEI -> monitor_tag_imei (Custom)
destinationTranslatedAddress -> nat_dest.value (Predefined)
destinationTranslatedPort -> nat_dest_port (Predefined)
sourceTranslatedAddress -> nat_source.value (Predefined)
sourceTranslatedPort -> nat_source_port (Predefined)
PanOSNonStandardDestinationPort -> non_standard_dest_port (Custom)
PanOSNSSAINetworkSliceType -> nssai_network_slice_type.value (Custom)
deviceOutboundInterface -> outbound_if.value (Predefined; Max Length 128)
PanOSOutboundInterfaceDetailsPort -> outbound_if_details.port (Custom)
PanOSOutboundInterfaceDetailsSlot -> outbound_if_details.slot (Custom)
PanOSOutboundInterfaceDetailsType -> outbound_if_details.type.value (Custom)
PanOSOutboundInterfaceDetailsUnit -> outbound_if_details.unit (Custom)
PanOSPanoramaSN -> panorama_serial (Custom)
PanOSParentSessionID -> parent_session_id (Custom)
PanOSParentStartTime -> parent_start_time (Custom)
PanOSPartialHash -> partial_hash (Custom)
PanOSPacket -> pcap (Custom)
fileId -> pcap_id (Predefined; Max Length 1023)

PlatformType -> platform_type (Custom)
PanOSContainerName -> pod_name (Custom)
PanOSContainerNameSpace -> pod_namespace (Custom)
PanOSProfileName -> profile_name (Custom)
proto -> protocol.value (Predefined; Max Length 31)
PanOSReasonForDataFilteringAction -> reason_data_filtering (Custom)
PanOSReportID -> report_id (Custom)
PanOSApplicationRisk -> risk_of_app (Custom)
cs1 -> rule_matched (Predefined; Label cs1Label = Rule; Max Length 4000)
PanOSRuleUUID -> rule_matched_uuid (Custom)
PanOSSanctionedStateOfApp -> sanctioned_state_of_app (Custom)
externalId -> sequence_no (Predefined; Max Length 40)
cn1 -> session_id (Predefined; Label cn1Label = SessionID)
PanOSSeverity -> severity (Custom)
PanOSSigFlags -> sig_flags (Custom)
PanOSSourceDeviceCategory -> source_device_category (Custom)
PanOSSourceDeviceClass -> source_device_class (Custom)
PanOSSourceDeviceHost -> source_device_host (Custom)
PanOSSourceDeviceMac -> source_device_mac (Custom)
PanOSSourceDeviceModel -> source_device_model (Custom)
PanOSSourceDeviceOS -> source_device_os (Custom)
PanOSSourceDeviceOSFamily -> source_device_osfamily (Custom)
PanOSSourceDeviceOSVersion -> source_device_osversion (Custom)
PanOSSourceDeviceProfile -> source_device_profile (Custom)
PanOSSourceDeviceVendor -> source_device_vendor (Custom)
PanOSSourceDynamicAddressGroup -> source_dynamic_address_group (Custom)
PanOSSourceEDL -> source_edl (Custom)
src or c6a2 -> source_ip.value (Predefined; for c6a2 only, Label c6a2Label = Source IPv6 Address)
PanOSSourceLocation -> source_location (Custom)
spt -> source_port (Predefined)
suser -> source_user (Predefined; Max Length 1023)
sntdom -> source_user_info.domain (Predefined; Max Length 1023)
susername, suser -> source_user_info.name (Predefined; Max Length 1023)
suid -> source_user_info.uuid (Predefined; Max Length 1023)
PanOSSourceUUID -> source_uuid (Custom)
Name -> sub_type.value (Custom)
PanOSApplicationTechnology -> technology_of_app (Custom)
PanOSThreatCategory -> threat_category.value (Custom)
PanOSThreatNameFirewall -> threat_name_firewall (Custom)
start -> time_generated (Predefined)
PanOSTimeGeneratedHighResolution -> time_generated_high_res (Custom)
cs5 -> to_zone (Predefined; Label cs5Label = ToZone; Max Length 4000)
PanOSTunnel -> tunnel.value (Custom)
PanOSTunneledApplication -> tunneled_app (Custom)
PanOSIMSI -> tunnelid_imsi (Custom)
cs2 -> url_category.value (Predefined; Label cs2Label = URLCategory; Max Length 4000)
PanOSURL -> url_domain (Custom)
PanOSUsers -> users (Custom)
Device Vendor -> vendor_name (Custom)
PanOSVendorSeverity -> vendor_severity.value (Custom)
cs3 -> vsys (Predefined; Label cs3Label = VirtualLocation; Max Length 4000)
PanOSVirtualSystemID -> vsys_id (Custom)
PanOSVirtualSystemName -> vsys_name (Custom)
PanOSX-Forwarded-ForIP -> xff_ip.value (Custom)
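Worked example, added here and not code from Palo Alto Networks or the Log Forwarding app: the Python below parses a File log in CEF format the way the table above implies a consumer must. It splits the seven pipe-separated header positions (honouring the backslash escape for a literal "|"), tokenises the extension into key=value pairs whose values may contain spaces, resolves the cs1/cs1Label, cn1/cn1Label, flexString2/flexString2Label and c6a*/c6a*Label pairs into the labels the table lists (Rule, SessionID, DirectionOfAttack, Source IPv6 Address), and maps the predefined CEF names back to query names so that src or c6a2 both land on source_ip.value. The escape rules (backslash before "|" in the header and before "=" or "\" in the extension) are those of the ArcSight CEF format and are assumed rather than stated on this page; CEF_TO_QUERY_NAME is a subset of the table above, and the sample record is constructed for illustration.

```python
import re

CEF_HEADER_FIELDS = ("Version", "Device Vendor", "Device Product", "Device Version",
                     "Device Event Class ID", "Name", "Severity")

# Subset of the table above: predefined CEF names and their query names.
# PanOS* custom keys are already self-describing and are passed through as-is.
CEF_TO_QUERY_NAME = {
    "act": "action.value", "app": "app", "cnt": "count_of_repeats",
    "dst": "dest_ip.value", "c6a3": "dest_ip.value", "dpt": "dest_port",
    "duser": "dest_user", "dntdom": "dest_user_info.domain", "duid": "dest_user_info.uuid",
    "flexString2": "direction_of_attack.value", "filePath": "file_name",
    "cs4": "from_zone", "deviceInboundInterface": "inbound_if.value", "cs6": "log_set",
    "deviceExternalId": "log_source_id", "dvchost": "log_source_name", "rt": "log_time",
    "destinationTranslatedAddress": "nat_dest.value", "destinationTranslatedPort": "nat_dest_port",
    "sourceTranslatedAddress": "nat_source.value", "sourceTranslatedPort": "nat_source_port",
    "deviceOutboundInterface": "outbound_if.value", "fileId": "pcap_id",
    "proto": "protocol.value", "cs1": "rule_matched", "externalId": "sequence_no",
    "cn1": "session_id", "src": "source_ip.value", "c6a2": "source_ip.value",
    "spt": "source_port", "suser": "source_user", "sntdom": "source_user_info.domain",
    "suid": "source_user_info.uuid", "start": "time_generated", "cs5": "to_zone",
    "cs2": "url_category.value", "cs3": "vsys",
}
# Header positions that the table also maps to query names.
HEADER_TO_QUERY_NAME = {"Device Vendor": "vendor_name",
                        "Device Event Class ID": "log_type.value",
                        "Name": "sub_type.value"}

# One extension pair: a key, "=", then a value that runs (honouring backslash
# escapes) up to the next " key=" boundary or the end of the record. Keys may
# contain "-" because of PanOSX-Forwarded-ForIP.
_EXT_PAIR = re.compile(
    r"(?P<key>[A-Za-z0-9_\-]+)=(?P<val>(?:\\.|[^\\])*?)(?= [A-Za-z0-9_\-]+=|\Z)", re.DOTALL)
_EXT_ESCAPES = {"\\\\": "\\", "\\=": "=", "\\n": "\n", "\\r": "\r"}


def _unescape_extension(value):
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(0), m.group(1)), value, flags=re.DOTALL)


def split_cef_header(text):
    """Split 'CEF:0|...|Severity|extension' into its 7 header fields and the raw extension.

    A literal '|' or '\\' inside a header field is backslash-escaped, so a plain
    str.split('|') would mis-align the fields; this walks the string instead.
    """
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields[0] = fields[0][len("CEF:"):]
    return fields, text[i:]


def parse_cef(line):
    """Return header, raw extension, label-resolved and query-name views of one CEF log."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    header_values, extension = split_cef_header(line[start:].rstrip("\r\n"))
    header = dict(zip(CEF_HEADER_FIELDS, header_values))
    ext = {m.group("key"): _unescape_extension(m.group("val")) for m in _EXT_PAIR.finditer(extension)}

    # cs1=dg-log-policy cs1Label=Rule  ->  labeled["Rule"] == "dg-log-policy"
    labeled = {}
    for key, label in ext.items():
        base = key[:-len("Label")]
        if key.endswith("Label") and base in ext and label:
            labeled[label] = ext[base]

    by_query = {HEADER_TO_QUERY_NAME[k]: v for k, v in header.items() if k in HEADER_TO_QUERY_NAME}
    for key, value in ext.items():
        if key.endswith("Label") and key[:-len("Label")] in ext:
            continue  # the label itself is metadata, not a field value
        by_query[CEF_TO_QUERY_NAME.get(key, key)] = value
    return {"header": header, "ext": ext, "labeled": labeled, "by_query_name": by_query}


# Constructed sample (not from the page); the file name carries an escaped "=".
SAMPLE_CEF = (
    "<14>1 2024-01-30T10:15:01.000Z lf-harness-example logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|THREAT|file|3|"
    "rt=Jan 30 2024 10:15:00 deviceExternalId=007051000012345 "
    "PanOSFileType=PNG File Upload PanOSIsClienttoServer=false "
    "start=Jan 30 2024 10:14:58 src=10.1.1.25 dst=203.0.113.10 "
    "cs1=allow-web cs1Label=Rule app=web-browsing cs3=vsys1 cs3Label=VirtualLocation "
    "cs4=trust cs4Label=FromZone cs5=untrust cs5Label=ToZone "
    "cn1=48211 cn1Label=SessionID cnt=1 spt=51532 dpt=443 proto=tcp act=alert "
    "filePath=Q4 report\\=final v2.pdf cs2=business-and-economy cs2Label=URLCategory "
    "flexString2=client to server flexString2Label=DirectionOfAttack "
    "suser= PanOSThreatCategory= dvchost=PA-5220 PanOSVirt<br>ualSystemID=1".replace("<br>", "")
)

if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_CEF)
    print(parsed["header"])
    print(parsed["labeled"])
    for name in ("log_type.value", "sub_type.value", "rule_matched", "source_ip.value", "file_name"):
        print(f"{name:18} {parsed['by_query_name'][name]!r}")
```

The boundary rule in _EXT_PAIR is what makes values such as "PNG File Upload" or "client to server" survive intact: a value only ends where a space is followed by a key and "=". The same rule means a consumer should never split the extension on whitespace, which is the most common way CEF parsers lose the multi-word values this table produces.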

File EMAIL Fields


Example File log in EMAIL:

TimeReceived=2021-02-22T05:27:37.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=THREAT
SubType=file
ConfigVersion=10.0
TimeGenerated=2021-02-22T05:27:21.000000Z
SourceAddress=xxx.xx.x.xx
DestinationAddress=xxx.xx.x.xx
NATSource=xxx.xx.x.xx
NATDestination=xxx.xx.x.xx
Rule=deny-time-wasters
SourceUser="paloaltonetwork\xxxxx"
DestinationUser="paloaltonetwork\xxxxx"
Application=groupwise
VirtualLocation=vsys1
FromZone=untrust
ToZone=ethernet4Zone-test2
InboundInterface=unknown
OutboundInterface=unknown
LogSetting=rs-logging
SessionID=644314
RepeatCount=1
SourcePort=15810
DestinationPort=19884
NATSourcePort=11883
NATDestinationPort=6753
Protocol=tcp
Action=reset-client
FileName=0123456789012345678901234567890123456789012345678901234
URLCategory=sports
VendorSeverity=Critical
DirectionOfAttack=server to client
SequenceNo=2638705012
SourceLocation=dallas
DestinationLocation=BR
PacketID=0
FileHash=
ReportID=0
DGHierarchyLevel1=11
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=xxxxx
SourceUUID=
DestinationUUID=
IMSI=0
IMEI=
ParentSessionID=0
ParentStartTime=1970-01-01T00:00:00.000000Z
Tunnel=N/A
ContentVersion=50194
SigFlags=4
RuleUUID=2fb8efd4-2f01-421d-a113-097992777432
HTTP2Connection=0
DynamicUserGroup=
X-Forwarded-ForIP=
SourceDeviceCategory=N-Phone
SourceDeviceProfile=n-profile
SourceDeviceModel=Nexus
SourceDeviceVendor=Google
SourceDeviceOSFamily=LG-H790
SourceDeviceOSVersion=Android v6
SourceDeviceHost=pan-301
SourceDeviceMac=839147449905
DestinationDeviceCategory=N-Phone
DestinationDeviceProfile=n-profile
DestinationDeviceModel=Nexus
DestinationDeviceVendor=Google
DestinationDeviceOSFamily=H1511
DestinationDeviceOSVersion=Android v7
DestinationDeviceHost=pan-355
DestinationDeviceMac=530589561221
ContainerID=1873cc5c-0d31
ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4
SourceEDL=
DestinationEDL=
HostID=3030303030
EndpointSerialNumber=xxxxxxxxxxxxxx
DomainEDL=
SourceDynamicAddressGroup=
DestinationDynamicAddressGroup= red_dag
PartialHash=0
TimeGeneratedHighResolution=2021-02-22T05:27:21.528000Z
ReasonForDataFilteringAction=
Justification=
NSSAINetworkSliceType=bf

The following table identifies the File field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.

EMAIL Name Query Name

Action action.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

CloudHostname cloud_hostname

CloudReportID cloud_reportid

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

ContentVersion content_version

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DirectionOfAttack direction_of_attack.value

DLPVersionFlag dlp_version_flag

DomainEDL domain_edl

DynamicUserGroup dynusergroup_name

EndpointSerialNumber endpoint_serial_number

FileName file_name

FileHash file_sha_256

FileType file_type

FileURL file_url

FromZone from_zone

HostID gp_host_id

HTTP2Connection http2_connection

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

Justification justification

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStartTime parent_start_time

PartialHash partial_hash

Packet pcap

PacketID pcap_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

ProfileName profile_name

Protocol protocol.value

ReasonForDataFilteringAction reason_data_filtering

ReportID report_id

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp sanctioned_state_of_app

SequenceNo sequence_no

SessionID session_id

Severity severity

SigFlags sig_flags

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype, SubType sub_type.value

ApplicationTechnology technology_of_app

ThreatCategory threat_category.value

ThreatNameFirewall threat_name_firewall

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

Tunnel tunnel.value

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URLCategory url_category.value

URL url_domain

Users users

VendorName vendor_name

VendorSeverity vendor_severity.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

X-Forwarded-ForIP xff_ip.value

File HTTPS Fields


The following table identifies the File field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

Action action.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

CloudHostname cloud_hostname

CloudReportID cloud_reportid

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

ContentVersion content_version

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DirectionOfAttack direction_of_attack.value

DLPVersionFlag dlp_version_flag

DomainEDL domain_edl

DynamicUserGroup dynusergroup_name

EndpointSerialNumber endpoint_serial_number

FileName file_name

FileHash file_sha_256

FileType file_type

FileURL file_url

FromZone from_zone

HostID gp_host_id

HTTP2Connection http2_connection

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

Justification justification

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStartTime parent_start_time

PartialHash partial_hash

Packet pcap

PacketID pcap_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

ProfileName profile_name

Protocol protocol.value

ReasonForDataFilteringAction reason_data_filtering

ReportID report_id

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp sanctioned_state_of_app

SequenceNo sequence_no

SessionID session_id

Severity severity

SigFlags sig_flags

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype, SubType sub_type.value

ApplicationTechnology technology_of_app

ThreatCategory threat_category.value

ThreatNameFirewall threat_name_firewall

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

Tunnel tunnel.value

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URLCategory url_category.value

URL url_domain

Users users

VendorName vendor_name

VendorSeverity vendor_severity.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

X-Forwarded-ForIP xff_ip.value

File LEEF Fields


Example File log in LEEF:

Sep 21 01:52:01 xxx.xx.x.xx 2309 <14>1 2021-09-21T01:52:01.624Z
stream-logfwd20-d324e775--09201841-lxtx-harness-b86s logforwarder
- panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|17657||
TimeReceived=2021-09-21T01:52:00.000000Z DeviceSN=xxxxxxxxxxxxx cat=threat SubType=file
ConfigVersion=10.1 devTime=2021-09-21T01:51:53.000000Z
src=xxx.xx.x.xx dst= srcPostNAT=xxx.xx.x.xx dstPostNAT=
Rule=allow-business-apps usrName=paloaltonetwork\xxxxx
DestinationUser=paloaltonetwork\xxxxx Application=profinet
VirtualLocation=vsys1 FromZone=datacenter ToZone=untrust
InboundInterface=ethernet1/1 OutboundInterface=ethernet1/2
LogSetting=rs-logging SessionID=673161 RepeatCount=1 srcPort=21000
dstPort=12661 srcPostNATPort=22160 dstPostNATPort=6459
proto=tcp Action=block-url FileName=totally another fake filename
URLCategory=custom-category VendorSeverity=Medium
DirectionOfAttack=server to client SequenceNo=7003061085140561385
SourceLocation=east-coast DestinationLocation=AU
PacketID=0 FileHash= ReportID=0 DGHierarchyLevel1=11
DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0
VirtualSystemName= DeviceName=xxxxx SourceUUID= DestinationUUID=
IMSI=100002086896379 IMEI=100000001147849194 ParentSessionID=0
ParentStartTime=1970-01-01T00:00:00.000000Z Tunnel=GTP-U
ContentVersion=50097 SigFlags=0
RuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8 HTTP2Connection=0
DynamicUserGroup= X-Forwarded-ForIP=xxx.xx.x.xx
SourceDeviceCategory=L-Phone SourceDeviceProfile=l-profile
SourceDeviceModel=Note 4G SourceDeviceVendor=Lenovo
SourceDeviceOSFamily=K6 SourceDeviceOSVersion=Android v9
SourceDeviceHost=pan-505 SourceDeviceMac=596703749274
DestinationDeviceCategory=L-Phone DestinationDeviceProfile=l-profile
DestinationDeviceModel=Note XT DestinationDeviceVendor=Lenovo
DestinationDeviceOSFamily=K8 DestinationDeviceOSVersion=Android v8
DestinationDeviceHost=pan-506 DestinationDeviceMac=150083646537
ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL=
HostID=1010101010 EndpointSerialNumber=xxxxxxxxxxxxxx DomainEDL=
SourceDynamicAddressGroup= DestinationDynamicAddressGroup=
PartialHash=0 TimeGeneratedHighResolution=2021-09-21T01:51:53.779000Z
ReasonForDataFilteringAction= Justification=
NSSAINetworkSliceType=fd devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
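
The LEEF line above, parsed and re-keyed in Python. This is an added example, not code from this reference or from Palo Alto Networks: the PREDEFINED and CUSTOM dictionaries are copied from the LEEF table that follows, while the function names, the handling of LEEF 1.0 headers and hex delimiter specs in leef_delimiter, and the constructed SAMPLE line (RFC 5737 addresses, explicit tab characters between attributes because the empty sixth header field selects the LEEF 2.0 default delimiter of tab) are the example's own assumptions.

```python
from __future__ import annotations

from datetime import datetime

# LEEF names the table types as "Predefined", keyed to their query names.
PREDEFINED = {
    "src": "source_ip.value", "dst": "dest_ip.value",
    "srcPort": "source_port", "dstPort": "dest_port",
    "srcPostNAT": "nat_source.value", "dstPostNAT": "nat_dest.value",
    "srcPostNATPort": "nat_source_port", "dstPostNATPort": "nat_dest_port",
    "proto": "protocol.value", "cat": "log_type.value",
    "usrName": "source_user", "devTime": "time_generated",
}
# Some "Custom" names from the same table whose query name differs from the LEEF name;
# custom names not listed here (a profileToken, for instance) pass through unchanged.
CUSTOM = {
    "TimeReceived": "log_time", "DeviceSN": "log_source_id", "SubType": "sub_type.value",
    "Rule": "rule_matched", "RuleUUID": "rule_matched_uuid", "Action": "action.value",
    "FileName": "file_name", "FileHash": "file_sha_256", "Tunnel": "tunnel.value",
}

# Constructed sample modelled on the page's example: RFC 5737 addresses, and a tab (0x09)
# between attributes because the empty sixth header field selects the LEEF 2.0 default.
SAMPLE = (
    "<14>1 2021-09-21T01:52:01.624Z stream-logfwd20-example logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|17657||"
    "TimeReceived=2021-09-21T01:52:00.000000Z\tDeviceSN=xxxxxxxxxxxxx\tcat=threat\t"
    "SubType=file\tdevTime=2021-09-21T01:51:53.000000Z\tsrc=192.0.2.5\tdst=\t"
    "srcPostNAT=203.0.113.10\tdstPostNAT=\tRule=allow-business-apps\tusrName=example\\jdoe\t"
    "srcPort=21000\tdstPort=12661\tproto=tcp\tAction=block-url\t"
    "FileName=totally another fake filename\tFileHash=\tTunnel=GTP-U\t"
    "RuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8\tdevTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)


def leef_delimiter(spec: str) -> str:
    """Decode the LEEF 2.0 delimiter field: empty means tab, x09/0x09 is hex, else literal."""
    if spec == "":
        return "\t"
    low = spec.lower()
    if low.startswith("0x") and len(low) > 2:
        return chr(int(low[2:], 16))
    if low.startswith("x") and len(low) > 1:
        return chr(int(low[1:], 16))
    if len(spec) == 1:
        return spec
    raise ValueError(f"unsupported LEEF delimiter spec {spec!r}")


def parse_leef(line: str) -> dict:
    """Split a (possibly syslog-prefixed) LEEF line into header, delimiter and attributes."""
    start = line.find("LEEF:")
    if start < 0 or "|" not in line[start:]:
        raise ValueError("no LEEF header in line")
    leef = line[start:]
    version = leef[len("LEEF:"):leef.index("|")]
    nfields = 5 if version == "1.0" else 6  # LEEF 1.0 has no delimiter field; it always uses tab
    parts = leef.split("|", nfields)        # escaped pipes (\|) in header values are not handled
    if len(parts) != nfields + 1:
        raise ValueError("truncated LEEF header")
    delim = "\t" if nfields == 5 else leef_delimiter(parts[5])
    fields = {}
    for item in parts[nfields].split(delim):
        if item == "":
            continue
        key, sep, value = item.partition("=")  # split on the first '=' only; values may contain '='
        if not sep:
            raise ValueError(f"attribute without '=': {item!r}")
        fields[key] = value                    # a bare 'key=' is kept as an empty string
    header = {"version": version, "vendor": parts[1], "product": parts[2],
              "product_version": parts[3], "event_id": parts[4]}
    return {"header": header, "delimiter": delim, "fields": fields}


def to_query_names(parsed: dict) -> dict:
    """Re-key attributes by query name; Vendor and EventID are 'Header' fields in the table."""
    out = {"vendor_name": parsed["header"]["vendor"], "file_type": parsed["header"]["event_id"]}
    for key, value in parsed["fields"].items():
        out[PREDEFINED.get(key) or CUSTOM.get(key) or key] = value
    return out


def empty_fields(parsed: dict) -> list[str]:
    """Attributes that arrived as a bare 'key=' (dst=, FileHash=); once tabs render as spaces
    such a key visually fuses with the next attribute, as in 'dst=srcPostNAT=...'."""
    return [k for k, v in parsed["fields"].items() if v == ""]


def device_time(parsed: dict) -> datetime:
    """devTime as an aware datetime; the advertised devTimeFormat is ISO 8601 with a literal Z."""
    return datetime.fromisoformat(parsed["fields"]["devTime"].replace("Z", "+00:00"))


if __name__ == "__main__":
    parsed = parse_leef(SAMPLE)
    print(parsed["header"], "empty:", empty_fields(parsed), "devTime:", device_time(parsed))
    for name, value in sorted(to_query_names(parsed).items()):
        print(f"{name} = {value!r}")
```

Running it prints the header, the attributes that arrived as a bare key= (dst, dstPostNAT and FileHash in the sample) and every attribute keyed by its query name. Keeping empty values as empty strings rather than dropping them is what stops dst= from being misread as part of the following srcPostNAT attribute once the tab delimiters have been rendered as spaces, which is exactly what happened to the extracted example above; attributes the table does not rename, including a configured profileToken, keep their LEEF name.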

The following table identifies the File field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth), as a parameter called profileToken.

LEEF Name Query Name Field Type

Action action.value Custom

Application app Custom

ApplicationCategory app_category Custom

ApplicationSubcategory app_sub_category Custom

CloudHostname cloud_hostname Custom

CloudReportID cloud_reportid Custom

ConfigVersion config_version.value Custom

ContainerID container_id Custom

ApplicationContainer container_of_app Custom

ContentVersion content_version Custom

RepeatCount count_of_repeats Custom

CortexDataLakeTenantID customer_id Custom

DestinationDeviceCategory dest_device_category Custom

DestinationDeviceClass dest_device_class Custom

DestinationDeviceHost dest_device_host Custom

DestinationDeviceMac dest_device_mac Custom

DestinationDeviceModel dest_device_model Custom

DestinationDeviceOS dest_device_os Custom

DestinationDeviceOSFamily dest_device_osfamily Custom

DestinationDeviceOSVersion dest_device_osversion Custom

DestinationDeviceProfile dest_device_profile Custom

DestinationDeviceVendor dest_device_vendor Custom

DestinationDynamicAddressGroup dest_dynamic_address_group Custom

DestinationEDL dest_edl Custom

dst dest_ip.value Predefined

DestinationLocation dest_location Custom

dstPort dest_port Predefined

DestinationUser dest_user Custom

DestinationUserDomain dest_user_info.domain Custom

DestinationUserName dest_user_info.name Custom

DestinationUserUUID dest_user_info.uuid Custom

DestinationUUID dest_uuid Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

DirectionOfAttack direction_of_attack.value Custom

DLPVersionFlag dlp_version_flag Custom

DomainEDL domain_edl Custom

DynamicUserGroup dynusergroup_name Custom

EndpointSerialNumber endpoint_serial_number Custom

FileName file_name Custom

FileHash file_sha_256 Custom

EventID file_type Header

FileURL file_url Custom

FromZone from_zone Custom

HostID gp_host_id Custom

HTTP2Connection http2_connection Custom

InboundInterface inbound_if.value Custom

InboundInterfaceDetailsPort inbound_if_details.port Custom

InboundInterfaceDetailsSlot inbound_if_details.slot Custom

InboundInterfaceDetailsType inbound_if_details.type.value Custom

InboundInterfaceDetailsUnit inbound_if_details.unit Custom

CaptivePortal is_captive_portal Custom

IsClienttoServer is_client_to_server Custom

IsContainer is_container Custom

IsDecryptMirror is_decrypt_mirror Custom

IsDecrypted is_decrypted Custom

IsDuplicateLog is_dup_log Custom

IsEncrypted is_encrypted Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsIPV6 is_ipv6 Custom

IsMptcpOn is_mptcp_on Custom

NAT is_nat Custom

IsNonStandardDestinationPort is_non_std_dest_port Custom

IsPacketCapture is_packet_capture Custom

IsPhishing is_phishing Custom

IsPrismaNetwork is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

IsProxy is_proxy Custom

IsReconExcluded is_recon_excluded Custom

IsSaaSApplication is_saas_app Custom

IsServertoClient is_server_to_client Custom

IsSourceXForwarded is_source_x_fwded Custom

IsSystemReturn is_sym_return Custom

IsTransaction is_transaction Custom

IsTunnelInspected is_tunnel_inspected Custom

IsURLDenied is_url_denied Custom

Justification justification Custom

Location location Custom

LogSetting log_set Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

IMEI monitor_tag_imei Custom

dstPostNAT nat_dest.value Predefined

dstPostNATPort nat_dest_port Predefined

srcPostNAT nat_source.value Predefined

srcPostNATPort nat_source_port Predefined

NonStandardDestinationPort non_standard_dest_port Custom

NSSAINetworkSliceType nssai_network_slice_type.value Custom

OutboundInterface outbound_if.value Custom

OutboundInterfaceDetailsPort outbound_if_details.port Custom

OutboundInterfaceDetailsSlot outbound_if_details.slot Custom

OutboundInterfaceDetailsType outbound_if_details.type.value Custom

OutboundInterfaceDetailsUnit outbound_if_details.unit Custom

PanoramaSN panorama_serial Custom

ParentSessionID parent_session_id Custom

ParentStartTime parent_start_time Custom

PartialHash partial_hash Custom

Packet pcap Custom

PacketID pcap_id Custom

PlatformType platform_type Custom

ContainerName pod_name Custom

ContainerNameSpace pod_namespace Custom

ProfileName profile_name Custom

proto protocol.value Predefined

ReasonForDataFilteringAction reason_data_filtering Custom

ReportID report_id Custom

ApplicationRisk risk_of_app Custom

Rule rule_matched Custom

RuleUUID rule_matched_uuid Custom

SanctionedStateOfApp sanctioned_state_of_app Custom

SequenceNo sequence_no Custom

SessionID session_id Custom

Severity severity Custom

SigFlags sig_flags Custom

SourceDeviceCategory source_device_category Custom

SourceDeviceClass source_device_class Custom

SourceDeviceHost source_device_host Custom

SourceDeviceMac source_device_mac Custom

SourceDeviceModel source_device_model Custom

SourceDeviceOS source_device_os Custom

SourceDeviceOSFamily source_device_osfamily Custom

SourceDeviceOSVersion source_device_osversion Custom

SourceDeviceProfile source_device_profile Custom

SourceDeviceVendor source_device_vendor Custom

SourceDynamicAddressGroup source_dynamic_address_group Custom

SourceEDL source_edl Custom

src source_ip.value Predefined

SourceLocation source_location Custom

srcPort source_port Predefined

usrName source_user Predefined

SourceUserDomain source_user_info.domain Custom

SourceUserName source_user_info.name Custom

SourceUserUUID source_user_info.uuid Custom

SourceUUID source_uuid Custom

SubType sub_type.value Custom

ApplicationTechnology technology_of_app Custom

ThreatCategory threat_category.value Custom

ThreatNameFirewall threat_name_firewall Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

ToZone to_zone Custom

Tunnel tunnel.value Custom

TunneledApplication tunneled_app Custom

IMSI tunnelid_imsi Custom

URLCategory url_category.value Custom

URL url_domain Custom

Users users Custom

Vendor vendor_name Header

VendorSeverity vendor_severity.value Custom

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom

X-Forwarded-ForIP xff_ip.value Custom

GlobalProtect
GlobalProtect logs identify network traffic between a GlobalProtect portal or gateway, and
GlobalProtect apps.
See the following for information related to supported log formats:
• GlobalProtect Syslog Default Field Order
• GlobalProtect CEF Fields
• GlobalProtect EMAIL Fields
• GlobalProtect HTTPS Fields
• GlobalProtect LEEF Fields

GLOBALPROTECT Field (Display Name) and Description

attempted_gateways (ATTEMPTED GATEWAYS)
String of all gateways that were available and attempted for the client location. Contains gateway name, SSL response time, and priority, separated by a semicolon.
Syslog field name: Syslog Field Order
CEF field name: PanOSAttemptedGateways
EMAIL field name: AttemptedGateways
HTTPS field name: AttemptedGateways
LEEF field name: AttemptedGateways

auth_method (AUTH METHOD)
Authentication method used for the GlobalProtect connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSAuthMethod
EMAIL field name: AuthMethod
HTTPS field name: AuthMethod
LEEF field name: AuthMethod

config_version.value (CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

connect_method (CONNECTION METHOD)
Identifies how the GlobalProtect app connected to the gateway, for example on-demand or user-logon.
Syslog field name: Syslog Field Order
CEF field name: PanOSConnectionMethod
EMAIL field name: ConnectionMethod
HTTPS field name: ConnectionMethod
LEEF field name: ConnectionMethod

connection_error.id (CONNECTION ERROR ID)
Enumeration integer assigned to the connection_error field value.
Syslog field name: Syslog Field Order
CEF field name: PanOSConnectionErrorID
EMAIL field name: ConnectionErrorID
HTTPS field name: ConnectionErrorID
LEEF field name: ConnectionErrorID

connection_error.value (CONNECTION ERROR)
Error information for an unsuccessful connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSConnectionError
EMAIL field name: ConnectionError
HTTPS field name: ConnectionError
LEEF field name: ConnectionError

count_of_repeats (REPEAT COUNT)
Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order
CEF field name: PanOSCountOfRepeats
EMAIL field name: All of the following: RepeatCount, CountOfRepeats
HTTPS field name: All of the following: RepeatCount, CountOfRepeats
LEEF field name: CountOfRepeats

customer_id (CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSTenantID
EMAIL field name: All of the following: CortexDataLakeTenantID, TenantID
HTTPS field name: All of the following: CortexDataLakeTenantID, TenantID
LEEF field name: TenantID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4

endpoint_device_name (ENDPOINT DEVICE NAME)
Name of the device that the user used for the connection.
Syslog field name: Syslog Field Order
CEF field name: shost
EMAIL field name: EndpointDeviceName
HTTPS field name: EndpointDeviceName
LEEF field name: EndpointDeviceName

endpoint_gp_version (GLOBALPROTECT CLIENT VERSION)
GlobalProtect client version number.
Syslog field name: Syslog Field Order
CEF field name: PanOSGlobalProtectClientVersion
EMAIL field name: GlobalProtectClientVersion
HTTPS field name: GlobalProtectClientVersion
LEEF field name: GlobalProtectClientVersion

endpoint_os_type (ENDPOINT OS TYPE)
OS type of the endpoint on which the GlobalProtect client is deployed.
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointOSType
EMAIL field name: EndpointOSType
HTTPS field name: EndpointOSType
LEEF field name: EndpointOSType

endpoint_os_version (ENDPOINT OS VERSION)
OS version of the endpoint on which the GlobalProtect client is deployed.
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointOSVersion
EMAIL field name: EndpointOSVersion
HTTPS field name: EndpointOSVersion
LEEF field name: EndpointOSVersion

endpoint_serial_number (ENDPOINT SN)
ID that uniquely identifies the endpoint on which the GlobalProtect client is deployed.
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointSN
EMAIL field name: EndpointSN
HTTPS field name: EndpointSN
LEEF field name: EndpointSN

event_id.value (EVENT ID VALUE)
The name of the event.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: EventIDValue
HTTPS field name: EventIDValue
LEEF field name: EventID

gateway (GATEWAY)
Selected gateway for the connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSGateway
EMAIL field name: Gateway
HTTPS field name: Gateway
LEEF field name: Gateway

gateway_priority.value (GATEWAY PRIORITY)
Priority of the gateway, retrieved from the portal configuration.
Syslog field name: Syslog Field Order
CEF field name: PanOSGatewayPriority
EMAIL field name: GatewayPriority
HTTPS field name: GatewayPriority
LEEF field name: GatewayPriority

gateway_selection_type (GATEWAY SELECTION TYPE)
Gateway selection method, that is, automatic, preferred, or manual.
Syslog field name: Syslog Field Order
CEF field name: PanOSGatewaySelectionType
EMAIL field name: GatewaySelectionType
HTTPS field name: GatewaySelectionType
LEEF field name: GatewaySelectionType

gpg_location (GLOBALPROTECT GATEWAY LOCATION)
Location of the GlobalProtect gateway.
Syslog field name: Syslog Field Order
CEF field name: PanOSGlobalProtectGatewayLocation
EMAIL field name: GlobalProtectGatewayLocation
HTTPS field name: GlobalProtectGatewayLocation
LEEF field name: GlobalProtectGatewayLocation

host_id (HOST ID)
Unique identifier GlobalProtect has assigned to the host.
Syslog field name: Syslog Field Order
CEF field name: PanOSHostID
EMAIL field name: HostID
HTTPS field name: HostID
LEEF field name: HostID

is_dup_log (IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premises log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog

is_exported (LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded

is_prisma_branch (IS PRISMA NETWORKS)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premises.
CEF field name: PanOSIsPrismaNetworks
EMAIL field name: IsPrismaNetworks
HTTPS field name: IsPrismaNetworks
LEEF field name: IsPrismaNetworks

is_prisma_mobile (IS PRISMA USERS)
Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premises.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers

log_source Identifies the origin of the data. That is, the system that
produced the data.
(LOG SOURCE)
CEF field name: sourceServiceName
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource

log_source_group_id ID that uniquely identifies the logSourceGroupId of the


log. That is, the log_source_id of the group.
(LOG SOURCE GROUP ID)
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID

log_source_id ID that uniquely identifies the source of the log. That is,
the serial number of the firewall that generated the log.

Cortex Data Lake Schema Reference January 2024 304 ©2024 Palo Alto Networks, Inc.
Network Logs

GLOBALPROTECT Field Description


(Display Name)
(DEVICE SN) If the log is generated by Prisma Access, the serial
number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
Name of the source of the log, that is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
Time zone offset from GMT of the source of the log.
CEF field name: PanOSLogSourceTimeZoneOffset
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived

log_type.value (LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat

login_duration (LOGIN DURATION)
Duration for which the connected user was logged on.
Syslog field name: Syslog Field Order
CEF field name: PanOSLoginDuration
EMAIL field name: LoginDuration
HTTPS field name: LoginDuration
LEEF field name: LoginDuration

opaque (DESCRIPTION)
Additional information regarding the event.
Syslog field name: Syslog Field Order
CEF field name: PanOSDescription
EMAIL field name: Description
HTTPS field name: Description
LEEF field name: Description

panorama_serial (PANORAMA SN)
Serial number of the Panorama associated with Cortex Data Lake.
CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN

platform_type (PLATFORM TYPE)
The platform type. Valid types are VM, PA, NGFW, and CNGFW.
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType

portal (PORTAL)
GlobalProtect portal or gateway that the user connected to.
Syslog field name: Syslog Field Order
CEF field name: PanOSPortal
EMAIL field name: Portal
HTTPS field name: Portal
LEEF field name: Portal

private_ip.value (PRIVATE IPV4)
Private IP address (v4) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: PanOSPrivateIPv4
EMAIL field name: PrivateIPv4
HTTPS field name: PrivateIPv4
LEEF field name: PrivateIPv4

private_ipv6.value (PRIVATE IPV6)
Private IP address (v6) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: PanOSPrivateIPv6
EMAIL field name: PrivateIPv6
HTTPS field name: PrivateIPv6
LEEF field name: PrivateIPv6

project_name (PROJECT NAME)
Reserved for future use.
CEF field name: ProjectName
EMAIL field name: ProjectName
HTTPS field name: ProjectName
LEEF field name: ProjectName

public_ip.value (PUBLIC IPV4)
Public IP address (v4) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: src
EMAIL field name: PublicIPv4
HTTPS field name: PublicIPv4
LEEF field name: PublicIPv4

public_ipv6.value (PUBLIC IPV6)
Public IP address (v6) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: c6a2
EMAIL field name: PublicIPv6
HTTPS field name: PublicIPv6
LEEF field name: PublicIPv6

quarantine_reason (QUARANTINE REASON)
Quarantine reason.
Syslog field name: Syslog Field Order
CEF field name: PanOSQuarantineReason
EMAIL field name: QuarantineReason
HTTPS field name: QuarantineReason
LEEF field name: QuarantineReason

sequence_no (SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: PanOSSequenceNo
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo

source_region (SOURCE REGION)
Region of the Gateway (or User) that connected.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceRegion
EMAIL field name: SourceRegion
HTTPS field name: SourceRegion
LEEF field name: SourceRegion

source_user (SOURCE USER NAME)
The username that connected.
Syslog field name: Syslog Field Order
CEF field name: All of the following: suser, duser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: usrName

source_user_info.domain (SOURCE USER DOMAIN)
Domain to which the Source User belongs.
CEF fields: All of the following: sntdom, dntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain

source_user_info.name (SOURCE USER INFO)
The Source User, that is, the username that initiated the network traffic.
CEF fields: All of the following: suser, duser, susername, dusername
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName

source_user_info.uuid (SOURCE USER UUID)
Unique identifier assigned to the Source User.
CEF fields: All of the following: suid, duid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID

ssl_response_time (SSL RESPONSE TIME)
SSL response time in milliseconds.
Syslog field name: Syslog Field Order
CEF field name: PanOSSSLResponseTime
EMAIL field name: SSLResponseTime
HTTPS field name: SSLResponseTime
LEEF field name: SSLResponseTime

stage (STAGE)
Name of the stage in the GlobalProtect connection workflow.
Syslog field name: Syslog Field Order
CEF field name: PanOSStage
EMAIL field name: Stage
HTTPS field name: Stage
LEEF field name: Stage

status.value (EVENT STATUS)
The status (success or failure) of the event.
Syslog field name: Syslog Field Order
CEF field name: outcome
EMAIL field name: EventStatus
HTTPS field name: EventStatus
LEEF field name: EventStatus

sub_type.value (SUB TYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: PanOSLogSubtype
EMAIL field name: All of the following: Subtype, LogSubtype
HTTPS field name: All of the following: Subtype, LogSubtype
LEEF field name: SubType

time_generated (TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res (TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

tunnel (TUNNEL TYPE)
Tunnel type, that is, SSL or VPN.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelType
EMAIL field name: TunnelType
HTTPS field name: TunnelType
LEEF field name: TunnelType

vendor_name (VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

vsys (VIRTUAL SYSTEM)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystem
EMAIL field name: VirtualSystem
HTTPS field name: VirtualSystem
LEEF field name: VirtualSystem

vsys_id (VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name (VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

GlobalProtect Syslog Default Field Order


Example GlobalProtect log in Syslog:

Oct 13 01:22:41 gke-standard-cluster-2-pool-1-6ea9f13a-
g2z7 848 <142>1 2020-10-13T01:22:40.959Z stream-
logfwd20-156653024-10121421-eq28-harness-16kn logforwarder
- panwlogs - 1,2020-10-13T01:22:32.000000Z,007051000113358,
GLOBALPROTECT,globalprotect,10.0,2020-10-13T01:22:06.000000Z,
vsys1,gateway-switch-to-ssl,before-login,SAML,ipsec,xxxxx\xxxxx
xxxxx,FI,machine_name3,xxx.xx.x.xx,::c307:39c8:ffff:0,xxx.xx.x.xx,
::f32b:d251:ffff:0,67:11:5a:e2:d2:32,serialno_list-1,66567,Intel
Mac OS,9.3.5,16777216,Admin,,opaque_list-0,success,San Francisco,
1,connect_method_list-2,0,portal_list-2,557533,-9223372036854775808,
2020-10-13T01:22:07.388000Z,select_type-0,50055,medium,"gateway-5,
925,1;gateway-4,196,2;gateway-5,583,1;gateway-4,996,5;gateway-1,
442,2;gateway-6,121,4;gateway-0,16,1;gateway-6,173,0;gateway-2,
753,0;gateway-6,651,0;gateway-3,602,3;gateway-1,55,0;gateway-1,384,
2;gateway-4,871,3;gateway-3,546,5;",

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, vsys, event_id.value, stage, auth_method, tunnel, source_user, source_region,
endpoint_device_name, public_ip.value, public_ipv6.value, private_ip.value, private_ipv6.value,
host_id, endpoint_serial_number, endpoint_gp_version, endpoint_os_type, endpoint_os_version,
count_of_repeats, quarantine_reason, connection_error.value, opaque, status.value, gpg_location,
login_duration, connect_method, connection_error.id, portal, sequence_no, action_flags,
time_generated_high_res, gateway_selection_type, ssl_response_time, gateway_priority.value,
attempted_gateways, gateway, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4,
vsys_name, log_source_name, vsys_id
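The default field order above is positional: whoever consumes the syslog feed has to pair each comma-separated value with its query name, and the attempted_gateways value is quoted because it contains commas. The following Python parser is an added example, not code from the Cortex Data Lake documentation or from the Log Forwarding app. The query names in DEFAULT_FIELD_ORDER are copied from the field order above; the sample line, its host name, serial number, user name, addresses and gateway names are constructed placeholders. The parser maps a forwarded line onto the default column order, rejects a record whose column count does not match the order it was given (a filter created after the migration may forward a different set of columns), and surfaces the two conditions a defender usually wants to see first: a failed connection and a quarantined endpoint.

```python
import csv

# Default column order for GlobalProtect syslog lines, copied from the field order
# listed above. Filters created after the migration can forward a different column
# set, so the parser takes the order as a parameter instead of hard-wiring it.
DEFAULT_FIELD_ORDER = [
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "time_generated", "vsys", "event_id.value", "stage",
    "auth_method", "tunnel", "source_user", "source_region", "endpoint_device_name",
    "public_ip.value", "public_ipv6.value", "private_ip.value", "private_ipv6.value",
    "host_id", "endpoint_serial_number", "endpoint_gp_version", "endpoint_os_type",
    "endpoint_os_version", "count_of_repeats", "quarantine_reason",
    "connection_error.value", "opaque", "status.value", "gpg_location",
    "login_duration", "connect_method", "connection_error.id", "portal",
    "sequence_no", "action_flags", "time_generated_high_res",
    "gateway_selection_type", "ssl_response_time", "gateway_priority.value",
    "attempted_gateways", "gateway", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "log_source_name", "vsys_id",
]

# Constructed sample line (not from the original document): an RFC 5424 header as the
# Log Forwarding app emits it, then the comma-separated GlobalProtect record. The user
# name carries a backslash and attempted_gateways is quoted because it contains commas.
SAMPLE_LINE = (
    "<142>1 2024-01-15T10:02:40.959Z stream-logfwd-example logforwarder - panwlogs - "
    "1,2024-01-15T10:02:32.000000Z,001234567890123,GLOBALPROTECT,globalprotect,10.2,"
    "2024-01-15T10:02:06.000000Z,vsys1,gateway-auth,login,SAML,ipsec,corp\\alice,US,"
    "LAPTOP-01,203.0.113.10,,10.20.0.5,,aa:bb:cc:dd:ee:ff,SN-EXAMPLE-1,6.2.1,Windows,"
    "10.0.19045,1,Malicious Traffic,Client cert not present,opaque-example,failure,"
    "San Francisco,0,manual,0,portal.example.test,557533,0,"
    "2024-01-15T10:02:07.388000Z,manual,50055,medium,"
    '"gw-east,42,1;gw-west,77,2",,20,0,0,0,,fw-lab-01,1'
)


def parse_gp_syslog(line, field_order=DEFAULT_FIELD_ORDER):
    """Map one forwarded GlobalProtect syslog line onto query-name keys.

    The RFC 5424 header is <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
    STRUCTURED-DATA; the Log Forwarding app sets MSGID to "panwlogs", and the rest
    of the line is the CSV record.
    """
    parts = line.split(" ", 7)
    if len(parts) != 8 or parts[5] != "panwlogs":
        raise ValueError("not a Log Forwarding syslog line")
    # csv handles the quoted attempted_gateways value, which contains commas.
    row = next(csv.reader([parts[7]]))
    if len(row) != len(field_order):
        raise ValueError(
            f"expected {len(field_order)} columns, got {len(row)}; "
            "check the filter's column order"
        )
    return dict(zip(field_order, row))


def triage(fields):
    """Return the conditions worth surfacing from one record, in a fixed order."""
    findings = []
    if fields.get("status.value") == "failure":
        findings.append(
            "connection failed: " + (fields.get("connection_error.value") or "no error text")
        )
    if fields.get("quarantine_reason"):
        findings.append("endpoint quarantined: " + fields["quarantine_reason"])
    return findings


if __name__ == "__main__":
    record = parse_gp_syslog(SAMPLE_LINE)
    print(record["source_user"], record["stage"], record["public_ip.value"])
    for finding in triage(record):
        print("-", finding)
```

The column-count check is the part worth keeping in production: a filter whose column list differs from DEFAULT_FIELD_ORDER silently shifts every value one or more positions, so a quarantine reason can land under status.value and never be flagged. Pass the filter's own column list as field_order rather than relaxing the check.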

GlobalProtect CEF Fields


Example GlobalProtect log in CEF:

Mar 1 20:35:56 xxx.xx.x.xx 1544 <14>1 2021-03-01T20:35:56.565Z
stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder
- panwlogs - CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|
globalprotect|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021
20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=
start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1
PanOSEventIDValue=satellite-gateway-update-route
PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec
PanOSSourceUserName=xxxxx\\\\xxxxx PanOSSourceRegion=ET
PanOSEndpointDeviceName=machine_name2 PanOSPublicIPv4=xxx.xx.x.xx
PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
PanOSPrivateIPv4=xxx.xx.x.xx
PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b
PanOSEndpointSN=serialno_list-1
PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel
Mac OS PanOSEndpointOSVersion=9.3.5 PanOSCountOfRepeats=16777216
PanOSQuarantineReason=Malicious Traffic
PanOSConnectionError=Client cert not present
PanOSDescription=opaque_list-1 PanOSEventStatus=failure
PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1
PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0
PanOSPortal=portal_list-2 PanOSSequenceNo=34401910
PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12
PanOSGatewaySelectionType= PanOSSSLResponseTime=
PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway=
PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0
PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0
PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1

The following table identifies the GlobalProtect field names that the Log Forwarding app uses
when you forward logs using the CEF log format.

CEF Name    Field Details

PanOSAttemptedGateways    Query Name: attempted_gateways    Header Type: Custom
PanOSAuthMethod    Query Name: auth_method    Header Type: Custom
PanOSConfigVersion    Query Name: config_version.value    Header Type: Custom
PanOSConnectionMethod    Query Name: connect_method    Header Type: Custom
PanOSConnectionErrorID    Query Name: connection_error.id    Header Type: Custom
PanOSConnectionError    Query Name: connection_error.value    Header Type: Custom
PanOSCountOfRepeats    Query Name: count_of_repeats    Header Type: Custom
PanOSTenantID    Query Name: customer_id    Header Type: Custom
PanOSDGHierarchyLevel1    Query Name: dg_hier_level_1    Header Type: Custom
PanOSDGHierarchyLevel2    Query Name: dg_hier_level_2    Header Type: Custom
PanOSDGHierarchyLevel3    Query Name: dg_hier_level_3    Header Type: Custom
PanOSDGHierarchyLevel4    Query Name: dg_hier_level_4    Header Type: Custom
shost    Query Name: endpoint_device_name    Header Type: Predefined
PanOSGlobalProtectClientVersion    Query Name: endpoint_gp_version    Header Type: Custom
PanOSEndpointOSType    Query Name: endpoint_os_type    Header Type: Custom
PanOSEndpointOSVersion    Query Name: endpoint_os_version    Header Type: Custom
PanOSEndpointSN    Query Name: endpoint_serial_number    Header Type: Custom
Name    Query Name: event_id.value    Header Type: Custom
PanOSGateway    Query Name: gateway    Header Type: Custom
PanOSGatewayPriority    Query Name: gateway_priority.value    Header Type: Custom
PanOSGatewaySelectionType    Query Name: gateway_selection_type    Header Type: Custom
PanOSGlobalProtectGatewayLocation    Query Name: gpg_location    Header Type: Custom
PanOSHostID    Query Name: host_id    Header Type: Custom
PanOSIsDuplicateLog    Query Name: is_dup_log    Header Type: Custom
PanOSLogExported    Query Name: is_exported    Header Type: Custom
PanOSLogForwarded    Query Name: is_forwarded    Header Type: Custom
PanOSIsPrismaNetworks    Query Name: is_prisma_branch    Header Type: Custom
PanOSIsPrismaUsers    Query Name: is_prisma_mobile    Header Type: Custom
sourceServiceName    Query Name: log_source    Header Type: Predefined
LogSourceGroupID    Query Name: log_source_group_id    Header Type: Custom
deviceExternalID    Query Name: log_source_id    Header Type: Predefined
dvchost    Query Name: log_source_name    Header Type: Predefined
PanOSLogSourceTimeZoneOffset    Query Name: log_source_tz_offset    Header Type: Custom
rt    Query Name: log_time    Header Type: Predefined
Device Event Class ID    Query Name: log_type.value    Header Type: Custom
PanOSLoginDuration    Query Name: login_duration    Header Type: Custom
PanOSDescription    Query Name: opaque    Header Type: Custom
PanOSPanoramaSN    Query Name: panorama_serial    Header Type: Custom
PlatformType    Query Name: platform_type    Header Type: Custom
PanOSPortal    Query Name: portal    Header Type: Custom
PanOSPrivateIPv4    Query Name: private_ip.value    Header Type: Custom
PanOSPrivateIPv6    Query Name: private_ipv6.value    Header Type: Custom
ProjectName    Query Name: project_name    Header Type: Custom
src    Query Name: public_ip.value    Header Type: Predefined
c6a2    Query Name: public_ipv6.value    Header Type: Predefined
PanOSQuarantineReason    Query Name: quarantine_reason    Header Type: Custom
PanOSSequenceNo    Query Name: sequence_no    Header Type: Custom
PanOSSourceRegion    Query Name: source_region    Header Type: Custom
suser    Query Name: source_user    Header Type: Predefined
sntdom and dntdom    Query Name: source_user_info.domain    Header Type: Predefined
susername, dusername, suser, duser    Query Name: source_user_info.name    Header Type: Predefined
suid and duid    Query Name: source_user_info.uuid    Header Type: Predefined
PanOSSSLResponseTime    Query Name: ssl_response_time    Header Type: Custom
PanOSStage    Query Name: stage    Header Type: Custom
outcome    Query Name: status.value    Header Type: Predefined
PanOSLogSubtype    Query Name: sub_type.value    Header Type: Custom
start    Query Name: time_generated    Header Type: Predefined
PanOSTimeGeneratedHighResolution    Query Name: time_generated_high_res    Header Type: Custom
PanOSTunnelType    Query Name: tunnel    Header Type: Custom
Device Vendor    Query Name: vendor_name    Header Type: Custom
PanOSVirtualSystem    Query Name: vsys    Header Type: Custom
PanOSVirtualSystemID    Query Name: vsys_id    Header Type: Custom
cs3    Query Name: vsys_name    Header Type: Predefined

GlobalProtect EMAIL Fields


Example GlobalProtect log in EMAIL:

TimeReceived=2021-02-23T02:44:27.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=GLOBALPROTECT
LogSubtype=globalprotect
ConfigVersion=
SourceUserUUID=
TenantID=xxxxxxxxxxxxx
VendorName=Palo Alto Networks
VirtualSystemName=
SourceUserName=xxxxx
SourceUserDomain=paloaltonetwork
LogSourceTimeZoneOffset=
Gateway=
DGHierarchyLevel1=20
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
DeviceName=PA-VM
EventID=309
IsDuplicateLog=false
IsPrismaNetworks=false
IsPrismaUsers=false
LogExported=false
LogSource=firewall
VirtualSystemID=1
TimeGenerated=2021-02-23T02:44:27.000000Z
VirtualSystem=vsys1
EventIDValue=satellite-gateway-update-route
Stage=connected
AuthMethod=RADIUS
TunnelType=ipsec
SourceUserName0="paloaltonetwork\\xxxxx"
SourceRegion=ET
EndpointDeviceName=machine_name2
PublicIPv4=xxx.xx.x.xx
PublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
PrivateIPv4=xxx.xx.x.xx
PrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
HostID=e667947f-d92e-4815-9222-89438203bc2b
EndpointSN=serialno_list-1
GlobalProtectClientVersion=3.0.9
EndpointOSType=Intel Mac OS
EndpointOSVersion=9.3.5
CountOfRepeats=16777216
QuarantineReason=Malicious Traffic
ConnectionError=Client cert not present
Description=opaque_list-1
EventStatus=failure
GlobalProtectGatewayLocation=San Francisco
LoginDuration=1
ConnectionMethod=connect_method_list-1
Portal=portal_list-2
SequenceNo=34401910
TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z
GatewaySelectionType=
SSLResponseTime=
GatewayPriority=
AttemptedGateways=

The following table identifies the GlobalProtect field names that the Log Forwarding app uses
when you forward logs using the EMAIL log format.

EMAIL Name Query Name

AttemptedGateways attempted_gateways

AuthMethod auth_method

ConfigVersion config_version.value

ConnectionMethod connect_method

ConnectionErrorID connection_error.id

ConnectionError connection_error.value

RepeatCount, CountOfRepeats count_of_repeats

CortexDataLakeTenantID, TenantID customer_id

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

EndpointDeviceName endpoint_device_name

GlobalProtectClientVersion endpoint_gp_version

EndpointOSType endpoint_os_type

EndpointOSVersion endpoint_os_version

EndpointSN endpoint_serial_number

EventIDValue event_id.value

Gateway gateway

GatewayPriority gateway_priority.value

GatewaySelectionType gateway_selection_type

GlobalProtectGatewayLocation gpg_location

HostID host_id

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetworks is_prisma_branch

IsPrismaUsers is_prisma_mobile

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

LoginDuration login_duration

Description opaque

PanoramaSN panorama_serial

PlatformType platform_type

Portal portal

PrivateIPv4 private_ip.value

PrivateIPv6 private_ipv6.value

ProjectName project_name

PublicIPv4 public_ip.value

PublicIPv6 public_ipv6.value

QuarantineReason quarantine_reason

SequenceNo sequence_no

SourceRegion source_region

SourceUserName source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SSLResponseTime ssl_response_time

Stage stage

EventStatus status.value

Subtype, LogSubtype sub_type.value

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

TunnelType tunnel

VendorName vendor_name

VirtualSystem vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

GlobalProtect HTTPS Fields


The following table identifies the GlobalProtect field names that the Log Forwarding app uses
when you forward logs using the HTTPS log format.

HTTPS Name Query Name

AttemptedGateways attempted_gateways

AuthMethod auth_method

ConfigVersion config_version.value

ConnectionMethod connect_method

ConnectionErrorID connection_error.id

ConnectionError connection_error.value

RepeatCount, CountOfRepeats count_of_repeats

CortexDataLakeTenantID, TenantID customer_id

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

EndpointDeviceName endpoint_device_name

GlobalProtectClientVersion endpoint_gp_version

EndpointOSType endpoint_os_type

EndpointOSVersion endpoint_os_version

EndpointSN endpoint_serial_number

EventIDValue event_id.value

Gateway gateway

GatewayPriority gateway_priority.value

GatewaySelectionType gateway_selection_type

GlobalProtectGatewayLocation gpg_location

HostID host_id

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetworks is_prisma_branch

IsPrismaUsers is_prisma_mobile

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

LoginDuration login_duration

Description opaque

PanoramaSN panorama_serial

PlatformType platform_type

Portal portal

PrivateIPv4 private_ip.value

PrivateIPv6 private_ipv6.value

ProjectName project_name

PublicIPv4 public_ip.value

PublicIPv6 public_ipv6.value

QuarantineReason quarantine_reason

SequenceNo sequence_no

SourceRegion source_region

SourceUserName source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SSLResponseTime ssl_response_time

Stage stage

EventStatus status.value

Subtype, LogSubtype sub_type.value

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

TunnelType tunnel

VendorName vendor_name

VirtualSystem vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

GlobalProtect LEEF Fields


Example GlobalProtect log in LEEF:

Sep 24 20:13:48 gke-standard-cluster-2-default-pool-2c7fa720-


n8p0 1365 <14>1 2021-09-24T20:13:48.624Z stream-
logfwd20-93a53631--09241148-wcvh-harness-dm5m logforwarder -
panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|
10.0|portal-prelogin| |ProfileToken=xxxxx TimeReceived=2021-09-24
20:13:46.277651 DeviceSN=xxxxxxxxxxxxx cat=globalprotect
SubType=globalprotect ConfigVersion=10.0 devTime=2021-09-24
20:13:46.277654 VirtualSystem=vsys1 Stage=connected
AuthMethod=LDAP TunnelType=sslvpn usrName=paloaltonetwork
\xxxxx SourceRegion=US EndpointDeviceName=machine_name1
PublicIPv4=xxx.xx.x.xx PublicIPv6=xxx.xx.x.xx
PrivateIPv4=xxx.xx.x.xx PrivateIPv6=xxx.xx.x.xx HostID=
EndpointSN=serialno_list-2 GlobalProtectClientVersion=2.4.7
EndpointOSType=Ubuntu EndpointOSVersion=16.04.5
LTS CountOfRepeats=16777216 QuarantineReason=Admin
ConnectionError=Device is quarantined Description=opaque_list-0
EventStatus=success GlobalProtectGatewayLocation=Palo Alto
LoginDuration=0 ConnectionMethod=connect_method_list-1
ConnectionErrorID=0 Portal=portal_list-2 SequenceNo=117
TimeGeneratedHighResolution=2021-09-24 20:13:46.277649
GatewaySelectionType=select_type-0 SSLResponseTime=59393
GatewayPriority=highest AttemptedGateways=gateway-0,352,5 Gateway=
DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0
DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx
VirtualSystemID=1 devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the GlobalProtect field names that the Log Forwarding app uses
when you forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears in a
parameter called profileToken.
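Both the CEF example (in the GlobalProtect CEF Fields section above) and the LEEF example here carry the same facts under different key names, and both put the record behind a pipe-delimited header: seven fields for CEF, five fields plus a self-declared extension delimiter for LEEF 2.0. Values such as "Intel Mac OS" and "Client cert not present" contain spaces, so the extension cannot simply be split on whitespace. The following Python parser is an added example, not code from the Cortex Data Lake documentation or from the Log Forwarding app. The sample records, their serial numbers, user names, addresses and OS strings are constructed placeholders; the key-to-query-name mapping in QUERY_NAMES is a subset copied from the CEF and LEEF tables on this page. It reads a value as everything from its "=" up to the next "key=" token at a whitespace boundary, honours the LEEF 2.0 delimiter field (including the hex-coded form such as x09 for a tab), strips one level of backslash escaping, and renames known keys to the query names so one detection rule can run over either feed.

```python
import re

PIPE_RE = re.compile(r"(?<!\\)\|")                      # an unescaped pipe ends a header field
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")  # "key=" at a whitespace boundary

# Constructed sample records (not from the original document); every value is a
# placeholder. The CEF extension is space-separated and some values contain spaces.
# A LEEF 2.0 header names its own delimiter: a space in the first sample (as in the
# page's example) and the hex-coded tab x09 in the second.
SAMPLE_CEF = (
    r"CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|"
    r"rt=Jan 15 2024 10:02:54 PanOSDeviceSN=001234567890123 PanOSEventIDValue=gateway-auth "
    r"PanOSStage=login PanOSAuthMethod=SAML PanOSTunnelType=ipsec suser=corp\\alice "
    r"PanOSEndpointOSType=Windows 10 Pro PanOSQuarantineReason=Malicious Traffic "
    r"PanOSConnectionError=Client cert not present src=203.0.113.10 outcome=failure"
)
SAMPLE_LEEF = (
    r"LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.0|portal-prelogin| |"
    r"cat=globalprotect SubType=globalprotect Stage=connected AuthMethod=LDAP "
    r"TunnelType=sslvpn usrName=corp\\bob EndpointOSType=Ubuntu 22.04 LTS "
    r"QuarantineReason= EventStatus=success SSLResponseTime=59393"
)
SAMPLE_LEEF_TAB = (
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.0|portal-prelogin|x09|"
    "cat=globalprotect\tusrName=corp\\\\carol\tEndpointOSType=Intel Mac OS\tEventStatus=success"
)

# Subset of the CEF Name / LEEF Name to Query Name tables on this page, enough to read
# the same facts from either format under one set of names.
QUERY_NAMES = {
    "CEF": {"PanOSStage": "stage", "PanOSAuthMethod": "auth_method",
            "PanOSTunnelType": "tunnel", "suser": "source_user", "src": "public_ip.value",
            "PanOSQuarantineReason": "quarantine_reason", "outcome": "status.value",
            "PanOSConnectionError": "connection_error.value",
            "PanOSEndpointOSType": "endpoint_os_type"},
    "LEEF": {"Stage": "stage", "AuthMethod": "auth_method", "TunnelType": "tunnel",
             "usrName": "source_user", "PublicIPv4": "public_ip.value",
             "QuarantineReason": "quarantine_reason", "EventStatus": "status.value",
             "ConnectionError": "connection_error.value",
             "EndpointOSType": "endpoint_os_type"},
}


def _unescape(value):
    # CEF and LEEF escape "=", "|" and "\" inside values with a backslash; drop one level.
    return re.sub(r"\\(.)", r"\1", value)


def _split_extension(ext, delim):
    pairs = {}
    if delim and delim != " ":
        # Explicit non-space delimiter (LEEF tab or hex-coded character): split on it and
        # take everything after the first "=" as the value.
        for chunk in ext.split(delim):
            key, sep, value = chunk.partition("=")
            if sep:
                pairs[key.strip()] = _unescape(value)
        return pairs
    # Space-separated extension (CEF, or LEEF declaring a space): values may contain
    # spaces, so a value runs from its "=" up to the start of the next "key=" token.
    hits = list(KEY_RE.finditer(ext))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        pairs[hit.group(1)] = _unescape(ext[hit.end():end].strip())
    return pairs


def parse_event(line):
    """Return (format, header dict, extension dict) for a CEF or LEEF 2.0 record,
    skipping any syslog prefix that precedes the CEF:/LEEF: marker."""
    marker = re.search(r"(?:^|\s)((?:CEF|LEEF):[0-9.]+\|)", line)
    if not marker:
        raise ValueError("no CEF or LEEF record found")
    body = line[marker.start(1):]
    if body.startswith("CEF:"):
        parts = PIPE_RE.split(body, maxsplit=7)
        if len(parts) != 8:
            raise ValueError("malformed CEF header")
        names = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")
        return "CEF", dict(zip(names, parts[:7])), _split_extension(parts[7], None)
    if body.startswith("LEEF:2.0"):
        parts = PIPE_RE.split(body, maxsplit=6)
        if len(parts) != 7:
            raise ValueError("malformed LEEF 2.0 header")
        delim = parts[5]
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):  # hex-coded delimiter, e.g. x09 = tab
            delim = chr(int(delim[1:], 16))
        names = ("version", "vendor", "product", "product_version", "event_id")
        # An empty delimiter field is treated as a tab here (assumption, not from the page).
        return "LEEF", dict(zip(names, parts[:5])), _split_extension(parts[6], delim or "\t")
    raise ValueError("unsupported record format: " + body.split("|", 1)[0])


def normalize(fmt, ext):
    """Rename known extension keys to their query names; unknown keys pass through."""
    table = QUERY_NAMES[fmt]
    return {table.get(key, key): value for key, value in ext.items()}


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_LEEF, SAMPLE_LEEF_TAB):
        fmt, header, ext = parse_event(sample)
        fields = normalize(fmt, ext)
        print(fmt, header.get("signature_id", header.get("event_id")),
              fields["source_user"], fields["status.value"], fields.get("quarantine_reason"))
```

Note that the page's own CEF example carries the status under PanOSEventStatus while the CEF table maps status.value to outcome; a consumer built from the table alone would miss the former, so check which key your forwarding profile actually emits before relying on the normalized status.value.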

LEEF Name Query Name Field Type

AttemptedGateways attempted_gateways Custom

AuthMethod auth_method Custom

ConfigVersion config_version.value Custom

ConnectionMethod connect_method Custom

ConnectionErrorID connection_error.id Custom

ConnectionError connection_error.value Custom

CountOfRepeats count_of_repeats Custom

TenantID customer_id Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

EndpointDeviceName endpoint_device_name Custom

GlobalProtectClientVersion endpoint_gp_version Custom

EndpointOSType endpoint_os_type Custom

EndpointOSVersion endpoint_os_version Custom

EndpointSN endpoint_serial_number Custom

EventID event_id.value Header

Gateway gateway Custom

GatewayPriority gateway_priority.value Custom

GatewaySelectionType gateway_selection_type Custom

GlobalProtectGatewayLocation gpg_location Custom

HostID host_id Custom

IsDuplicateLog is_dup_log Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsPrismaNetworks is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

LoginDuration login_duration Custom

Description opaque Custom

PanoramaSN panorama_serial Custom

PlatformType platform_type Custom

Portal portal Custom

PrivateIPv4 private_ip.value Custom

PrivateIPv6 private_ipv6.value Custom

ProjectName project_name Custom

PublicIPv4 public_ip.value Custom

PublicIPv6 public_ipv6.value Custom

QuarantineReason quarantine_reason Custom

SequenceNo sequence_no Custom

SourceRegion source_region Custom

usrName source_user Predefined

SourceUserDomain source_user_info.domain Custom

SourceUserName source_user_info.name Custom

SourceUserUUID source_user_info.uuid Custom

SSLResponseTime ssl_response_time Custom

Stage stage Custom

EventStatus status.value Custom

SubType sub_type.value Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

TunnelType tunnel Custom

Vendor vendor_name Header

VirtualSystem vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom

HIP Match
HIP Match logs are generated by the Palo Alto Networks GlobalProtect Host Information Profile
(HIP) matching feature. They capture information about the security posture of the endpoints
accessing a network (such as whether they have disk encryption enabled).
HIP Match logs are generated whenever an endpoint connects to the GlobalProtect portal on the
next-generation firewall. These logs contain only the information used to match the firewall's
HIP-based security rules.
See the following for information related to supported log formats:
• HIP Match Syslog Default Field Order
• HIP Match CEF Fields
• HIP Match EMAIL Fields
• HIP Match HTTPS Fields
• HIP Match LEEF Fields

HIP MATCH Field (Display Name)
    Description, followed by the field name used in each log format

config_version.value (CONFIG VERSION)
    Version number of the firewall operating system that wrote this log record.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSConfigVersion
    EMAIL field name: ConfigVersion
    HTTPS field name: ConfigVersion
    LEEF field name: ConfigVersion

count_of_repeats (REPEAT COUNT)
    Number of times the HIP profile matched.
    Syslog field name: Syslog Field Order
    CEF field name: cnt
    EMAIL field name: All of the following: RepeatCount, CountOfRepeats
    HTTPS field name: All of the following: RepeatCount, CountOfRepeats
    LEEF field name: CountOfRepeats

customer_id (CORTEX DATA LAKE TENANT ID)
    The ID that uniquely identifies the Cortex Data Lake instance that received this log record.
    CEF field name: PanOSTenantID
    EMAIL field name: All of the following: CortexDataLakeTenantID, TenantID
    HTTPS field name: All of the following: CortexDataLakeTenantID, TenantID
    LEEF field name: TenantID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel1
    EMAIL field name: DGHierarchyLevel1
    HTTPS field name: DGHierarchyLevel1
    LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel2
    EMAIL field name: DGHierarchyLevel2
    HTTPS field name: DGHierarchyLevel2
    LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel3
    EMAIL field name: DGHierarchyLevel3
    HTTPS field name: DGHierarchyLevel3
    LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel4
    EMAIL field name: DGHierarchyLevel4
    HTTPS field name: DGHierarchyLevel4
    LEEF field name: DGHierarchyLevel4

endpoint_device_name (ENDPOINT DEVICE NAME)
    Name of the user’s machine.
    Syslog field name: Syslog Field Order
    CEF fields: All of the following: shost, dhost
    EMAIL field name: EndpointDeviceName
    HTTPS field name: EndpointDeviceName
    LEEF field name: identHostName

endpoint_os_type (ENDPOINT OS TYPE)
    The operating system installed on the user’s machine or device (or on the client system).
    Syslog field name: Syslog Field Order
    CEF field name: cs2
    EMAIL field name: EndpointOSType
    HTTPS field name: EndpointOSType
    LEEF field name: EndpointOSType

endpoint_serial_number (ENDPOINT SERIAL NUMBER)
    Serial number of the host on which GlobalProtect is installed.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSEndpointSerialNumber
    EMAIL field name: EndpointSerialNumber
    HTTPS field name: EndpointSerialNumber
    LEEF field name: EndpointSerialNumber

hip_match_name (HIP MATCH NAME)
    Name of the HIP object or profile.
    Syslog field name: Syslog Field Order
    CEF field name: cat
    EMAIL field name: HipMatchName
    HTTPS field name: HipMatchName
    LEEF field name: EventID

hip_match_type.value (HIP MATCH TYPE)
    Identifies whether the hip field represents a HIP object or a HIP profile.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSHipMatchType
    EMAIL field name: HipMatchType
    HTTPS field name: HipMatchType
    LEEF field name: EventID

host_id (HOST ID)
    Unique identifier GlobalProtect has assigned to the host.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSHostID
    EMAIL field name: HostID
    HTTPS field name: HostID
    LEEF field name: HostID

is_dup_log (IS DUPLICATE LOG)
    Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
    CEF field name: PanOSIsDuplicateLog
    EMAIL field name: IsDuplicateLog
    HTTPS field name: IsDuplicateLog
    LEEF field name: IsDuplicateLog

is_exported (LOG EXPORTED)
    Indicates if this log was exported from the firewall using the firewall's log export function.
    CEF field name: PanOSLogExported
    EMAIL field name: LogExported
    HTTPS field name: LogExported
    LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
    Internal-use field that indicates if the log is being forwarded.
    CEF field name: PanOSLogForwarded
    EMAIL field name: LogForwarded
    HTTPS field name: LogForwarded
    LEEF field name: LogForwarded

is_prisma_branch (IS PRISMA NETWORKS)
    Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
    CEF field name: PanOSIsPrismaNetworks
    EMAIL field name: IsPrismaNetworks
    HTTPS field name: IsPrismaNetworks
    LEEF field name: IsPrismaNetworks

is_prisma_mobile (IS PRISMA USERS)
    Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
    CEF field name: PanOSIsPrismaUsers
    EMAIL field name: IsPrismaUsers
    HTTPS field name: IsPrismaUsers
    LEEF field name: IsPrismaUsers

log_source (LOG SOURCE)
    Identifies the origin of the data. That is, the system that produced the data.
    CEF field name: PanOSLogSource
    EMAIL field name: LogSource
    HTTPS field name: LogSource
    LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
    ID that uniquely identifies the log source group to which the log belongs. That is, the log_source_id of the group.
    CEF field name: LogSourceGroupID
    EMAIL field name: LogSourceGroupID
    HTTPS field name: LogSourceGroupID
    LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
    ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
    Syslog field name: Syslog Field Order
    CEF field name: deviceExternalId
    EMAIL field name: DeviceSN
    HTTPS field name: DeviceSN
    LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
    Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: dvchost
    EMAIL field name: DeviceName
    HTTPS field name: DeviceName
    LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
    Time zone offset from GMT of the source of the log.
    CEF field name: PanOSLogSourceTimeZoneOffset
    EMAIL field name: LogSourceTimeZoneOffset
    HTTPS field name: LogSourceTimeZoneOffset
    LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
    Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: rt
    EMAIL field name: TimeReceived
    HTTPS field name: TimeReceived
    LEEF field name: TimeReceived

log_type.value (LOG TYPE)
    Identifies the log type.
    Syslog field name: Syslog Field Order
    CEF field name: Device Event Class ID
    EMAIL field name: LogType
    HTTPS field name: LogType
    LEEF field name: cat

panorama_serial (PANORAMA SN)
    Serial number of the Panorama associated with Cortex Data Lake.
    CEF field name: PanOSPanoramaSN
    EMAIL field name: PanoramaSN
    HTTPS field name: PanoramaSN
    LEEF field name: PanoramaSN

platform_type (PLATFORM TYPE)
    The platform type (valid types are VM, PA, NGFW, CNGFW).
    CEF field name: PlatformType
    EMAIL field name: PlatformType
    HTTPS field name: PlatformType
    LEEF field name: PlatformType

sequence_no (SEQUENCE NO)
    The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
    Syslog field name: Syslog Field Order
    CEF field name: externalId
    EMAIL field name: SequenceNo
    HTTPS field name: SequenceNo
    LEEF field name: SequenceNo

source (SOURCE)
    Source.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSource
    EMAIL field name: Source
    HTTPS field name: Source
    LEEF field name: Source

source_device_category (SOURCE DEVICE CATEGORY)
    Category of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceCategory
    EMAIL field name: SourceDeviceCategory
    HTTPS field name: SourceDeviceCategory
    LEEF field name: SourceDeviceCategory

source_device_class (SOURCE DEVICE CLASS)
    Source device class.
    CEF field name: PanOSSourceDeviceClass
    EMAIL field name: SourceDeviceClass
    HTTPS field name: SourceDeviceClass
    LEEF field name: SourceDeviceClass

source_device_host (SOURCE DEVICE HOST)
    Hostname of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceHost
    EMAIL field name: SourceDeviceHost
    HTTPS field name: SourceDeviceHost
    LEEF field name: SourceDeviceHost

source_device_mac (SOURCE DEVICE MAC)
    MAC address of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceMac
    EMAIL field name: SourceDeviceMac
    HTTPS field name: SourceDeviceMac
    LEEF field name: SourceDeviceMac

source_device_model (SOURCE DEVICE MODEL)
    Model of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceModel
    EMAIL field name: SourceDeviceModel
    HTTPS field name: SourceDeviceModel
    LEEF field name: SourceDeviceModel

source_device_os (SOURCE DEVICE OS)
    Source device OS type.
    CEF field name: PanOSSourceDeviceOS
    EMAIL field name: SourceDeviceOS
    HTTPS field name: SourceDeviceOS
    LEEF field name: SourceDeviceOS

source_device_osfamily (SOURCE DEVICE OS FAMILY)
    OS family of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceOSFamily
    EMAIL field name: SourceDeviceOSFamily
    HTTPS field name: SourceDeviceOSFamily
    LEEF field name: SourceDeviceOSFamily

source_device_osversion (SOURCE DEVICE OS VERSION)
    OS version of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceOSVersion
    EMAIL field name: SourceDeviceOSVersion
    HTTPS field name: SourceDeviceOSVersion
    LEEF field name: SourceDeviceOSVersion

source_device_profile (SOURCE DEVICE PROFILE)
    Profile of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceProfile
    EMAIL field name: SourceDeviceProfile
    HTTPS field name: SourceDeviceProfile
    LEEF field name: SourceDeviceProfile

source_device_vendor (SOURCE DEVICE VENDOR)
    Vendor of the device from which the session originated.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDeviceVendor
    EMAIL field name: SourceDeviceVendor
    HTTPS field name: SourceDeviceVendor
    LEEF field name: SourceDeviceVendor

source_ip.value (SOURCE IP)
    Original source IP address.
    Syslog field name: Syslog Field Order
    CEF fields: src and dst, or c6a2 and c6a3
    EMAIL field name: SourceIP
    HTTPS field name: SourceIP
    LEEF field name: src

source_ip_v6.value (SOURCE IPV6)
    Source from which mapping information is collected.
    Syslog field name: Syslog Field Order
    CEF field name: c6a1
    EMAIL field name: SourceIPv6
    HTTPS field name: SourceIPv6
    LEEF field name: SourceIPv6

source_user (SOURCE USER)
    The username that initiated the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceUser
    EMAIL field name: SourceUser
    HTTPS field name: SourceUser
    LEEF field name: usrName

source_user_info.domain (SOURCE USER DOMAIN)
    Domain to which the Source User belongs.
    CEF fields: All of the following: sntdom, dntdom
    EMAIL field name: SourceUserDomain
    HTTPS field name: SourceUserDomain
    LEEF field name: SourceUserDomain

source_user_info.name (SOURCE USER NAME)
    The Source User. That is, the username that initiated the network traffic.
    CEF fields: All of the following: susername, dusername, suser, duser
    EMAIL field name: SourceUserName
    HTTPS field name: SourceUserName
    LEEF field name: SourceUserName

source_user_info.uuid (SOURCE USER UUID)
    Unique identifier assigned to the Source User.
    CEF fields: All of the following: suid, duid
    EMAIL field name: SourceUserUUID
    HTTPS field name: SourceUserUUID
    LEEF field name: SourceUserUUID

sub_type.value (SUBTYPE)
    Identifies the log subtype.
    Syslog field name: Syslog Field Order
    CEF field name: Name
    EMAIL field name: Subtype
    HTTPS field name: Subtype
    LEEF field name: SubType

time_generated (TIME GENERATED)
    Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: start
    EMAIL field name: TimeGenerated
    HTTPS field name: TimeGenerated
    LEEF field name: devTime

time_generated_high_res (TIME GENERATED HIGH RESOLUTION)
    Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSTimeGeneratedHighResolution
    EMAIL field name: TimeGeneratedHighResolution
    HTTPS field name: TimeGeneratedHighResolution
    LEEF field name: TimeGeneratedHighResolution

timestamp_device_identification (TIMESTAMP DEVICE IDENTIFICATION)
    Time the device was identified, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSTimestampDeviceIdentification
    EMAIL field name: TimestampDeviceIdentification
    HTTPS field name: TimestampDeviceIdentification
    LEEF field name: TimestampDeviceIdentification

uuid (UUID)
    UUID.
    CEF field name: PanOSUUID
    EMAIL field name: UUID
    HTTPS field name: UUID
    LEEF field name: UUID

vendor_name (VENDOR NAME)
    Identifies the vendor that produced the data.
    CEF field name: Device Vendor
    EMAIL field name: VendorName
    HTTPS field name: VendorName
    LEEF field name: Vendor

vsys (VIRTUAL LOCATION)
    String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
    Syslog field name: Syslog Field Order
    CEF field name: cs3
    EMAIL field name: VirtualLocation
    HTTPS field name: VirtualLocation
    LEEF field name: VirtualLocation

vsys_id (VIRTUAL SYSTEM ID)
    A unique identifier for a virtual system on a Palo Alto Networks firewall.
    Syslog field name: Syslog Field Order
    CEF field name: cn2
    EMAIL field name: VirtualSystemID
    HTTPS field name: VirtualSystemID
    LEEF field name: VirtualSystemID

vsys_name (VIRTUAL SYSTEM NAME)
    The name of the virtual system associated with the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSVirtualSystemName
    EMAIL field name: VirtualSystemName
    HTTPS field name: VirtualSystemName
    LEEF field name: VirtualSystemName

HIP Match Syslog Default Field Order


Example HIP Match log in Syslog:

Oct 12 21:42:57 gke-standard-cluster-2-pool-1-6ea9f13a-moqf 592 <142>1 2020-10-12T21:42:56.982Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - 1,2020-10-12T21:42:51.000000Z,007051000113358,HIPMATCH,hipmatch,10.0,2020-10-12T21:31:20.000000Z,paloaltonetwork\xxxxx,vsys1,machine_name2,Windows,::105:505:ffff:0,match_name1,16777216,HIP Object,,,343827467,-9223372036854775808,0,0,0,0,,PA-VM,1,7856:26e4:0:80fe:2983:1efe:ffb3:2b2,78:22:be:12:55:76,serial0202020202,2,profile_list-2,5 Plus,Samsung,osfamily_list-2,osversion_list-2,6c258d1d8347b658,devhost_list-0,source-3,1996-06-22T05:27:59.000000Z,2020-10-12T21:31:21.110000Z

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, source_user, vsys, endpoint_device_name, endpoint_os_type, source_ip.value,
hip_match_name, count_of_repeats, hip_match_type.value, EMPTY, EMPTY, sequence_no,
action_flags, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name,
log_source_name, vsys_id, source_ip_v6.value, host_id, endpoint_serial_number,
source_device_category, source_device_profile, source_device_model, source_device_vendor,
source_device_osfamily, source_device_osversion, source_device_mac, source_device_host,
source, timestamp_device_identification, time_generated_high_res
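As an added example (not code from this reference or from Palo Alto Networks), the following Python maps one forwarded HIP Match syslog line onto the schema query names using the default field order above. It separates the RFC 5424 envelope from the comma-separated record, drops the HEADER and EMPTY placeholders, converts the numeric fields, and refuses a line whose column count does not match the configured order rather than silently putting values under the wrong names, which is the failure mode to expect when a filter created after the migration uses a different column list. The sample line and its hostnames, serial numbers, user and profile names are constructed; HipMatchEvent, parse_hip_match_syslog and INT_FIELDS are the example's own names, and the set of numeric fields is an assumption based on the descriptions above.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Default HIP Match syslog field order, copied from the list above. "HEADER" and
# "EMPTY" are positional placeholders in that list, not fields of the record.
HIP_MATCH_DEFAULT_ORDER = [
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "time_generated", "source_user", "vsys",
    "endpoint_device_name", "endpoint_os_type", "source_ip.value",
    "hip_match_name", "count_of_repeats", "hip_match_type.value", "EMPTY",
    "EMPTY", "sequence_no", "action_flags", "dg_hier_level_1",
    "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4", "vsys_name",
    "log_source_name", "vsys_id", "source_ip_v6.value", "host_id",
    "endpoint_serial_number", "source_device_category",
    "source_device_profile", "source_device_model", "source_device_vendor",
    "source_device_osfamily", "source_device_osversion", "source_device_mac",
    "source_device_host", "source", "timestamp_device_identification",
    "time_generated_high_res",
]
PLACEHOLDERS = {"HEADER", "EMPTY"}
# Assumption: counters and identifiers that the descriptions above call numeric;
# everything else stays text.
INT_FIELDS = {"count_of_repeats", "sequence_no", "action_flags", "vsys_id",
              "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3",
              "dg_hier_level_4"}

# RFC 5424 envelope: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# The example above shows "logforwarder" as APP-NAME, "panwlogs" as MSGID and
# "-" for structured data, followed by the comma-separated record. Searching
# instead of anchoring at the start tolerates a receiver-added prefix such as
# "Oct 12 21:42:57 host 592 " in front of "<142>1".
SYSLOG_5424 = re.compile(
    r"<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$"
)


@dataclass
class HipMatchEvent:
    facility: int          # PRI // 8, per RFC 5424
    severity: int          # PRI % 8
    timestamp: str         # envelope timestamp written by the forwarder
    fields: dict = field(default_factory=dict)   # query name -> value


def parse_hip_match_syslog(line, field_order=HIP_MATCH_DEFAULT_ORDER):
    """Map one forwarded HIP Match syslog line onto schema query names.

    field_order is the column list configured in the log filter; the default is
    the migrated-filter order given above.
    """
    m = SYSLOG_5424.search(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    # The record is one CSV row; csv copes with quoted values containing commas.
    values = next(csv.reader(io.StringIO(m.group("msg"))))
    if len(values) != len(field_order):
        # The filter's column list and this field_order disagree; zipping them
        # anyway would silently put values under the wrong names.
        raise ValueError(
            f"expected {len(field_order)} columns, got {len(values)}")
    fields = {}
    for name, value in zip(field_order, values):
        if name in PLACEHOLDERS:
            continue
        fields[name] = int(value) if name in INT_FIELDS and value else value
    pri = int(m.group("pri"))
    return HipMatchEvent(facility=pri // 8, severity=pri % 8,
                         timestamp=m.group("ts"), fields=fields)


# Constructed sample modeled on the example above; hostnames, serial numbers,
# user and profile names are made up and are not real values.
SAMPLE_LINE = (
    "Oct 12 21:42:57 collector01 592 <142>1 2020-10-12T21:42:56.982Z "
    "stream-logfwd-example logforwarder - panwlogs - "
    "1,2020-10-12T21:42:51.000000Z,000000000000000,HIPMATCH,hipmatch,10.0,"
    "2020-10-12T21:31:20.000000Z,example\\jdoe,vsys1,LAPTOP-EXAMPLE,Windows,"
    "10.0.0.25,corp-disk-encryption,1,HIP Profile,,,343827467,0,0,0,0,0,,"
    "PA-VM,1,::,00000000-0000-0000-0000-000000000000,EXAMPLESERIAL01"
    + "," * 11 + "2020-10-12T21:31:21.110000Z"   # ten empty device columns
)

if __name__ == "__main__":
    event = parse_hip_match_syslog(SAMPLE_LINE)
    print(f"facility={event.facility} severity={event.severity}")
    for name in ("log_source_id", "source_user", "endpoint_device_name",
                 "hip_match_name", "hip_match_type.value", "count_of_repeats"):
        print(f"{name:24} {event.fields[name]!r}")
```

Pass the column list you configured in the log filter as field_order when it differs from the default; the length check then catches a forwarder and parser that have drifted apart.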

HIP Match CEF Fields


Example HIP Match log in CEF:

Mar 1 21:20:14 xxx.xx.x.xx 1505 <14>1 2021-03-01T21:20:14.889Z stream-logfwd20-587718190-03011312-b28y-harness-x4nx logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|HIPMATCH||3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx dntdom=xxxxx suser=xxxxx xxxxx duser=xxxxx xxxxx suid= duid= PanOSTenantID=xxxxxxxxxxxxx PanOSUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 PanOSSourceUser=xxxxx\\xxxxx xxxxx cs3=vsys1 cs3Label=VirtualLocation shost=machine_name1 dhost=machine_name1 cs2=iOS cs2Label=EndpointOSType src=xxx.xx.x.xx dst=xxx.xx.x.xx cat=match_name1 cnt=1 PanOSHipMatchType=HIP Profile externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID c6a1=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx c6a1Label=Device IPv6 Address PanOSHostID=xxxxxxxxxxxxxxe777947f-d92e-4815-9222-89438203bc2b PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceMac= PanOSSourceDeviceHost= PanOSSource= PanOSTimestampDeviceIdentification=Dec PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12

The following table identifies the HIP Match field names that the Log Forwarding app uses when
you forward logs using the CEF log format.

CEF Name
    Field Details

PanOSConfigVersion
    Query Name: config_version.value
    Header Type: Custom

cnt
    Query Name: count_of_repeats
    Header Type: Predefined

PanOSTenantID
    Query Name: customer_id
    Header Type: Custom

PanOSDGHierarchyLevel1
    Query Name: dg_hier_level_1
    Header Type: Custom

PanOSDGHierarchyLevel2
    Query Name: dg_hier_level_2
    Header Type: Custom

PanOSDGHierarchyLevel3
    Query Name: dg_hier_level_3
    Header Type: Custom

PanOSDGHierarchyLevel4
    Query Name: dg_hier_level_4
    Header Type: Custom

shost and dhost
    Query Name: endpoint_device_name
    Header Type: Predefined

cs2
    Query Name: endpoint_os_type
    Header Type: Predefined
    Label: cs2Label
    Label Text: EndpointOSType
    Max Length: 4000

PanOSEndpointSerialNumber
    Query Name: endpoint_serial_number
    Header Type: Custom

cat
    Query Name: hip_match_name
    Header Type: Predefined
    Max Length: 1023

PanOSHipMatchType
    Query Name: hip_match_type.value
    Header Type: Custom

PanOSHostID
    Query Name: host_id
    Header Type: Custom

PanOSIsDuplicateLog
    Query Name: is_dup_log
    Header Type: Custom

PanOSLogExported
    Query Name: is_exported
    Header Type: Custom

PanOSLogForwarded
    Query Name: is_forwarded
    Header Type: Custom

PanOSIsPrismaNetworks
    Query Name: is_prisma_branch
    Header Type: Custom

PanOSIsPrismaUsers
    Query Name: is_prisma_mobile
    Header Type: Custom

PanOSLogSource
    Query Name: log_source
    Header Type: Custom

LogSourceGroupID
    Query Name: log_source_group_id
    Header Type: Custom
    Max Length: 255

deviceExternalId
    Query Name: log_source_id
    Header Type: Predefined
    Max Length: 255

dvchost
    Query Name: log_source_name
    Header Type: Predefined
    Max Length: 100

PanOSLogSourceTimeZoneOffset
    Query Name: log_source_tz_offset
    Header Type: Custom

rt
    Query Name: log_time
    Header Type: Predefined

Device Event Class ID
    Query Name: log_type.value
    Header Type: Custom

PanOSPanoramaSN
    Query Name: panorama_serial
    Header Type: Custom

PlatformType
    Query Name: platform_type
    Header Type: Custom

externalId
    Query Name: sequence_no
    Header Type: Predefined
    Max Length: 40

PanOSSource
    Query Name: source
    Header Type: Custom

PanOSSourceDeviceCategory
    Query Name: source_device_category
    Header Type: Custom

PanOSSourceDeviceClass
    Query Name: source_device_class
    Header Type: Custom

PanOSSourceDeviceHost
    Query Name: source_device_host
    Header Type: Custom

PanOSSourceDeviceMac
    Query Name: source_device_mac
    Header Type: Custom

PanOSSourceDeviceModel
    Query Name: source_device_model
    Header Type: Custom

PanOSSourceDeviceOS
    Query Name: source_device_os
    Header Type: Custom

PanOSSourceDeviceOSFamily
    Query Name: source_device_osfamily
    Header Type: Custom

PanOSSourceDeviceOSVersion
    Query Name: source_device_osversion
    Header Type: Custom

PanOSSourceDeviceProfile
    Query Name: source_device_profile
    Header Type: Custom

PanOSSourceDeviceVendor
    Query Name: source_device_vendor
    Header Type: Custom

src and dst, or c6a2 and c6a3
    Query Name: source_ip.value
    Header Type: Predefined
    Label (IPv6 form only): c6a2Label and c6a3Label
    Label Text: Source IPv6 Address and Destination IPv6 Address

c6a1
    Query Name: source_ip_v6.value
    Header Type: Predefined
    Label: c6a1Label
    Label Text: Device IPv6 Address

PanOSSourceUser
    Query Name: source_user
    Header Type: Custom

sntdom and dntdom
    Query Name: source_user_info.domain
    Header Type: Predefined

susername, dusername, suser, duser
    Query Name: source_user_info.name
    Header Type: Predefined

suid and duid
    Query Name: source_user_info.uuid
    Header Type: Predefined

Name
    Query Name: sub_type.value
    Header Type: Custom

start
    Query Name: time_generated
    Header Type: Predefined

PanOSTimeGeneratedHighResolution
    Query Name: time_generated_high_res
    Header Type: Custom

PanOSTimestampDeviceIdentification
    Query Name: timestamp_device_identification
    Header Type: Custom

PanOSUUID
    Query Name: uuid
    Header Type: Custom

Device Vendor
    Query Name: vendor_name
    Header Type: Custom

cs3
    Query Name: vsys
    Header Type: Predefined
    Label: cs3Label
    Label Text: VirtualLocation
    Max Length: 4000

cn2
    Query Name: vsys_id
    Header Type: Predefined
    Label: cn2Label
    Label Text: VirtualSystemID

PanOSVirtualSystemName
    Query Name: vsys_name
    Header Type: Custom

HIP Match EMAIL Fields


Example HIP Match log in EMAIL:

TimeReceived=2021-02-23T02:44:43.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=HIPMATCH
Subtype=
ConfigVersion=
TimeGenerated=2021-02-23T02:44:43.000000Z
SourceUser="xxxxx\xxxxx xxxxx"
VirtualLocation=vsys1
EndpointDeviceName=machine_name1
EndpointOSType=iOS
SourceIP=xxxxxxxxxxxx
HipMatchName=match_name1
CountOfRepeats=1
HipMatchType=HIP Profile
SequenceNo=6711379990526558208
DGHierarchyLevel1=12
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=PA-5220
VirtualSystemID=1
SourceIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
HostID=e777947f-d92e-4815-9222-89438203bc2b
EndpointSerialNumber=xxxxxxxxxxxxxx
SourceDeviceCategory=
SourceDeviceProfile=
SourceDeviceModel=
SourceDeviceVendor=
SourceDeviceOSFamily=
SourceDeviceOSVersion=
SourceDeviceMac=
SourceDeviceHost=
Source=
TimestampDeviceIdentification=
TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z

The following table identifies the HIP Match field names that the Log Forwarding app uses when
you forward logs using the EMAIL log format.

EMAIL Name                           Query Name

ConfigVersion                        config_version.value
RepeatCount, CountOfRepeats          count_of_repeats
CortexDataLakeTenantID, TenantID     customer_id
DGHierarchyLevel1                    dg_hier_level_1
DGHierarchyLevel2                    dg_hier_level_2
DGHierarchyLevel3                    dg_hier_level_3
DGHierarchyLevel4                    dg_hier_level_4
EndpointDeviceName                   endpoint_device_name
EndpointOSType                       endpoint_os_type
EndpointSerialNumber                 endpoint_serial_number
HipMatchName                         hip_match_name
HipMatchType                         hip_match_type.value
HostID                               host_id
IsDuplicateLog                       is_dup_log
LogExported                          is_exported
LogForwarded                         is_forwarded
IsPrismaNetworks                     is_prisma_branch
IsPrismaUsers                        is_prisma_mobile
LogSource                            log_source
LogSourceGroupID                     log_source_group_id
DeviceSN                             log_source_id
DeviceName                           log_source_name
LogSourceTimeZoneOffset              log_source_tz_offset
TimeReceived                         log_time
LogType                              log_type.value
PanoramaSN                           panorama_serial
PlatformType                         platform_type
SequenceNo                           sequence_no
Source                               source
SourceDeviceCategory                 source_device_category
SourceDeviceClass                    source_device_class
SourceDeviceHost                     source_device_host
SourceDeviceMac                      source_device_mac
SourceDeviceModel                    source_device_model
SourceDeviceOS                       source_device_os
SourceDeviceOSFamily                 source_device_osfamily
SourceDeviceOSVersion                source_device_osversion
SourceDeviceProfile                  source_device_profile
SourceDeviceVendor                   source_device_vendor
SourceIP                             source_ip.value
SourceIPv6                           source_ip_v6.value
SourceUser                           source_user
SourceUserDomain                     source_user_info.domain
SourceUserName                       source_user_info.name
SourceUserUUID                       source_user_info.uuid
Subtype                              sub_type.value
TimeGenerated                        time_generated
TimeGeneratedHighResolution          time_generated_high_res
TimestampDeviceIdentification        timestamp_device_identification
UUID                                 uuid
VendorName                           vendor_name
VirtualLocation                      vsys
VirtualSystemID                      vsys_id
VirtualSystemName                    vsys_name

HIP Match HTTPS Fields


The following table identifies the HIP Match field names that the Log Forwarding app uses when
you forward logs using the HTTPS log format.

HTTPS Name                           Query Name

ConfigVersion                        config_version.value
RepeatCount, CountOfRepeats          count_of_repeats
CortexDataLakeTenantID, TenantID     customer_id
DGHierarchyLevel1                    dg_hier_level_1
DGHierarchyLevel2                    dg_hier_level_2
DGHierarchyLevel3                    dg_hier_level_3
DGHierarchyLevel4                    dg_hier_level_4
EndpointDeviceName                   endpoint_device_name
EndpointOSType                       endpoint_os_type
EndpointSerialNumber                 endpoint_serial_number
HipMatchName                         hip_match_name
HipMatchType                         hip_match_type.value
HostID                               host_id
IsDuplicateLog                       is_dup_log
LogExported                          is_exported
LogForwarded                         is_forwarded
IsPrismaNetworks                     is_prisma_branch
IsPrismaUsers                        is_prisma_mobile
LogSource                            log_source
LogSourceGroupID                     log_source_group_id
DeviceSN                             log_source_id
DeviceName                           log_source_name
LogSourceTimeZoneOffset              log_source_tz_offset
TimeReceived                         log_time
LogType                              log_type.value
PanoramaSN                           panorama_serial
PlatformType                         platform_type
SequenceNo                           sequence_no
Source                               source
SourceDeviceCategory                 source_device_category
SourceDeviceClass                    source_device_class
SourceDeviceHost                     source_device_host
SourceDeviceMac                      source_device_mac
SourceDeviceModel                    source_device_model
SourceDeviceOS                       source_device_os
SourceDeviceOSFamily                 source_device_osfamily
SourceDeviceOSVersion                source_device_osversion
SourceDeviceProfile                  source_device_profile
SourceDeviceVendor                   source_device_vendor
SourceIP                             source_ip.value
SourceIPv6                           source_ip_v6.value
SourceUser                           source_user
SourceUserDomain                     source_user_info.domain
SourceUserName                       source_user_info.name
SourceUserUUID                       source_user_info.uuid
Subtype                              sub_type.value
TimeGenerated                        time_generated
TimeGeneratedHighResolution          time_generated_high_res
TimestampDeviceIdentification        timestamp_device_identification
UUID                                 uuid
VendorName                           vendor_name
VirtualLocation                      vsys
VirtualSystemID                      vsys_id
VirtualSystemName                    vsys_name

HIP Match LEEF Fields


Example HIP Match log in LEEF:

Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |profileToken=Palotoken VirtualSystemID=1 SequenceNo=6711379990526558208 SourceDeviceClass= src=xxx.xx.x.xx VirtualSystemName= devTime=2020-10-13T03:31:40.000000Z DeviceSN=xxxxxxxxxxxxx UUID= Source= identHostName=machine_name1 DeviceName=PA-5220 LogExported=false TimeGeneratedHighResolution= SourceDeviceModel= HostID=e777947f-d92e-4815-9222-89438203bc2b TimeReceived=2020-10-13T03:31:40.000000Z SourceDeviceVendor= EndpointSerialNumber=xxxxxxxxxxxxxx VirtualLocation=vsys1 SourceDeviceHost= TimestampDeviceIdentification= IsPrismaUsers=false EventID=HIPMATCH SourceUserUUID= SourceUserDomain=xxxxx SourceIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx HipMatchName=match_name1 IsDuplicateLog=false LogForwarded=true CountOfRepeats=1 usrName="xxxxx\\xxxxx xxxxx" LogSourceTimeZoneOffset= TenantID=xxxxxxxxxxxxx SourceUserName=xxxxx xxxxx SourceDeviceMac= SourceDeviceOSVersion= IsPrismaNetworks=false EndpointOSType=iOS HipMatchType=HIP Profile SourceDeviceOSFamily= LogSource=firewall SourceDeviceCategory= SourceDeviceProfile= Vendor=Palo Alto Networks cat= SourceDeviceOS= devTimeFormat=YYYY-MM-DDTHH:MM:SSZ

The following table identifies the HIP Match field names that the Log Forwarding app uses when
you forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app includes when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth), as a parameter called profileToken.

LEEF Name Query Name Field Type

ConfigVersion config_version.value Custom

CountOfRepeats count_of_repeats Custom

TenantID customer_id Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

identHostName endpoint_device_name Predefined

EndpointOSType endpoint_os_type Custom

EndpointSerialNumber endpoint_serial_number Custom

EventID hip_match_name Header

EventID hip_match_type.value Header

HostID host_id Custom

IsDuplicateLog is_dup_log Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsPrismaNetworks is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

PanoramaSN panorama_serial Custom

PlatformType platform_type Custom

SequenceNo sequence_no Custom

Source source Custom

SourceDeviceCategory source_device_category Custom

SourceDeviceClass source_device_class Custom

SourceDeviceHost source_device_host Custom

SourceDeviceMac source_device_mac Custom

SourceDeviceModel source_device_model Custom

SourceDeviceOS source_device_os Custom

SourceDeviceOSFamily source_device_osfamily Custom

SourceDeviceOSVersion source_device_osversion Custom

SourceDeviceProfile source_device_profile Custom

SourceDeviceVendor source_device_vendor Custom

src source_ip.value Predefined

SourceIPv6 source_ip_v6.value Custom

usrName source_user Predefined

SourceUserDomain source_user_info.domain Custom

SourceUserName source_user_info.name Custom

SourceUserUUID source_user_info.uuid Custom

SubType sub_type.value Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

TimestampDeviceIdentification timestamp_device_identification Custom

UUID uuid Custom

Vendor vendor_name Header

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom


IPtag
IPtag logs display how and when a source IP address is registered or unregistered with the
next-generation firewall, and what tag the firewall applied to the address. Additionally, each log
entry displays the configured timeout (if applicable) and the source of the tag-to-IP mapping
information.
See the following for information related to supported log formats:
• IPtag Syslog Default Field Order
• IPtag CEF Fields
• IPtag EMAIL Fields
• IPtag HTTPS Fields
• IPtag LEEF Fields

IPTAG Field (Display Name)    Description

config_version.value (CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

count_of_repeats (REPEAT COUNT)
Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: All of the following: RepeatCount, CountOfRepeats
HTTPS field name: All of the following: RepeatCount, CountOfRepeats
LEEF field name: CountOfRepeats

customer_id (CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSTenantID
EMAIL field name: All of the following: CortexDataLakeTenantID, TenantID
HTTPS field name: All of the following: CortexDataLakeTenantID, TenantID
LEEF field name: TenantID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4

event_id.value (EVENT ID)
Identifies the event.
Syslog field name: Syslog Field Order
CEF field name: PanOSEventID
EMAIL field name: EventID
HTTPS field name: EventID
LEEF field name: EventID

ip_subnet_range (IP SUBNET RANGE)
IP subnet range.
Syslog field name: Syslog Field Order
CEF field name: PanOSIPSubnetRange
EMAIL field name: IPSubnetRange
HTTPS field name: IPSubnetRange
LEEF field name: IPSubnetRange

is_dup_log (IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog

is_exported (LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded

is_prisma_branch (IS PRISMA NETWORKS)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetworks
EMAIL field name: IsPrismaNetworks
HTTPS field name: IsPrismaNetworks
LEEF field name: IsPrismaNetworks

is_prisma_mobile (IS PRISMA USERS)
Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers

log_set (LOG SETTING)
Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
CEF field name: PanOSLogSetting
EMAIL field name: LogSetting
HTTPS field name: LogSetting
LEEF field name: LogSetting

log_source (LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
Time zone offset from GMT of the source of the log.
CEF field name: PanOSLogSourceTimeZoneOffset
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived

log_type.value (LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat

mapping_data_source_name (MAPPING DATA SOURCE)
Name of the source from which the mapping information was collected.
Syslog field name: Syslog Field Order
CEF field name: PanOSMappingDataSource
EMAIL field name: MappingDataSource
HTTPS field name: MappingDataSource
LEEF field name: MappingDataSource

mapping_data_source_sub_type.value (MAPPING DATA SOURCE SUBTYPE)
Mechanism used to identify the IP/User mappings within a data source.
Syslog field name: Syslog Field Order
CEF field name: PanOSMappingDataSourceSubType
EMAIL field name: MappingDataSourceSubType
HTTPS field name: MappingDataSourceSubType
LEEF field name: MappingDataSourceSubType

mapping_data_source_type.value (MAPPING DATA SOURCE TYPE)
Source from which mapping information is collected.
Syslog field name: Syslog Field Order
CEF field name: PanOSMappingDataSourceType
EMAIL field name: MappingDataSourceType
HTTPS field name: MappingDataSourceType
LEEF field name: MappingDataSourceType

mapping_timeout (MAPPING TIMEOUT)
Time interval before the IP-to-tag mapping expires for the source IP address.
Syslog field name: Syslog Field Order
CEF field name: PanOSMappingTimeout
EMAIL field name: MappingTimeout
HTTPS field name: MappingTimeout
LEEF field name: MappingTimeout

panorama_serial (PANORAMA SN)
Serial number of the Panorama associated with Cortex Data Lake.
CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN

platform_type (PLATFORM TYPE)
The platform type (valid types are VM, PA, NGFW, CNGFW).
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType

rule_matched (RULE)
Name of the security policy rule that the network traffic matched.
CEF field name: PanOSRuleMatched
EMAIL field name: All of the following: Rule, RuleMatched
HTTPS field name: All of the following: Rule, RuleMatched
LEEF field name: RuleMatched

rule_matched_uuid (RULE UUID)
Unique identifier for the security policy rule that the network traffic matched.
CEF field name: PanOSRuleMatchedUUID
EMAIL field name: All of the following: RuleUUID, RuleMatchedUUID
HTTPS field name: All of the following: RuleUUID, RuleMatchedUUID
LEEF field name: RuleMatchedUUID

sequence_no (SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo

source_ip.value (SOURCE IP)
Original source IP address.
Syslog field name: Syslog Field Order
CEF fields: src and dst, or c6a2 and c6a3
EMAIL field name: SourceIP
HTTPS field name: SourceIP
LEEF field name: src

sub_type.value (SUBTYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType

tag_name (TAG NAME)
The tag mapped to the source IP address.
Syslog field name: Syslog Field Order
CEF field name: PanOSTagName
EMAIL field name: TagName
HTTPS field name: TagName
LEEF field name: TagName

time_generated (TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res (TIME GENERATED HIGH RESOLUTION)
Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

vendor_name (VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

vsys (VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

vsys_id (VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cn2
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name (VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

IPtag Syslog Default Field Order

Example IPtag log in Syslog:

Oct 13 20:56:15 gke-standard-cluster-2-pool-1-6ea9f13a-fnid 394 <142>1 2020-10-13T20:56:15.519Z stream-
logfwd20-156653024-10121421-eq28-harness-16kn logforwarder -
panwlogs - Palo Alto Networks,firewall,007099000010804,PA-VM,22229,
2019-06-26T00:42:11.000000Z,1462034616,11,IPTAG,0,iptag,xxx.xx.x.xx,
00000000000000000000ffffac1001b4,-9223372036854775808,18,0,0,0,
false,true,false,false,false,\">C\u000FP,p5\u0016qI\u0006A!\u000E
\",1,,,7743,2019-08-15T02:20:30.000000Z,1,vsys1,\"\u0000\u0000f8B
\u000E@k[y\",,^\u0000\\w\u0006>#&\u0015M`5\u0018'j,5,Unregister,
XMLAPI,1,XML-API,0,Unknown,,10,\"!7eaUpIG-*\u0012pz>\",\"\u00158oi^`
\u000Eru;)\u001C\u0014u\"xxxxxxxxxx",

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, vsys, source_ip.value, tag_name, event_id.value, count_of_repeats,
mapping_timeout, mapping_data_source_name, mapping_data_source_type.value,
mapping_data_source_sub_type.value, sequence_no, action_flags, dg_hier_level_1,
dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, vsys_id,
ip_subnet_range, time_generated_high_res
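As an added example that is not part of the Cortex Data Lake documentation, the following Python maps the comma-separated IPtag payload onto the default field order above and then replays Register and Unregister events in sequence_no order to rebuild which IP addresses currently carry each tag, which is what an analyst needs when a dynamic address group membership is in question. It assumes the syslog HEADER has already been stripped so the payload starts at log_time; the serial number, addresses and tag names in the sample data are constructed.

```python
import csv
import io
from typing import Dict, List, Set

# Default IPtag syslog field order for migrated filters, as documented above.
# Assumption for this example: the HEADER preceding these fields has already
# been stripped, so the payload handed to the parser starts at log_time.
IPTAG_SYSLOG_FIELDS = [
    "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "time_generated", "vsys", "source_ip.value",
    "tag_name", "event_id.value", "count_of_repeats", "mapping_timeout",
    "mapping_data_source_name", "mapping_data_source_type.value",
    "mapping_data_source_sub_type.value", "sequence_no", "action_flags",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "log_source_name", "vsys_id", "ip_subnet_range",
    "time_generated_high_res",
]

# Constructed sample payload (serial number, address and tag are made up).
SAMPLE_PAYLOAD = (
    "2021-02-23T02:44:43.000000Z,0000000000000,IPTAG,iptag,,"
    "2021-02-23T02:44:43.000000Z,vsys1,10.0.1.25,quarantine,Register,1,10,"
    "XMLAPI,XML-API,Unknown,7743,0,18,0,0,0,,PA-VM,1,,"
    "2021-02-23T02:44:43.123000Z"
)


def parse_iptag_payload(payload: str) -> Dict[str, str]:
    """Map one CSV payload onto the documented field names.

    The arity check matters: a filter created after the migration can carry
    a different column order, so a line with the wrong field count must not
    be silently mis-attributed to the default layout.
    """
    values = next(csv.reader(io.StringIO(payload)))
    if len(values) != len(IPTAG_SYSLOG_FIELDS):
        raise ValueError(
            f"expected {len(IPTAG_SYSLOG_FIELDS)} fields, got {len(values)}")
    return dict(zip(IPTAG_SYSLOG_FIELDS, values))


def make_payload(seq: int, ip: str, tag: str, event: str) -> str:
    """Build a constructed payload in the documented order (test data only)."""
    rec = dict.fromkeys(IPTAG_SYSLOG_FIELDS, "")
    rec.update({
        "log_time": "2021-02-23T02:44:43.000000Z",
        "log_source_id": "0000000000000", "log_type.value": "IPTAG",
        "sub_type.value": "iptag", "vsys": "vsys1", "source_ip.value": ip,
        "tag_name": tag, "event_id.value": event, "count_of_repeats": "1",
        "mapping_timeout": "10", "mapping_data_source_name": "XMLAPI",
        "mapping_data_source_type.value": "XML-API",
        "mapping_data_source_sub_type.value": "Unknown",
        "sequence_no": str(seq), "log_source_name": "PA-VM", "vsys_id": "1",
    })
    return ",".join(rec[f] for f in IPTAG_SYSLOG_FIELDS)


# Constructed event stream, deliberately delivered out of sequence order:
# the Unregister for 10.0.1.25 arrives before its Register.
SAMPLE_EVENTS = [
    make_payload(7745, "10.0.1.25", "quarantine", "Unregister"),
    make_payload(7743, "10.0.1.25", "quarantine", "Register"),
    make_payload(7744, "10.0.1.26", "quarantine", "Register"),
    make_payload(7746, "10.0.2.7", "scanner", "Register"),
    make_payload(7747, "10.0.9.9", "scanner", "Unregister"),  # never registered
]


def replay_tag_mappings(payloads: List[str]) -> Dict[str, Set[str]]:
    """Rebuild current tag -> IP membership from Register/Unregister events.

    Events are applied in sequence_no order (the IPTAG number space is
    sequential per log type, as documented) so a late-arriving Register
    cannot resurrect a mapping that a later Unregister already removed.
    An Unregister for an address that was never registered is ignored.
    """
    records = [parse_iptag_payload(p) for p in payloads]
    records = [r for r in records if r["log_type.value"] == "IPTAG"]
    records.sort(key=lambda r: int(r["sequence_no"]))
    mappings: Dict[str, Set[str]] = {}
    for r in records:
        members = mappings.setdefault(r["tag_name"], set())
        if r["event_id.value"] == "Register":
            members.add(r["source_ip.value"])
        elif r["event_id.value"] == "Unregister":
            members.discard(r["source_ip.value"])
    return mappings


if __name__ == "__main__":
    print(parse_iptag_payload(SAMPLE_PAYLOAD)["event_id.value"])
    for tag, ips in sorted(replay_tag_mappings(SAMPLE_EVENTS).items()):
        print(f"{tag}: {sorted(ips)}")
```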

IPtag CEF Fields

Example IPtag log in CEF:

Mar 1 21:20:15 xxx.xx.x.xx 1042 <14>1 2021-03-01T21:20:15.116Z
stream-logfwd20-587718190-03011312-b28y-harness-x4nx
logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|
IPTAG|iptag|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13
deviceExternalId=xxxxxxxxxxxxx PanOSTenantID=xxxxxxxxxxxxx
PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false
PanOSIsPrismaUsers=false PanOSLogExported=false
PanOSLogForwarded=true PanOSLogSetting= PanOSLogSource=firewall
PanOSLogSourceTimeZoneOffset= PanOSRuleMatched=
PanOSRuleMatchedUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13
cs3=vsys1 cs3Label=VirtualLocation src=xxx.xx.x.xx dst=xxx.xx.x.xx
PanOSTagName= PanOSEventID=Unregister cnt=1 PanOSMappingTimeout=10
PanOSMappingDataSource=XMLAPI PanOSMappingDataSourceType=XML-API
PanOSMappingDataSourceSubType=Unknown externalId=xxxxxxxxxxxxx
PanOSDGHierarchyLevel1=18 PanOSDGHierarchyLevel2=0
PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0
PanOSVirtualSystemName= dvchost=PA-VM cn2=1 cn2Label=VirtualSystemID
PanOSIPSubnetRange= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12

The following table identifies the IPtag field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name    Field Details

PanOSConfigVersion    Query Name: config_version.value
Header Type: Custom

cnt    Query Name: count_of_repeats
Header Type: Predefined

PanOSTenantID    Query Name: customer_id
Header Type: Custom

PanOSDGHierarchyLevel1    Query Name: dg_hier_level_1
Header Type: Custom

PanOSDGHierarchyLevel2    Query Name: dg_hier_level_2
Header Type: Custom

PanOSDGHierarchyLevel3    Query Name: dg_hier_level_3
Header Type: Custom

PanOSDGHierarchyLevel4    Query Name: dg_hier_level_4
Header Type: Custom

PanOSEventID    Query Name: event_id.value
Header Type: Custom

PanOSIPSubnetRange    Query Name: ip_subnet_range
Header Type: Custom

PanOSIsDuplicateLog    Query Name: is_dup_log
Header Type: Custom

PanOSLogExported    Query Name: is_exported
Header Type: Custom

PanOSLogForwarded    Query Name: is_forwarded
Header Type: Custom

PanOSIsPrismaNetworks    Query Name: is_prisma_branch
Header Type: Custom

PanOSIsPrismaUsers    Query Name: is_prisma_mobile
Header Type: Custom

PanOSLogSetting    Query Name: log_set
Header Type: Custom

PanOSLogSource    Query Name: log_source
Header Type: Custom

LogSourceGroupID    Query Name: log_source_group_id
Header Type: Custom

deviceExternalId    Query Name: log_source_id
Header Type: Predefined
Max Length: 255

dvchost    Query Name: log_source_name
Header Type: Predefined
Max Length: 100

PanOSLogSourceTimeZoneOffset    Query Name: log_source_tz_offset
Header Type: Custom

rt    Query Name: log_time
Header Type: Predefined

Device Event Class ID    Query Name: log_type.value
Header Type: Custom

PanOSMappingDataSource    Query Name: mapping_data_source_name
Header Type: Custom

PanOSMappingDataSourceSubType    Query Name: mapping_data_source_sub_type.value
Header Type: Custom

PanOSMappingDataSourceType    Query Name: mapping_data_source_type.value
Header Type: Custom

PanOSMappingTimeout    Query Name: mapping_timeout
Header Type: Custom

PanOSPanoramaSN    Query Name: panorama_serial
Header Type: Custom

PlatformType    Query Name: platform_type
Header Type: Custom

PanOSRuleMatched    Query Name: rule_matched
Header Type: Custom

PanOSRuleMatchedUUID    Query Name: rule_matched_uuid
Header Type: Custom

externalId    Query Name: sequence_no
Header Type: Predefined
Max Length: 40

src and dst, or c6a2 and c6a3    Query Name: source_ip.value
Header Type: Predefined
Label: || c6a2Label && c6a3Label
Label Text: || Source IPv6 Address && Destination IPv6 Address

Name    Query Name: sub_type.value
Header Type: Custom

PanOSTagName    Query Name: tag_name
Header Type: Custom

start    Query Name: time_generated
Header Type: Predefined

PanOSTimeGeneratedHighResolution    Query Name: time_generated_high_res
Header Type: Custom

Device Vendor    Query Name: vendor_name
Header Type: Custom

cs3    Query Name: vsys
Header Type: Predefined
Label: cs3Label
Label Text: VirtualLocation
Max Length: 4000

cn2    Query Name: vsys_id
Header Type: Predefined
Label: cn2Label
Label Text: VirtualSystemID

PanOSVirtualSystemName    Query Name: vsys_name
Header Type: Custom

IPtag EMAIL Fields

Example IPtag log in EMAIL:

TimeReceived=2021-02-23T02:44:43.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=IPTAG
Subtype=iptag
ConfigVersion=
TimeGenerated=2021-02-23T02:44:43.000000Z
VirtualLocation=vsys1
SourceIP=xxxxxxxxxxxx
TagName=
EventID=Unregister
CountOfRepeats=1
MappingTimeout=10
MappingDataSource=XMLAPI
MappingDataSourceType=XML-API
MappingDataSourceSubType=Unknown
SequenceNo=7743

DGHierarchyLevel1=18
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=PA-VM
VirtualSystemID=1
IPSubnetRange=
TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z

The following table identifies the IPtag field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.

EMAIL Name Query Name

ConfigVersion config_version.value

RepeatCount, CountOfRepeats count_of_repeats

CortexDataLakeTenantID, TenantID customer_id

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

EventID event_id.value

IPSubnetRange ip_subnet_range

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetworks is_prisma_branch

IsPrismaUsers is_prisma_mobile

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MappingDataSource mapping_data_source_name

MappingDataSourceSubType mapping_data_source_sub_type.value

MappingDataSourceType mapping_data_source_type.value

MappingTimeout mapping_timeout

PanoramaSN panorama_serial

PlatformType platform_type

Rule, RuleMatched rule_matched

RuleUUID, RuleMatchedUUID rule_matched_uuid

SequenceNo sequence_no

SourceIP source_ip.value

Subtype sub_type.value

TagName tag_name

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

VendorName vendor_name

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name


IPtag HTTPS Fields

The following table identifies the IPtag field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

ConfigVersion config_version.value

RepeatCount, CountOfRepeats count_of_repeats

CortexDataLakeTenantID, TenantID customer_id

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

EventID event_id.value

IPSubnetRange ip_subnet_range

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetworks is_prisma_branch

IsPrismaUsers is_prisma_mobile

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MappingDataSource mapping_data_source_name

MappingDataSourceSubType mapping_data_source_sub_type.value

MappingDataSourceType mapping_data_source_type.value

MappingTimeout mapping_timeout

PanoramaSN panorama_serial

PlatformType platform_type

Rule, RuleMatched rule_matched

RuleUUID, RuleMatchedUUID rule_matched_uuid

SequenceNo sequence_no

SourceIP source_ip.value

Subtype sub_type.value

TagName tag_name

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

VendorName vendor_name

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

IPtag LEEF Fields

Example IPtag log in LEEF:

Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z
stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder
- panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|
10.1|2| |profileToken=Palotoken VirtualSystemID=1 DeviceName=PA-VM
RuleMatched= SequenceNo=7743 IPSubnetRange= LogExported=false
src=xxx.xx.x.xx VirtualSystemName= Vendor=Palo Alto Networks
DeviceSN=xxxxxxxxxxxxx TimeGeneratedHighResolution= LogSetting=
TimeReceived=2020-10-13T03:31:40.000000Z MappingDataSource=XMLAPI
RuleMatchedUUID= IsPrismaNetworks=false MappingTimeout=10
MappingDataSourceType=XML-API IsDuplicateLog=false LogForwarded=true
CountOfRepeats=1 devTime=2020-10-13T03:31:40.000000Z
VirtualLocation=vsys1 LogSource=firewall EventID=Unregister TagName=
LogSourceTimeZoneOffset= cat=iptag MappingDataSourceSubType=Unknown
TenantID=xxxxxxxxxxxxx IsPrismaUsers=false EventID0=IPTAG
devTimeFormat=YYYY-MM-DDTHH:MM:SSZ

The following table identifies the IPtag field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears in a
parameter called profileToken.

LEEF Name Query Name Field Type

ConfigVersion config_version.value Custom

CountOfRepeats count_of_repeats Custom

TenantID customer_id Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

EventID event_id.value Header

IPSubnetRange ip_subnet_range Custom

IsDuplicateLog is_dup_log Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsPrismaNetworks is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

LogSetting log_set Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

MappingDataSource mapping_data_source_name Custom

MappingDataSourceSubType mapping_data_source_sub_type.value Custom

MappingDataSourceType mapping_data_source_type.value Custom

MappingTimeout mapping_timeout Custom

PanoramaSN panorama_serial Custom

PlatformType platform_type Custom

RuleMatched rule_matched Custom

RuleMatchedUUID rule_matched_uuid Custom

SequenceNo sequence_no Custom

src source_ip.value Predefined

SubType sub_type.value Custom

TagName tag_name Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

Vendor vendor_name Header

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom


Remote Browser Isolation

Remote Browser Isolation logs display information about Remote Browser Isolation events.

REMOTE BROWSER ISOLATION Field (Display Name)    Description

action.value (ACTION)
Action taken by Remote Browser Isolation. Possible values:
• Allow
• Deny

bh_name (BH NAME)
The name of the browser host.

browser_type (BROWSER TYPE)
Browser details.

client_id (CLIENT ID)
The session or client ID. Uniquely identifies the user and browser.

client_ip.value (CLIENT IP)
Public IP address of the session.

connected_duration (SESSION DURATION)
Session duration in seconds.

customer_id (CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.

data_size (DATA SIZE)
Value depends on the event_sub_type:
• If event_sub_type is UPLOAD or DOWNLOAD, then data_size is the size of the file being uploaded or downloaded.
• If event_sub_type is COPY or PASTE, then data_size is the size of the data being copied or pasted.

disconnect_reason.value (DISCONNECT REASON)
Disconnect reason upon the end of a session. Possible values:
• USER_INIT - The user ended the session.
• SYS_INIT - The system ended the session.
• IDLE - The session timed out.
• OTHER - Other reason.

edge_location (EDGE LOCATION)
Name of the edge location region.

event_severity.value (EVENT SEVERITY)
Severity of the event. Possible values are INFO or WARN.

event_sub_type.value (EVENT SUBTYPE)
Subtype of the event. The possible values depend on the event_type.
event_type = POLICY:
• COPY
• PASTE
• PRINT
• UPLOAD
• DOWNLOAD
• KEYB (Keyboard)
• VII (View in Isolation)
event_type = SESSION:
• START
• STOP
event_type = AUTH:
• SUCCESS
• FAIL
event_type = ISSUE:
• OTHER
• ACCESS
• PERFORM
• AV
These event subtypes correspond to the security controls in the isolation profiles.

event_type.value (EVENT TYPE)
Event type. Possible values:
• SESSION - A browser event. For example, a user started or ended an isolated browsing session.
• POLICY - A policy event.
• AUTH - An authentication event.
• ISSUE

file_name (FILE NAME)
The names of files being uploaded or downloaded.

issue_details (ISSUE DETAILS)
User-reported issue details.

log_source (LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.

log_source_group_id (LOG SOURCE GROUP ID)
ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.

log_source_id (DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.

log_source_name (DEVICE NAME)
Name of the source of the log.

log_time (TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.

log_type.value (LOG TYPE)
Identifies the log type.

os_type (OS TYPE)
User's OS type.

Cortex Data Lake Schema Reference January 2024 379 ©2024 Palo Alto Networks, Inc.
Network Logs

REMOTE BROWSER ISOLATION Description


Field
(Display Name)

platform_type The platform type (Valid types are PRISMA_ACCESS,


CNGFW, VM, HWFW).
(PLATFORMTYPE)

sub_type.value Identifies the log subtype.


(SUB TYPE)

time_generated Time when the log was generated on the source. This
string contains a timestamp value that is the number of
(TIME GENERATED)
microseconds since the Unix epoch.

time_generated_high_res Time the log was generated in data plane


with millisec granularity in format YYYY-MM-
(TIME GENERATED HIGH
DDTHH:MM:SS[.DDDDDD]Z.
RESOLUTION)

url URL where the isolation policy was applied. Populated


only when event-type = POLICY
(URL)
.

user_id User name.


(SOURCE USER)

vendor_name Identifies the vendor that produced the data.


(VENDOR NAME)


SCTP
Contains entries for Stream Control Transmission Protocol (SCTP) traffic. See RFC 4960 for a
description of this protocol.
SCTP logs are a special type of traffic log. They are written at the end of every SCTP network
session, as well as optionally at the start of every such session.
See the following for information related to supported log formats:
• SCTP Syslog Default Field Order
• SCTP CEF Fields
• SCTP EMAIL Fields
• SCTP HTTPS Fields
• SCTP LEEF Fields
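As an added example (not code from this schema reference or from Palo Alto Networks), the following Python parses one CEF-formatted SCTP record and renames its extension keys to the Cortex Data Lake field names listed in the SCTP table below. The sample line and every value in it are constructed; the key-to-field mapping covers only CEF names that appear in that table, and the log type is taken from the CEF "Device Event Class ID" header field as the table states.

```python
"""Map a CEF-formatted SCTP log line onto Cortex Data Lake schema field names.

Added example, not Palo Alto Networks code. The SAMPLE line below is
constructed for illustration only.
"""
import re
from typing import Dict

# CEF extension key -> Cortex Data Lake SCTP schema field (from the SCTP table).
CEF_TO_SCHEMA: Dict[str, str] = {
    "act": "action.value",
    "PanOSApplication": "app",
    "PanOSAssocationEndReason": "association_end_reason.value",
    "PanOSChunksReceived": "chunks_received",
    "PanOSChunksSent": "chunks_sent",
    "PanOSChunksTotal": "chunks_total",
    "cnt": "count_of_repeats",
    "dst": "dest_ip.value",
    "c6a3": "dest_ip.value",  # IPv6 form of the destination address
    "dpt": "dest_port",
    "cs4": "from_zone",
    "cs6": "log_set",
    "cs1": "rule_matched",
    "PanOSRuleUUID": "rule_matched_uuid",
    "deviceExternalId": "log_source_id",
    "dvchost": "log_source_name",
    "rt": "log_time",
    "proto": "protocol.value",
    "externalId": "sequence_no",
    "PanOSSessionID": "session_id",
    "PanOSPayloadProtocolID": "payload_protocol_id",
    "PanOSSctpChunkType": "sctp_chunk_type",
    "PanOSSctpCauseCode": "sctp_cause_code",
    "PanOSNATDestination": "nat_dest.value",
    "PanOSNATDestinationPort": "nat_dest_port",
    "PanOSNATSource": "nat_source.value",
    "PanOSNATSourcePort": "nat_source_port",
    "PanOSInboundInterface": "inbound_if.value",
    "deviceOutboundInterface": "outbound_if.value",
    "PanOSPacketsReceived": "packets_received",
    "PanOSPacketsSent": "packets_sent",
    "PanOSPacketsTotal": "packets_total",
}

# A pipe splits CEF header fields unless it is escaped as "\|".
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# An extension key is a run of word characters followed by "=" at the start
# of the extension or after whitespace; an escaped "\=" inside a value does
# not match because the character before "=" is a backslash.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
_HEADER_NAMES = ("cef_version", "device_vendor", "device_product",
                 "device_version", "device_event_class_id", "name", "severity")


def _unescape(value: str) -> str:
    """Undo CEF value escaping: \\= and \\\\ become literal, \\n and \\r newlines."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields and its extension pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    header = {n: parts[i].replace("\\|", "|") for i, n in enumerate(_HEADER_NAMES)}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext_text = parts[7] if len(parts) == 8 else ""
    keys = list(_EXT_KEY.finditer(ext_text))
    ext = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    return {"header": header, "extension": ext}


def to_schema(line: str) -> dict:
    """Return the record keyed by schema field names; unknown CEF keys are kept
    under 'unmapped' so that nothing is silently dropped during normalisation."""
    rec = parse_cef(line)
    out = {"log_type.value": rec["header"]["device_event_class_id"], "unmapped": {}}
    for key, value in rec["extension"].items():
        field = CEF_TO_SCHEMA.get(key)
        if field is None:
            out["unmapped"][key] = value
        else:
            out[field] = value
    # CEF carries every value as text; reject obviously malformed port values
    # before downstream logic compares them numerically.
    for port_field in ("dest_port", "nat_dest_port", "nat_source_port"):
        if port_field in out and not out[port_field].isdigit():
            raise ValueError(f"{port_field} is not numeric: {out[port_field]!r}")
    return out


# Constructed sample record (placeholder version and serial; cs1 shows an escaped "=").
SAMPLE = ("CEF:0|Palo Alto Networks|PAN-OS|PLACEHOLDER-VERSION|SCTP|sctp|3|"
          "rt=1706601600000000 deviceExternalId=PLACEHOLDER-SN dvchost=fw-lab "
          "act=allow PanOSApplication=sctp cs4=trust dst=203.0.113.10 dpt=3868 "
          "proto=sctp cs1=allow\\=diameter cs6=to-cdl externalId=4711 "
          "PanOSChunksSent=12 PanOSChunksReceived=9 PanOSChunksTotal=21 "
          "PanOSSctpChunkType=DATA PanOSPayloadProtocolID=46 customKey=x")

if __name__ == "__main__":
    for field, value in sorted(to_schema(SAMPLE).items()):
        print(f"{field}: {value}")
```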

SCTP Field (Display Name)    Description

action.value (ACTION)
    Identifies the action that the firewall took for the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: act
    EMAIL field name: Action
    HTTPS field name: Action
    LEEF field name: EventID

app (APPLICATION)
    Application associated with the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSApplication
    EMAIL field name: Application
    HTTPS field name: Application
    LEEF field name: Application

association_end_reason.value (ASSOCATION END REASON)
    The reason the session terminated. If the termination had multiple reasons, only the highest priority reason is identified here.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSAssocationEndReason
    EMAIL field name: AssocationEndReason
    HTTPS field name: AssocationEndReason
    LEEF field name: AssocationEndReason

chunks_received (CHUNKS RECEIVED)
    The total number of SCTP data chunks in the server-to-client network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSChunksReceived
    EMAIL field name: ChunksReceived
    HTTPS field name: ChunksReceived
    LEEF field name: ChunksReceived

chunks_sent (CHUNKS SENT)
    The total number of SCTP data chunks in the client-to-server network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSChunksSent
    EMAIL field name: ChunksSent
    HTTPS field name: ChunksSent
    LEEF field name: ChunksSent

chunks_total (CHUNKS TOTAL)
    The total number of SCTP data chunks in the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSChunksTotal
    EMAIL field name: ChunksTotal
    HTTPS field name: ChunksTotal
    LEEF field name: ChunksTotal

config_version.value (CONFIG VERSION)
    Version number of the firewall operating system that wrote this log record.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSConfigVersion
    EMAIL field name: ConfigVersion
    HTTPS field name: ConfigVersion
    LEEF field name: ConfigVersion

container_id (CONTAINER ID)
    Unknown field. No information is available at this time.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSContainerID
    EMAIL field name: ContainerID
    HTTPS field name: ContainerID
    LEEF field name: ContainerID

content_version (CONTENT VERSION)
    Version of the content on the firewall.
    CEF field name: PanOSContentVersion
    EMAIL field name: ContentVersion
    HTTPS field name: ContentVersion
    LEEF field name: ContentVersion

count_of_repeats (REPEAT COUNT)
    Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
    Syslog field name: Syslog Field Order
    CEF field name: cnt
    EMAIL field name: RepeatCount
    HTTPS field name: RepeatCount
    LEEF field name: RepeatCount

customer_id (CORTEX DATA LAKE TENANT ID)
    The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
    CEF field name: PanOSCortexDataLakeTenantID
    EMAIL field name: CortexDataLakeTenantID
    HTTPS field name: CortexDataLakeTenantID
    LEEF field name: CortexDataLakeTenantID

dest_device_class (DESTINATION DEVICE CLASS)
    Destination device class.
    CEF field name: PanOSDestinationDeviceClass
    EMAIL field name: DestinationDeviceClass
    HTTPS field name: DestinationDeviceClass
    LEEF field name: DestinationDeviceClass

dest_device_mac (DESTINATION DEVICE MAC)
    Destination device MAC address.
    CEF field name: PanOSDestinationDeviceMac
    EMAIL field name: DestinationDeviceMac
    HTTPS field name: DestinationDeviceMac
    LEEF field name: DestinationDeviceMac

dest_device_model (DESTINATION DEVICE MODEL)
    Destination device model.
    CEF field name: PanOSDestinationDeviceModel
    EMAIL field name: DestinationDeviceModel
    HTTPS field name: DestinationDeviceModel
    LEEF field name: DestinationDeviceModel

dest_device_os (DESTINATION DEVICE OS)
    Destination device OS type.
    CEF field name: PanOSDestinationDeviceOS
    EMAIL field name: DestinationDeviceOS
    HTTPS field name: DestinationDeviceOS
    LEEF field name: DestinationDeviceOS

dest_device_vendor (DESTINATION DEVICE VENDOR)
    Destination device vendor.
    CEF field name: PanOSDestinationDeviceVendor
    EMAIL field name: DestinationDeviceVendor
    HTTPS field name: DestinationDeviceVendor
    LEEF field name: DestinationDeviceVendor

dest_dynamic_address_group (DESTINATION DYNAMIC ADDRESS GROUP)
    The dynamic address group that Device-ID identifies as the destination for the traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDestinationDynamicAddressGroup
    EMAIL field name: DestinationDynamicAddressGroup
    HTTPS field name: DestinationDynamicAddressGroup
    LEEF field name: DestinationDynamicAddressGroup

dest_edl (DESTINATION EDL)
    The name of the external dynamic list that contains the destination IP address of the traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDestinationEDL
    EMAIL field name: DestinationEDL
    HTTPS field name: DestinationEDL
    LEEF field name: DestinationEDL

dest_ip.value (DESTINATION IP)
    Original destination IP address.
    Syslog field name: Syslog Field Order
    CEF fields: dst or c6a3
    EMAIL field name: DestinationIP
    HTTPS field name: DestinationIP
    LEEF field name: dst

dest_location (DESTINATION LOCATION)
    Destination country or internal region for private addresses.
    CEF field name: PanOSDestinationLocation
    EMAIL field name: DestinationLocation
    HTTPS field name: DestinationLocation
    LEEF field name: DestinationLocation

dest_port (DESTINATION PORT)
    Network traffic's destination port. If this value is 0, then the app is using its standard port.
    Syslog field name: Syslog Field Order
    CEF field name: dpt
    EMAIL field name: DestinationPort
    HTTPS field name: DestinationPort
    LEEF field name: dstPort

dest_user (DESTINATION USER)
    The username to which the network traffic was destined.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDestinationUser
    EMAIL field name: DestinationUser
    HTTPS field name: DestinationUser
    LEEF field name: DestinationUser

dest_user_info.domain (DESTINATION USER DOMAIN)
    Domain to which the Destination User belongs.
    CEF field name: PanOSDestinationUserDomain
    EMAIL field name: DestinationUserDomain
    HTTPS field name: DestinationUserDomain
    LEEF field name: DestinationUserDomain

dest_user_info.name (DESTINATION USER NAME)
    The Destination User. That is, the username to which the network traffic was destined.
    CEF field name: PanOSDestinationUserName
    EMAIL field name: DestinationUserName
    HTTPS field name: DestinationUserName
    LEEF field name: DestinationUserName

dest_user_info.uuid (DESTINATION USER UUID)
    Unique identifier assigned to the Destination User.
    CEF field name: PanOSDestinationUserUUID
    EMAIL field name: DestinationUserUUID
    HTTPS field name: DestinationUserUUID
    LEEF field name: DestinationUserUUID

dest_uuid (DESTINATION UUID)
    Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
    CEF field name: PanOSDestinationUUID
    EMAIL field name: DestinationUUID
    HTTPS field name: DestinationUUID
    LEEF field name: DestinationUUID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
    A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel1
    EMAIL field name: DGHierarchyLevel1
    HTTPS field name: DGHierarchyLevel1
    LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
    A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel2
    EMAIL field name: DGHierarchyLevel2
    HTTPS field name: DGHierarchyLevel2
    LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
    A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel3
    EMAIL field name: DGHierarchyLevel3
    HTTPS field name: DGHierarchyLevel3
    LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
    A sequence of identification numbers that indicate the device group's location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel4
    EMAIL field name: DGHierarchyLevel4
    HTTPS field name: DGHierarchyLevel4
    LEEF field name: DGHierarchyLevel4

diam_app_id (DIAM APP ID)
    The IANA ID assigned to the Diameter application associated with this network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDiamAppID
    EMAIL field name: DiamAppID
    HTTPS field name: DiamAppID
    LEEF field name: DiamAppID

diam_avp_code (DIAM AVP CODE)
    The AVP code used by the Diameter application associated with this network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDiamAvpCode
    EMAIL field name: DiamAvpCode
    HTTPS field name: DiamAvpCode
    LEEF field name: DiamAvpCode

diam_cmd_code (DIAMETER COMMAND CODE)
    The Diameter command code used by this network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDiameterCommandCode
    EMAIL field name: DiameterCommandCode
    HTTPS field name: DiameterCommandCode
    LEEF field name: DiameterCommandCode

ep_assoc_id (ENDPOINT ASSOCIATION ID)
    The ID assigned to the endpoint association used for the SCTP network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSEndpointAssociationID
    EMAIL field name: EndpointAssociationID
    HTTPS field name: EndpointAssociationID
    LEEF field name: EndpointAssociationID

event_code (EVENT CODE)
    The SCTP event notification code set for this message.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSEventCode
    EMAIL field name: EventCode
    HTTPS field name: EventCode
    LEEF field name: EventCode

event_type.value (SCTP EVENT TYPE)
    The SCTP event notification type set for this message.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSCTPEventType
    EMAIL field name: SCTPEventType
    HTTPS field name: SCTPEventType
    LEEF field name: SCTPEventType

from_zone (FROM ZONE)
    The networking zone from which the traffic originated.
    Syslog field name: Syslog Field Order
    CEF field name: cs4
    EMAIL field name: FromZone
    HTTPS field name: FromZone
    LEEF field name: FromZone

inbound_if.value (INBOUND INTERFACE)
    Interface from which the network traffic was sourced.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSInboundInterface
    EMAIL field name: InboundInterface
    HTTPS field name: InboundInterface
    LEEF field name: InboundInterface

inbound_if_details.port (INBOUND INTERFACE DETAILS PORT)
    Hardware port or socket from which the network traffic was sourced.
    CEF field name: PanOSInboundInterfaceDetailsPort
    EMAIL field name: InboundInterfaceDetailsPort
    HTTPS field name: InboundInterfaceDetailsPort
    LEEF field name: InboundInterfaceDetailsPort

inbound_if_details.slot (INBOUND INTERFACE DETAILS SLOT)
    Interface slot from which the network traffic was sourced.
    CEF field name: PanOSInboundInterfaceDetailsSlot
    EMAIL field name: InboundInterfaceDetailsSlot
    HTTPS field name: InboundInterfaceDetailsSlot
    LEEF field name: InboundInterfaceDetailsSlot

inbound_if_details.type.value (INBOUND INTERFACE DETAILS TYPE)
    The type of interface from which the network traffic was sourced.
    CEF field name: PanOSInboundInterfaceDetailsType
    EMAIL field name: InboundInterfaceDetailsType
    HTTPS field name: InboundInterfaceDetailsType
    LEEF field name: InboundInterfaceDetailsType

inbound_if_details.unit (INBOUND INTERFACE DETAILS UNIT)
    Internal use.
    CEF field name: PanOSInboundInterfaceDetailsUnit
    EMAIL field name: InboundInterfaceDetailsUnit
    HTTPS field name: InboundInterfaceDetailsUnit
    LEEF field name: InboundInterfaceDetailsUnit

is_captive_portal (CAPTIVE PORTAL)
    Indicates whether user information for the session was captured through Captive Portal.
    CEF field name: PanOSCaptivePortal
    EMAIL field name: CaptivePortal
    HTTPS field name: CaptivePortal
    LEEF field name: CaptivePortal

is_client_to_server (IS CLIENT TO SERVER)
    Indicates whether the direction of traffic is from client to server.
    CEF field name: PanOSIsClienttoServer
    EMAIL field name: IsClienttoServer
    HTTPS field name: IsClienttoServer
    LEEF field name: IsClienttoServer

is_container (IS CONTAINER)
    Indicates whether the session is a container page access (Container Page).
    CEF field name: PanOSIsContainer
    EMAIL field name: IsContainer
    HTTPS field name: IsContainer
    LEEF field name: IsContainer

is_decrypt_mirror (IS DECRYPT MIRROR)
    Indicates whether decrypted traffic was sent out in clear text through a mirror port.
    CEF field name: PanOSIsDecryptMirror
    EMAIL field name: IsDecryptMirror
    HTTPS field name: IsDecryptMirror
    LEEF field name: IsDecryptMirror

is_decrypted_payload_fwded (IS DECRYPTED PAYLOAD FORWARD)
    Unknown field. No information is available at this time.
    CEF field name: PanOSIsDecryptedPayloadForward
    EMAIL field name: IsDecryptedPayloadForward
    HTTPS field name: IsDecryptedPayloadForward
    LEEF field name: IsDecryptedPayloadForward

is_decryption_log (IS DECRYPTED LOG)
    Unknown field. No information is available at this time.
    CEF field name: PanOSIsDecryptedLog
    EMAIL field name: IsDecryptedLog
    HTTPS field name: IsDecryptedLog
    LEEF field name: IsDecryptedLog

is_dup_log (IS DUPLICATE LOG)
    Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
    CEF field name: PanOSIsDuplicateLog
    EMAIL field name: IsDuplicateLog
    HTTPS field name: IsDuplicateLog
    LEEF field name: IsDuplicateLog

is_exported (LOG EXPORTED)
    Indicates whether this log was exported from the firewall using the firewall's log export function.
    CEF field name: PanOSLogExported
    EMAIL field name: LogExported
    HTTPS field name: LogExported
    LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
    Internal-use field that indicates whether the log is being forwarded.
    CEF field name: PanOSLogForwarded
    EMAIL field name: LogForwarded
    HTTPS field name: LogForwarded
    LEEF field name: LogForwarded

is_ipv6 (IS IPV6)
    Indicates whether IPv6 was used for the session.
    CEF field name: PanOSIsIPV6
    EMAIL field name: IsIPV6
    HTTPS field name: IsIPV6
    LEEF field name: IsIPV6

is_l7_inspection_b4_session (IS INSPECTION BEFORE SESSION)
    Unknown field. No information is available at this time.
    CEF field name: PanOSIsInspectrionBeforeSession
    EMAIL field name: All of the following: IsInspectionBeforeSession, IsInspectrionBeforeSession
    HTTPS field name: All of the following: IsInspectionBeforeSession, IsInspectrionBeforeSession
    LEEF field name: IsInspectrionBeforeSession

is_mptcp_on (IS MPTCP ON)
    Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
    CEF field name: PanOSIsMptcpOn
    EMAIL field name: IsMptcpOn
    HTTPS field name: IsMptcpOn
    LEEF field name: IsMptcpOn

is_nat (NAT)
    Indicates whether the firewall is performing network address translation (NAT) for the logged traffic.
    CEF field name: PanOSNAT
    EMAIL field name: NAT
    HTTPS field name: NAT
    LEEF field name: NAT

is_non_std_dest_port (IS NON STANDARD DESTINATION PORT)
    Indicates whether the destination port is non-standard.
    CEF field name: PanOSIsNonStandardDestinationPort
    EMAIL field name: IsNonStandardDestinationPort
    HTTPS field name: IsNonStandardDestinationPort
    LEEF field name: IsNonStandardDestinationPort

is_packet_capture (IS PACKET CAPTURE)
    Indicates whether the session has a packet capture (PCAP).
    CEF field name: PanOSIsPacketCapture
    EMAIL field name: IsPacketCapture
    HTTPS field name: IsPacketCapture
    LEEF field name: IsPacketCapture

is_phishing (IS PHISHING)
    Indicates whether enterprise credentials were submitted by an end user.
    CEF field name: PanOSIsPhishing
    EMAIL field name: IsPhishing
    HTTPS field name: IsPhishing
    LEEF field name: IsPhishing

is_prisma_branch (IS PRISMA NETWORK)
    Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
    CEF field name: PanOSIsPrismaNetwork
    EMAIL field name: IsPrismaNetwork
    HTTPS field name: IsPrismaNetwork
    LEEF field name: IsPrismaNetwork

is_prisma_mobile (IS PRISMA USERS)
    Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
    CEF field name: PanOSIsPrismaUsers
    EMAIL field name: IsPrismaUsers
    HTTPS field name: IsPrismaUsers
    LEEF field name: IsPrismaUsers

is_proxy (IS PROXY)
    Indicates whether the SSL session is decrypted (SSL Proxy).
    CEF field name: PanOSIsProxy
    EMAIL field name: IsProxy
    HTTPS field name: IsProxy
    LEEF field name: IsProxy

is_recon_excluded (IS RECON EXCLUDED)
    Indicates whether the source of the flow is on the firewall allow list and therefore not subject to recon protection.
    CEF field name: PanOSIsReconExcluded
    EMAIL field name: IsReconExcluded
    HTTPS field name: IsReconExcluded
    LEEF field name: IsReconExcluded

is_server_to_client (IS SERVER TO CLIENT)
    Indicates whether the direction of traffic is from server to client.
    CEF field name: PanOSIsServertoClient
    EMAIL field name: IsServertoClient
    HTTPS field name: IsServertoClient
    LEEF field name: IsServertoClient

is_source_x_fwded (IS SOURCE X FORWARDED)
    Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
    CEF field name: PanOSIsSourceXForwarded
    EMAIL field name: IsSourceXForwarded
    HTTPS field name: IsSourceXForwarded
    LEEF field name: IsSourceXForwarded

is_sym_return (IS SYSTEM RETURN)
    Indicates whether symmetric return was used to forward traffic for this session.
    CEF field name: PanOSIsSystemReturn
    EMAIL field name: IsSystemReturn
    HTTPS field name: IsSystemReturn
    LEEF field name: IsSystemReturn

is_transaction (IS TRANSACTION)
    Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
    CEF field name: PanOSIsTransaction
    EMAIL field name: IsTransaction
    HTTPS field name: IsTransaction
    LEEF field name: IsTransaction

is_tunnel_inspected (IS TUNNEL INSPECTED)
    Indicates whether the payload for the outer tunnel was inspected.
    CEF field name: PanOSIsTunnelInspected
    EMAIL field name: IsTunnelInspected
    HTTPS field name: IsTunnelInspected
    LEEF field name: IsTunnelInspected

is_url_denied (IS URL DENIED)
    Indicates whether the session was denied due to a URL filtering rule.
    CEF field name: PanOSIsURLDenied
    EMAIL field name: IsURLDenied
    HTTPS field name: IsURLDenied
    LEEF field name: IsURLDenied

log_set (LOG SETTING)
    Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
    Syslog field name: Syslog Field Order
    CEF field name: cs6
    EMAIL field name: LogSetting
    HTTPS field name: LogSetting
    LEEF field name: LogSetting

log_source (LOG SOURCE)
    Identifies the origin of the data. That is, the system that produced the data.
    CEF field name: PanOSLogSource
    EMAIL field name: LogSource
    HTTPS field name: LogSource
    LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
    ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
    CEF field name: LogSourceGroupID
    EMAIL field name: LogSourceGroupID
    HTTPS field name: LogSourceGroupID
    LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
    ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
    If the log is generated by Prisma Access, the serial number is not displayed.
    Syslog field name: Syslog Field Order
    CEF field name: deviceExternalId
    EMAIL field name: DeviceSN
    HTTPS field name: DeviceSN
    LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
    Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: dvchost
    EMAIL field name: DeviceName
    HTTPS field name: DeviceName
    LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
    Time zone offset from GMT of the source of the log.
    CEF field name: PanOSLogSourceTimeZoneOffset
    EMAIL field name: LogSourceTimeZoneOffset
    HTTPS field name: LogSourceTimeZoneOffset
    LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
    Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: rt
    EMAIL field name: TimeReceived
    HTTPS field name: TimeReceived
    LEEF field name: TimeReceived

log_type.value (LOG TYPE)
    Identifies the log type.
    Syslog field name: Syslog Field Order
    CEF field name: Device Event Class ID
    EMAIL field name: LogType
    HTTPS field name: LogType
    LEEF field name: cat

map_op_code (MAP APP CODE)
    Mobile Application Part (MAP) operation code used for this network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSMapAppCode
    EMAIL field name: MapAppCode
    HTTPS field name: MapAppCode
    LEEF field name: MapAppCode

nat_dest.value (NAT DESTINATION)
    If destination NAT was performed, the post-NAT destination IP address.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSNATDestination
    EMAIL field name: NATDestination
    HTTPS field name: NATDestination
    LEEF field name: NATDestination

nat_dest_port (NAT DESTINATION PORT)
    Post-NAT destination port.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSNATDestinationPort
    EMAIL field name: NATDestinationPort
    HTTPS field name: NATDestinationPort
    LEEF field name: NATDestinationPort

nat_source.value (NAT SOURCE)
    If source NAT was performed, the post-NAT source IP address.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSNATSource
    EMAIL field name: NATSource
    HTTPS field name: NATSource
    LEEF field name: NATSource

nat_source_port (NAT SOURCE PORT)
    Post-NAT source port.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSNATSourcePort
    EMAIL field name: NATSourcePort
    HTTPS field name: NATSourcePort
    LEEF field name: NATSourcePort

outbound_if.value (OUTBOUND INTERFACE)
    Interface to which the network traffic was destined.
    Syslog field name: Syslog Field Order
    CEF field name: deviceOutboundInterface
    EMAIL field name: OutboundInterface
    HTTPS field name: OutboundInterface
    LEEF field name: OutboundInterface

outbound_if_details.port (OUTBOUND INTERFACE DETAILS PORT)
    Hardware port or socket to which the network traffic was sent.
    CEF field name: PanOSOutboundInterfaceDetailsPort
    EMAIL field name: OutboundInterfaceDetailsPort
    HTTPS field name: OutboundInterfaceDetailsPort
    LEEF field name: OutboundInterfaceDetailsPort

outbound_if_details.slot (OUTBOUND INTERFACE DETAILS SLOT)
    Interface slot to which the network traffic was sent.
    CEF field name: PanOSOutboundInterfaceDetailsSlot
    EMAIL field name: OutboundInterfaceDetailsSlot
    HTTPS field name: OutboundInterfaceDetailsSlot
    LEEF field name: OutboundInterfaceDetailsSlot

outbound_if_details.type.value (OUTBOUND INTERFACE DETAILS TYPE)
    The type of interface to which the network traffic was sent.
    CEF field name: PanOSOutboundInterfaceDetailsType
    EMAIL field name: OutboundInterfaceDetailsType
    HTTPS field name: OutboundInterfaceDetailsType
    LEEF field name: OutboundInterfaceDetailsType

outbound_if_details.unit (OUTBOUND INTERFACE DETAILS UNIT)
    Internal use.
    CEF field name: PanOSOutboundInterfaceDetailsUnit
    EMAIL field name: OutboundInterfaceDetailsUnit
    HTTPS field name: OutboundInterfaceDetailsUnit
    LEEF field name: OutboundInterfaceDetailsUnit

packets_received (PACKETS RECEIVED)
    Number of server-to-client packets for the session.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPacketsReceived
    EMAIL field name: PacketsReceived
    HTTPS field name: PacketsReceived
    LEEF field name: dstPackets

packets_sent (PACKETS SENT)
    Number of client-to-server packets for the session.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPacketsSent
    EMAIL field name: PacketsSent
    HTTPS field name: PacketsSent
    LEEF field name: srcPackets

packets_total (PACKETS TOTAL)
    Number of total packets (transmit and receive) seen for the session.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPacketsTotal
    EMAIL field name: PacketsTotal
    HTTPS field name: PacketsTotal
    LEEF field name: PacketsTotal

panorama_serial (PANORAMA SN)
    Panorama serial number associated with Cortex Data Lake.
    CEF field name: PanOSPanoramaSN
    EMAIL field name: PanoramaSN
    HTTPS field name: PanoramaSN
    LEEF field name: PanoramaSN

payload_protocol_id (PAYLOAD PROTOCOL ID)
    The Payload Protocol Identifier (PPID) associated with the SCTP data chunk.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPayloadProtocolID
    EMAIL field name: PayloadProtocolID
    HTTPS field name: PayloadProtocolID
    LEEF field name: PayloadProtocolID

platform_type (PLATFORM TYPE)
    The platform type. Valid types are VM, PA, NGFW, CNGFW.
    CEF field name: PlatformType
    EMAIL field name: PlatformType
    HTTPS field name: PlatformType
    LEEF field name: PlatformType

pod_name (CONTAINER NAME)
    Container name.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSContainerName
    EMAIL field name: ContainerName
    HTTPS field name: ContainerName
    LEEF field name: ContainerName

pod_namespace (CONTAINER NAME SPACE)
    Container namespace.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSContainerNameSpace
    EMAIL field name: ContainerNameSpace
    HTTPS field name: ContainerNameSpace
    LEEF field name: ContainerNameSpace

protocol.value (PROTOCOL)
    IP protocol associated with the session.
    Syslog field name: Syslog Field Order
    CEF field name: proto
    EMAIL field name: Protocol
    HTTPS field name: Protocol
    LEEF field name: proto

rule_matched (RULE)
    Name of the security policy rule that the network traffic matched.
    Syslog field name: Syslog Field Order
    CEF field name: cs1
    EMAIL field name: Rule
    HTTPS field name: Rule
    LEEF field name: Rule

rule_matched_uuid (RULE UUID)
    Unique identifier for the security policy rule that the network traffic matched.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSRuleUUID
    EMAIL field name: RuleUUID
    HTTPS field name: RuleUUID
    LEEF field name: RuleUUID

sccp_calling_gt (SCCP CALLING GT)
    The Global Title (GT) specified in the called party address used for this SCCP protocol message.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSccpCallingGt
    EMAIL field name: SccpCallingGt
    HTTPS field name: SccpCallingGt
    LEEF field name: SccpCallingGt

sccp_calling_ssn (SCCP CALLING SSN)
    The subsystem number (SSN) specified in the called party address used for this SCCP protocol message.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSccpCallingSSN
    EMAIL field name: SccpCallingSSN
    HTTPS field name: SccpCallingSSN
    LEEF field name: SccpCallingSSN

sctp_cause_code (SCTP CAUSE CODE)
    The error cause code found in the SCTP message.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSctpCauseCode
    EMAIL field name: SctpCauseCode
    HTTPS field name: SctpCauseCode
    LEEF field name: SctpCauseCode

sctp_chunk_type (SCTP CHUNK TYPE)
    Type of information contained in the SCTP data chunk.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSctpChunkType
    EMAIL field name: SctpChunkType
    HTTPS field name: SctpChunkType
    LEEF field name: SctpChunkType

sctp_filter The SCTP filter that the firewall applied to this network
traffic.
(SCTP FILTER)
Syslog field name: Syslog Field Order
CEF field name: PanOSSctpFilter
EMAIL field name: SctpFilter
HTTPS field name: SctpFilter
LEEF field name: SctpFilter

sequence_no The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
(SEQUENCE NO)
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo

sess_owner_rt_midx Unknown field. No information is available at this time.
(SESSION OWNER MIDX)
CEF field name: PanOSSessionOwnerMidx
EMAIL field name: SessionOwnerMidx
HTTPS field name: SessionOwnerMidx
LEEF field name: SessionOwnerMidx

session_end_reason.value The reason a session terminated.
(SESSION END REASON)
CEF field name: PanOSSessionEndReason
EMAIL field name: SessionEndReason
HTTPS field name: SessionEndReason
LEEF field name: SessionEndReason

session_id Identifies the firewall's internal identifier for a specific network session.
(SESSION ID)
Syslog field name: Syslog Field Order
CEF field name: PanOSSessionID
EMAIL field name: SessionID
HTTPS field name: SessionID
LEEF field name: SessionID

session_tracker Unknown field. No information is available at this time.
(SESSION TRACKER)
CEF field name: PanOSSessionTracker
EMAIL field name: SessionTracker
HTTPS field name: SessionTracker
LEEF field name: SessionTracker

severity Severity as defined by the platform.
(SEVERITY)
CEF field name: PanOSSeverity
EMAIL field name: Severity
HTTPS field name: Severity
LEEF field name: Severity

source_device_class Source device class.
(SOURCE DEVICE CLASS)
CEF field name: PanOSSourceDeviceClass
EMAIL field name: SourceDeviceClass
HTTPS field name: SourceDeviceClass
LEEF field name: SourceDeviceClass

source_device_mac Source device MAC address.
(SOURCE DEVICE MAC)
CEF field name: PanOSSourceDeviceMac
EMAIL field name: SourceDeviceMac
HTTPS field name: SourceDeviceMac
LEEF field name: SourceDeviceMac

source_device_model Source device model.
(SOURCE DEVICE MODEL)
CEF field name: PanOSSourceDeviceModel
EMAIL field name: SourceDeviceModel
HTTPS field name: SourceDeviceModel
LEEF field name: SourceDeviceModel

source_device_os Source device OS type.
(SOURCE DEVICE OS)
CEF field name: PanOSSourceDeviceOS
EMAIL field name: SourceDeviceOS
HTTPS field name: SourceDeviceOS
LEEF field name: SourceDeviceOS

source_device_vendor Source device vendor.
(SOURCE DEVICE VENDOR)
CEF field name: PanOSSourceDeviceVendor
EMAIL field name: SourceDeviceVendor
HTTPS field name: SourceDeviceVendor
LEEF field name: SourceDeviceVendor

source_dynamic_address_group The dynamic address group that Device-ID identifies as the source of the traffic.
(SOURCE DYNAMIC ADDRESS GROUP)
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDynamicAddressGroup
EMAIL field name: SourceDynamicAddressGroup
HTTPS field name: SourceDynamicAddressGroup
LEEF field name: SourceDynamicAddressGroup

source_edl The name of the external dynamic list that contains the
source IP address of the traffic.
(SOURCE EDL)
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceEDL
EMAIL field name: SourceEDL
HTTPS field name: SourceEDL
LEEF field name: SourceEDL

source_ip.value Original source IP address.
(SOURCE IP)
Syslog field name: Syslog Field Order
CEF fields: src or c6a2
EMAIL field name: SourceIP
HTTPS field name: SourceIP
LEEF field name: src

source_location Source country or internal region for private addresses.
(SOURCE LOCATION)
CEF field name: PanOSSourceLocation
EMAIL field name: SourceLocation
HTTPS field name: SourceLocation
LEEF field name: SourceLocation

source_port Source port utilized by the session.
(SOURCE PORT)
Syslog field name: Syslog Field Order
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort

source_user The username that initiated the network traffic.
(SOURCE USER)
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceUser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: usrName

source_user_info.domain Domain to which the Source User belongs.
(SOURCE USER DOMAIN)
CEF field name: PanOSSourceUserDomain
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain

source_user_info.name The Source User. That is, the username that initiated
the network traffic.
(SOURCE USER NAME)
CEF field name: PanOSSourceUserName
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName

source_user_info.uuid Unique identifier assigned to the Source User.
(SOURCE USER UUID)
CEF field name: PanOSSourceUserUUID
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID

source_uuid Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
(SOURCE UUID)
CEF field name: PanOSSourceUUID
EMAIL field name: SourceUUID
HTTPS field name: SourceUUID
LEEF field name: SourceUUID

stream_id Identifies the firewall's internal identifier for the SCTP stream.
(STREAM ID)
Syslog field name: Syslog Field Order
CEF field name: PanOSStreamID
EMAIL field name: StreamID
HTTPS field name: StreamID
LEEF field name: StreamID

sub_type.value Identifies the log subtype.
(SUBTYPE)
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType

time_generated Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
(TIME GENERATED)
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
(TIME GENERATED HIGH RESOLUTION)
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

to_zone Networking zone to which the traffic was sent.
(TO ZONE)
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone

tunnel.value Type of tunnel.
(TUNNEL)
CEF field name: PanOSTunnel
EMAIL field name: Tunnel
HTTPS field name: Tunnel
LEEF field name: Tunnel

vendor_name Identifies the vendor that produced the data.
(VENDOR NAME)
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

vendor_severity.value Severity associated with the event.
(VENDOR SEVERITY)
Syslog field name: Syslog Field Order
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity

verification_tag_1 The verification tag set for the SCTP packet.
(VERIFICATION TAG 1)
Syslog field name: Syslog Field Order
CEF field name: PanOSVerificationTag1
EMAIL field name: VerificationTag1
HTTPS field name: VerificationTag1
LEEF field name: VerificationTag1

verification_tag_2 The verification tag set for the SCTP packet.
(VERIFICATION TAG 2)
Syslog field name: Syslog Field Order
CEF field name: PanOSVerificationTag2
EMAIL field name: VerificationTag2
HTTPS field name: VerificationTag2
LEEF field name: VerificationTag2

vsys String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
(VIRTUAL LOCATION)
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

vsys_id A unique identifier for a virtual system on a Palo Alto Networks firewall.
(VIRTUAL SYSTEM ID)
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name The name of the virtual system associated with the network traffic.
(VIRTUAL SYSTEM NAME)
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

SCTP Syslog Default Field Order

Example SCTP log in Syslog:

Oct 13 01:09:49 gke-standard-cluster-2-pool-1-6ea9f13a-g2z7 695 <142>1 2020-10-13T01:09:49.516Z
stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder
- panwlogs - 1,2020-10-13T01:09:43.000000Z,007051000113358,
SCTP,,,2020-10-13T01:09:35.000000Z,xxx.xx.x.xx,xxx.xx.x.xx,
xxx.xx.x.xx,xxx.xx.x.xx,allow-business-apps,,"xxxxx\xxxxx
o"xxxxxxxxxx"'"xxxxxxxxxx"test",mcafee-endpoint-encryption,
vsys1,untrust,ethernet4Zone-test1,,,rs-logging,,424904,1,21740,
17506,25019,4608,2048,tcp,drop-packet,0,0,0,0,,PA-VM,201003871,
-9223372036854775808,1705351682,12,Medium,255,authentication failure,
8,1565171669,192004283,0,-1,-1,0,0,,0,0,,,913,19,894,2628,1327,1301,
f8800078-8fac-4abf-98a0-77c96ef3ca36,1873cc5c-0d31,pns_default,pan-dp-77754f4,,,,,2020-10-13T01:09:36.365000Z

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value, rule_matched,
source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value, outbound_if.value,
log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port, nat_source_port,
nat_dest_port, flags, protocol.value, action.value, dg_hier_level_1, dg_hier_level_2,
dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, sequence_no, action_flags,
ep_assoc_id, payload_protocol_id, vendor_severity.value, sctp_chunk_type, event_type.value,
event_code, verification_tag_1, verification_tag_2, sctp_cause_code, diam_app_id,
diam_cmd_code, diam_avp_code, stream_id, association_end_reason.value, map_op_code,
sccp_calling_ssn, sccp_calling_gt, sctp_filter, chunks_total, chunks_sent, chunks_received,
packets_total, packets_sent, packets_received, rule_matched_uuid, container_id, pod_namespace,
pod_name, source_edl, dest_edl, source_dynamic_address_group, dest_dynamic_address_group,
time_generated_high_res

SCTP CEF Fields


Example SCTP log in CEF:

Mar 1 21:22:04 xxx.xx.x.xx 3429 <14>1 2021-03-01T21:22:04.531Z
stream-logfwd20-587718190-03011312-b28y-harness-x4nx
logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|
2.0|SCTP||9|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021
21:22:02 deviceExternalId=xxxxxxxxxxxxx PanOSCaptivePortal=
PanOSContentVersion= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx
PanOSDestinationDeviceClass= PanOSDestinationDeviceMac=
PanOSDestinationDeviceModel= PanOSDestinationDeviceOS=
PanOSDestinationDeviceVendor= PanOSDestinationLocation=IN
PanOSDestinationUUID= PanOSDestinationUserDomain=paloaltonetwork
PanOSDestinationUserName=xxxxx PanOSDestinationUserUUID=
PanOSInboundInterfaceDetailsPort=1
PanOSInboundInterfaceDetailsSlot=1
PanOSInboundInterfaceDetailsType=ethernet
PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=
PanOSIsContainer= PanOSIsDecryptMirror= PanOSIsDecryptedLog=
PanOSIsDecryptedPayloadForward= PanOSIsDuplicateLog=false
PanOSIsIPV6= PanOSIsInspectrionBeforeSession=
PanOSIsMptcpOn= PanOSIsNonStandardDestinationPort=
PanOSIsPacketCapture= PanOSIsPhishing= PanOSIsPrismaNetwork=false
PanOSIsPrismaUsers=false PanOSIsProxy= PanOSIsReconExcluded=
PanOSIsServertoClient= PanOSIsSourceXForwarded=
PanOSIsSystemReturn= PanOSIsTransaction= PanOSIsTunnelInspected=
PanOSIsURLDenied= PanOSLogExported=false PanOSLogForwarded=true
PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset=
PanOSNAT= PanOSOutboundInterfaceDetailsPort=2
PanOSOutboundInterfaceDetailsSlot=1
PanOSOutboundInterfaceDetailsType=ethernet
PanOSOutboundInterfaceDetailsUnit=0 PanOSSessionEndReason=
PanOSSessionOwnerMidx= PanOSSessionTracker= PanOSSeverity=Critical
PanOSSourceDeviceClass= PanOSSourceDeviceMac=
PanOSSourceDeviceModel= PanOSSourceDeviceOS=
PanOSSourceDeviceVendor= PanOSSourceLocation=US
PanOSSourceUUID= PanOSSourceUserDomain=paloaltonetwork
PanOSSourceUserName=xxxxx PanOSSourceUserUUID= PanOSTunnel=N/A
PanOSVirtualSystemID=1 PanOSConfigVersion= start=Mar 01 2021
21:22:02 src=xxx.xx.x.xx dst=xxx.xx.x.xx PanOSNATSource=xxx.xx.x.xx
PanOSNATDestination=xxx.xx.x.xx cs1=allow-business-apps
cs1Label=Rule PanOSSourceUser=paloaltonetwork\\xxxxx
PanOSDestinationUser=paloaltonetworkxxxxx PanOSApplication=panorama
cs3=vsys1 cs3Label=VirtualLocation cs4=corporate cs4Label=FromZone
cs5=untrust cs5Label=ToZone PanOSInboundInterface=ethernet1/1
deviceOutboundInterface=ethernet1/2 cs6=test cs6Label=LogSetting
PanOSSessionID=391582 cnt=1 spt=3033 dpt=5496
PanOSNATSourcePort=26714 PanOSNATDestinationPort=15054 proto=tcp
act=alert PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0
PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0
PanOSVirtualSystemName= dvchost=PA-5220 externalId=xxxxxxxxxxxxx
PanOSEndpointAssociationID=2086888838 PanOSPayloadProtocolID=-1
PanOSSctpChunkType=9 PanOSSCTPEventType=Kerberos single sign-on
failed PanOSEventCode=3 PanOSVerificationTag1=0x3bae3042
PanOSVerificationTag2=0x1911015e PanOSSctpCauseCode=0
PanOSDiamAppID=-1 PanOSDiameterCommandCode=-1 PanOSDiamAvpCode=0
PanOSStreamID=0 PanOSAssocationEndReason= PanOSMapAppCode=0
PanOSSccpCallingSSN=0 PanOSSccpCallingGt= PanOSSctpFilter=
PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0
PanOSPacketsTotal=0 PanOSPacketsSent=0 PanOSPacketsReceived=0
PanOSRuleUUID= PanOSContainerID= PanOSContainerNameSpace=
PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL=
PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup=
PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12

The following table identifies the SCTP field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name Field Details

act Query Name: action.value
Header Type: Predefined
Max Length: 63

PanOSApplication Query Name: app
Header Type: Custom

PanOSAssocationEndReason Query Name: association_end_reason.value
Header Type: Custom

PanOSChunksReceived Query Name: chunks_received
Header Type: Custom

PanOSChunksSent Query Name: chunks_sent
Header Type: Custom

PanOSChunksTotal Query Name: chunks_total
Header Type: Custom

PanOSConfigVersion Query Name: config_version.value
Header Type: Custom

PanOSContainerID Query Name: container_id
Header Type: Custom

PanOSContentVersion Query Name: content_version
Header Type: Custom

cnt Query Name: count_of_repeats
Header Type: Predefined

PanOSCortexDataLakeTenantID Query Name: customer_id
Header Type: Custom

PanOSDestinationDeviceClass Query Name: dest_device_class
Header Type: Custom

PanOSDestinationDeviceMac Query Name: dest_device_mac
Header Type: Custom

PanOSDestinationDeviceModel Query Name: dest_device_model
Header Type: Custom

PanOSDestinationDeviceOS Query Name: dest_device_os
Header Type: Custom

PanOSDestinationDeviceVendor Query Name: dest_device_vendor
Header Type: Custom

PanOSDestinationDynamicAddressGroup Query Name: dest_dynamic_address_group
Header Type: Custom

PanOSDestinationEDL Query Name: dest_edl
Header Type: Custom

dst or c6a3 Query Name: dest_ip.value
Header Type: Predefined
Label: || c6a3Label
Label Text: || Destination IPv6 Address

PanOSDestinationLocation Query Name: dest_location
Header Type: Custom

dpt Query Name: dest_port
Header Type: Predefined

PanOSDestinationUser Query Name: dest_user
Header Type: Custom

PanOSDestinationUserDomain Query Name: dest_user_info.domain
Header Type: Custom

PanOSDestinationUserName Query Name: dest_user_info.name
Header Type: Custom

PanOSDestinationUserUUID Query Name: dest_user_info.uuid
Header Type: Custom

PanOSDestinationUUID Query Name: dest_uuid
Header Type: Custom

PanOSDGHierarchyLevel1 Query Name: dg_hier_level_1
Header Type: Custom

PanOSDGHierarchyLevel2 Query Name: dg_hier_level_2
Header Type: Custom

PanOSDGHierarchyLevel3 Query Name: dg_hier_level_3
Header Type: Custom

PanOSDGHierarchyLevel4 Query Name: dg_hier_level_4
Header Type: Custom

PanOSDiamAppID Query Name: diam_app_id
Header Type: Custom

PanOSDiamAvpCode Query Name: diam_avp_code
Header Type: Custom

PanOSDiameterCommandCode Query Name: diam_cmd_code
Header Type: Custom

PanOSEndpointAssociationID Query Name: ep_assoc_id
Header Type: Custom

PanOSEventCode Query Name: event_code
Header Type: Custom

PanOSSCTPEventType Query Name: event_type.value
Header Type: Custom

cs4 Query Name: from_zone
Header Type: Predefined
Label: cs4Label
Label Text: FromZone
Max Length: 4000

PanOSInboundInterface Query Name: inbound_if.value
Header Type: Custom

PanOSInboundInterfaceDetailsPort Query Name: inbound_if_details.port
Header Type: Custom

PanOSInboundInterfaceDetailsSlot Query Name: inbound_if_details.slot
Header Type: Custom

PanOSInboundInterfaceDetailsType Query Name: inbound_if_details.type.value
Header Type: Custom

PanOSInboundInterfaceDetailsUnit Query Name: inbound_if_details.unit
Header Type: Custom

PanOSCaptivePortal Query Name: is_captive_portal
Header Type: Custom

PanOSIsClienttoServer Query Name: is_client_to_server
Header Type: Custom

PanOSIsContainer Query Name: is_container
Header Type: Custom

PanOSIsDecryptMirror Query Name: is_decrypt_mirror
Header Type: Custom

PanOSIsDecryptedPayloadForward Query Name: is_decrypted_payload_fwded
Header Type: Custom

PanOSIsDecryptedLog Query Name: is_decryption_log
Header Type: Custom

PanOSIsDuplicateLog Query Name: is_dup_log
Header Type: Custom

PanOSLogExported Query Name: is_exported
Header Type: Custom

PanOSLogForwarded Query Name: is_forwarded
Header Type: Custom

PanOSIsIPV6 Query Name: is_ipv6
Header Type: Custom

PanOSIsInspectrionBeforeSession Query Name: is_l7_inspection_b4_session
Header Type: Custom

PanOSIsMptcpOn Query Name: is_mptcp_on
Header Type: Custom

PanOSNAT Query Name: is_nat
Header Type: Custom

PanOSIsNonStandardDestinationPort Query Name: is_non_std_dest_port
Header Type: Custom

PanOSIsPacketCapture Query Name: is_packet_capture
Header Type: Custom

PanOSIsPhishing Query Name: is_phishing
Header Type: Custom

PanOSIsPrismaNetwork Query Name: is_prisma_branch
Header Type: Custom

PanOSIsPrismaUsers Query Name: is_prisma_mobile
Header Type: Custom

PanOSIsProxy Query Name: is_proxy
Header Type: Custom

PanOSIsReconExcluded Query Name: is_recon_excluded
Header Type: Custom

PanOSIsServertoClient Query Name: is_server_to_client
Header Type: Custom

PanOSIsSourceXForwarded Query Name: is_source_x_fwded
Header Type: Custom

PanOSIsSystemReturn Query Name: is_sym_return
Header Type: Custom

PanOSIsTransaction Query Name: is_transaction
Header Type: Custom

PanOSIsTunnelInspected Query Name: is_tunnel_inspected
Header Type: Custom

PanOSIsURLDenied Query Name: is_url_denied
Header Type: Custom

cs6 Query Name: log_set
Header Type: Predefined
Label: cs6Label
Label Text: LogSetting
Max Length: 4000

PanOSLogSource Query Name: log_source
Header Type: Custom

LogSourceGroupID Query Name: log_source_group_id
Header Type: Custom
Max Length: 255

deviceExternalId Query Name: log_source_id
Header Type: Predefined
Max Length: 255

dvchost Query Name: log_source_name
Header Type: Predefined
Max Length: 100

PanOSLogSourceTimeZoneOffset Query Name: log_source_tz_offset
Header Type: Custom

rt Query Name: log_time
Header Type: Predefined

Device Event Class ID Query Name: log_type.value
Header Type: Custom

PanOSMapAppCode Query Name: map_op_code
Header Type: Custom

PanOSNATDestination Query Name: nat_dest.value
Header Type: Custom

PanOSNATDestinationPort Query Name: nat_dest_port
Header Type: Custom

PanOSNATSource Query Name: nat_source.value
Header Type: Custom

PanOSNATSourcePort Query Name: nat_source_port
Header Type: Custom

deviceOutboundInterface Query Name: outbound_if.value
Header Type: Predefined
Max Length: 128

PanOSOutboundInterfaceDetailsPort Query Name: outbound_if_details.port
Header Type: Custom

PanOSOutboundInterfaceDetailsSlot Query Name: outbound_if_details.slot
Header Type: Custom

PanOSOutboundInterfaceDetailsType Query Name: outbound_if_details.type.value
Header Type: Custom

PanOSOutboundInterfaceDetailsUnit Query Name: outbound_if_details.unit
Header Type: Custom

PanOSPacketsReceived Query Name: packets_received
Header Type: Custom

PanOSPacketsSent Query Name: packets_sent
Header Type: Custom

PanOSPacketsTotal Query Name: packets_total
Header Type: Custom

PanOSPanoramaSN Query Name: panorama_serial
Header Type: Custom

PanOSPayloadProtocolID Query Name: payload_protocol_id
Header Type: Custom

PlatformType Query Name: platform_type
Header Type: Custom

PanOSContainerName Query Name: pod_name
Header Type: Custom

PanOSContainerNameSpace Query Name: pod_namespace
Header Type: Custom

proto Query Name: protocol.value
Header Type: Predefined
Max Length: 31

cs1 Query Name: rule_matched
Header Type: Predefined
Label: cs1Label
Label Text: Rule
Max Length: 4000

PanOSRuleUUID Query Name: rule_matched_uuid
Header Type: Custom

PanOSSccpCallingGt Query Name: sccp_calling_gt
Header Type: Custom

PanOSSccpCallingSSN Query Name: sccp_calling_ssn
Header Type: Custom

PanOSSctpCauseCode Query Name: sctp_cause_code
Header Type: Custom

PanOSSctpChunkType Query Name: sctp_chunk_type
Header Type: Custom

PanOSSctpFilter Query Name: sctp_filter
Header Type: Custom

externalId Query Name: sequence_no
Header Type: Predefined
Max Length: 40

PanOSSessionOwnerMidx Query Name: sess_owner_rt_midx
Header Type: Custom

PanOSSessionEndReason Query Name: session_end_reason.value
Header Type: Custom

PanOSSessionID Query Name: session_id
Header Type: Custom

PanOSSessionTracker Query Name: session_tracker
Header Type: Custom

PanOSSeverity Query Name: severity
Header Type: Custom

PanOSSourceDeviceClass Query Name: source_device_class
Header Type: Custom

PanOSSourceDeviceMac Query Name: source_device_mac
Header Type: Custom

PanOSSourceDeviceModel Query Name: source_device_model
Header Type: Custom

PanOSSourceDeviceOS Query Name: source_device_os
Header Type: Custom

PanOSSourceDeviceVendor Query Name: source_device_vendor
Header Type: Custom

PanOSSourceDynamicAddressGroup Query Name: source_dynamic_address_group
Header Type: Custom

PanOSSourceEDL Query Name: source_edl
Header Type: Custom

src or c6a2 Query Name: source_ip.value
Header Type: Predefined
Label: || c6a2Label
Label Text: || Source IPv6 Address

PanOSSourceLocation Query Name: source_location
Header Type: Custom

spt Query Name: source_port
Header Type: Predefined

PanOSSourceUser Query Name: source_user
Header Type: Custom

PanOSSourceUserDomain Query Name: source_user_info.domain
Header Type: Custom

PanOSSourceUserName Query Name: source_user_info.name
Header Type: Custom

PanOSSourceUserUUID Query Name: source_user_info.uuid
Header Type: Custom

PanOSSourceUUID Query Name: source_uuid
Header Type: Custom

PanOSStreamID Query Name: stream_id
Header Type: Custom

Name Query Name: sub_type.value
Header Type: Custom

start Query Name: time_generated
Header Type: Predefined

PanOSTimeGeneratedHighResolution Query Name: time_generated_high_res
Header Type: Custom

cs5 Query Name: to_zone
Header Type: Predefined
Label: cs5Label
Label Text: ToZone
Max Length: 4000

PanOSTunnel Query Name: tunnel.value
Header Type: Custom

Device Vendor Query Name: vendor_name
Header Type: Custom

PanOSVendorSeverity Query Name: vendor_severity.value
Header Type: Custom

PanOSVerificationTag1 Query Name: verification_tag_1
Header Type: Custom

PanOSVerificationTag2 Query Name: verification_tag_2
Header Type: Custom

cs3 Query Name: vsys
Header Type: Predefined
Label: cs3Label
Label Text: VirtualLocation
Max Length: 4000

PanOSVirtualSystemID Query Name: vsys_id
Header Type: Custom

PanOSVirtualSystemName Query Name: vsys_name
Header Type: Custom
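The Syslog default field order above is purely positional, while the CEF table maps named keys to query names. As an added example (not part of this reference or of the Log Forwarding app), the following Python normalises one SCTP event delivered in each format to the schema's query names and checks that both renderings describe the same session. The sample lines are constructed, CEF_TO_QUERY covers only the predefined keys plus the PanOS keys the sample uses, and the header slot names other than vendor_name, log_type.value and sub_type.value are labels chosen here.

```python
"""Normalise SCTP logs delivered as Syslog (default field order) and as CEF into this
schema's query names, and correlate the two. Added example, not Palo Alto Networks code."""
import csv
import io
import re

# Default Syslog field order from the reference; HEADER and EMPTY carry no query name.
SYSLOG_SCTP_FIELD_ORDER = (
    "HEADER log_time log_source_id log_type.value sub_type.value config_version.value "
    "time_generated source_ip.value dest_ip.value nat_source.value nat_dest.value rule_matched "
    "source_user dest_user app vsys from_zone to_zone inbound_if.value outbound_if.value "
    "log_set EMPTY session_id count_of_repeats source_port dest_port nat_source_port "
    "nat_dest_port flags protocol.value action.value dg_hier_level_1 dg_hier_level_2 "
    "dg_hier_level_3 dg_hier_level_4 vsys_name log_source_name sequence_no action_flags "
    "ep_assoc_id payload_protocol_id vendor_severity.value sctp_chunk_type event_type.value "
    "event_code verification_tag_1 verification_tag_2 sctp_cause_code diam_app_id diam_cmd_code "
    "diam_avp_code stream_id association_end_reason.value map_op_code sccp_calling_ssn "
    "sccp_calling_gt sctp_filter chunks_total chunks_sent chunks_received packets_total "
    "packets_sent packets_received rule_matched_uuid container_id pod_namespace pod_name "
    "source_edl dest_edl source_dynamic_address_group dest_dynamic_address_group "
    "time_generated_high_res"
).split()
# CEF key -> query name per the reference's CEF table (predefined keys plus the PanOS keys used here).
CEF_TO_QUERY = {
    "act": "action.value", "cnt": "count_of_repeats", "dst": "dest_ip.value", "c6a3": "dest_ip.value",
    "dpt": "dest_port", "cs4": "from_zone", "cs6": "log_set", "deviceExternalId": "log_source_id",
    "dvchost": "log_source_name", "rt": "log_time", "deviceOutboundInterface": "outbound_if.value",
    "proto": "protocol.value", "cs1": "rule_matched", "externalId": "sequence_no", "cs3": "vsys",
    "src": "source_ip.value", "c6a2": "source_ip.value", "spt": "source_port", "cs5": "to_zone",
    "start": "time_generated", "PanOSSourceUser": "source_user", "PanOSSessionID": "session_id",
    "PanOSSctpChunkType": "sctp_chunk_type", "PanOSSCTPEventType": "event_type.value",
    "PanOSEventCode": "event_code", "PanOSVerificationTag1": "verification_tag_1",
    "PanOSVerificationTag2": "verification_tag_2", "PanOSCaptivePortal": "is_captive_portal",
}
# CEF header slots; Device Vendor, Device Event Class ID and Name have query names (see table).
CEF_HEADER = ("cef_version", "vendor_name", "device_product", "device_version",
              "log_type.value", "sub_type.value", "cef_severity")


def parse_syslog_sctp(payload):
    """Map the comma-separated MSG part of a Syslog line onto query names by position;
    the csv module handles quoted fields such as a DOMAIN\\user name."""
    row = next(csv.reader(io.StringIO(payload)))
    if len(row) != len(SYSLOG_SCTP_FIELD_ORDER):
        raise ValueError(f"expected {len(SYSLOG_SCTP_FIELD_ORDER)} fields, got {len(row)}")
    return {k: v for k, v in zip(SYSLOG_SCTP_FIELD_ORDER, row) if k not in ("HEADER", "EMPTY")}


def _cef_unescape(text):
    # CEF escapes: '\\' -> '\', '\=' -> '=', '\|' -> '|', '\n' and '\r' -> line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), text)


def parse_cef_sctp(line):
    """Parse 'CEF:0|...|extension'. Extension values may contain spaces, so keys are
    located by an unescaped '=' rather than by splitting the extension on whitespace."""
    header, cur, i = [], [], 0
    while i < len(line) and len(header) < len(CEF_HEADER):
        if line[i] == "\\" and i + 1 < len(line):  # keep escape pairs whole for _cef_unescape
            cur.append(line[i:i + 2]); i += 2; continue
        if line[i] == "|":
            header.append(_cef_unescape("".join(cur))); cur = []
        else:
            cur.append(line[i])
        i += 1
    if len(header) != len(CEF_HEADER) or header[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    out, ext = dict(zip(CEF_HEADER, header)), line[i:]
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        if not m[1].endswith("Label"):  # cs1Label etc. only name a custom string slot
            out[CEF_TO_QUERY.get(m[1], m[1])] = _cef_unescape(ext[m.end():end])
    return out


def mismatched_fields(syslog_rec, cef_rec):
    """Session-identifying query names whose values differ between the two renderings.
    Timestamps are excluded: Syslog carries ISO 8601, CEF rt/start 'Mon dd yyyy HH:MM:SS'."""
    keys = ("log_source_id", "session_id", "sequence_no", "rule_matched", "source_user",
            "sctp_chunk_type", "event_type.value", "verification_tag_1", "verification_tag_2")
    return [k for k in keys if syslog_rec.get(k) != cef_rec.get(k)]


# Constructed Syslog MSG part (text after the RFC 5424 header) with RFC 5737 addresses.
SYSLOG_SAMPLE = (
    "1,2021-03-01T21:22:04.000000Z,007051000113358,SCTP,,,2021-03-01T21:22:02.000000Z,"
    "192.0.2.10,198.51.100.20,203.0.113.5,198.51.100.20,allow-business-apps,"
    '"paloaltonetwork\\jdoe",,panorama,vsys1,corporate,untrust,ethernet1/1,ethernet1/2,'
    "test,,391582,1,3033,5496,26714,15054,0,tcp,alert,12,0,0,0,,PA-5220,6711379990526573312,0,"
    "2086888838,-1,Critical,9,Kerberos single sign-on failed,3,0x3bae3042,0x1911015e,"
    "0,-1,-1,0,0,,0,0,,,0,0,0,0,0,0" + "," * 9 + "2019-07-25T23:30:12.000000Z"
)
# Constructed CEF record of the same event: doubled backslash, empty value, multi-word value.
CEF_SAMPLE = (
    "CEF:0|Palo Alto Networks|LF|2.0|SCTP||9|rt=Mar 01 2021 21:22:02 "
    "deviceExternalId=007051000113358 PanOSCaptivePortal= start=Mar 01 2021 21:22:02 "
    "src=192.0.2.10 dst=198.51.100.20 cs1=allow-business-apps cs1Label=Rule "
    "PanOSSourceUser=paloaltonetwork\\\\jdoe cs3=vsys1 cs3Label=VirtualLocation "
    "PanOSSessionID=391582 cnt=1 spt=3033 dpt=5496 proto=tcp act=alert dvchost=PA-5220 "
    "externalId=6711379990526573312 PanOSSctpChunkType=9 PanOSSCTPEventType=Kerberos single "
    "sign-on failed PanOSEventCode=3 PanOSVerificationTag1=0x3bae3042 PanOSVerificationTag2=0x1911015e"
)
```

Splitting the CEF extension on spaces would cut the multi-word event type and the two timestamps into fragments, which is why the parser locates keys by their unescaped `=` instead.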

SCTP EMAIL Fields


Example SCTP log in EMAIL:

TimeReceived=2021-02-23T02:45:00.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=SCTP
Subtype=
ConfigVersion=
TimeGenerated=2021-02-23T02:45:00.000000Z
SourceIP=xxxxxxxxxxxx
DestinationIP=xxx.xx.x.xx
NATSource=xxx.xx.x.xx
NATDestination=xxx.xx.x.xx
Rule=allow-business-apps
SourceUser="paloaltonetwork\xxxxx"
DestinationUser=paloaltonetworkxxxxx
Application=panorama
VirtualLocation=vsys1
FromZone=corporate
ToZone=untrust
InboundInterface=ethernet1/1
OutboundInterface=ethernet1/2
LogSetting=test
SessionID=391582
RepeatCount=1
SourcePort=3033
DestinationPort=5496
NATSourcePort=26714
NATDestinationPort=15054
Protocol=tcp
Action=alert
DGHierarchyLevel1=12
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=PA-5220
SequenceNo=6711379990526573312
EndpointAssociationID=2086888838
PayloadProtocolID=-1
VendorSeverity=Critical
SctpChunkType=9
SCTPEventType=Kerberos single sign-on failed
EventCode=3
VerificationTag1=0x3bae3042
VerificationTag2=0x1911015e
SctpCauseCode=0
DiamAppID=-1
DiameterCommandCode=-1
DiamAvpCode=0
StreamID=0
AssocationEndReason=
MapAppCode=0
SccpCallingSSN=0
SccpCallingGt=
SctpFilter=
ChunksTotal=0
ChunksSent=0
ChunksReceived=0
PacketsTotal=0
PacketsSent=0
PacketsReceived=0
RuleUUID=
ContainerID=
ContainerNameSpace=
ContainerName=
SourceEDL=
DestinationEDL=
SourceDynamicAddressGroup=
DestinationDynamicAddressGroup=
TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z

The following table identifies the SCTP field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.

EMAIL Name Query Name

Action action.value

Application app

AssocationEndReason association_end_reason.value

ChunksReceived chunks_received

ChunksSent chunks_sent

ChunksTotal chunks_total

ConfigVersion config_version.value

ContainerID container_id

ContentVersion content_version

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceClass dest_device_class

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationIP dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DiamAppID diam_app_id

DiamAvpCode diam_avp_code

DiameterCommandCode diam_cmd_code

EndpointAssociationID ep_assoc_id

EventCode event_code

SCTPEventType event_type.value

FromZone from_zone

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecryptedPayloadForward is_decrypted_payload_fwded

IsDecryptedLog is_decryption_log

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsInspectionBeforeSession, IsInspectrionBeforeSession is_l7_inspection_b4_session

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MapAppCode map_op_code

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PacketsReceived packets_received

PacketsSent packets_sent

PacketsTotal packets_total

PanoramaSN panorama_serial

PayloadProtocolID payload_protocol_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

Protocol protocol.value

Rule rule_matched

RuleUUID rule_matched_uuid

SccpCallingGt sccp_calling_gt

SccpCallingSSN sccp_calling_ssn

SctpCauseCode sctp_cause_code

SctpChunkType sctp_chunk_type

SctpFilter sctp_filter

SequenceNo sequence_no

SessionOwnerMidx sess_owner_rt_midx

SessionEndReason session_end_reason.value

SessionID session_id

SessionTracker session_tracker

Severity severity

SourceDeviceClass source_device_class

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceIP source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

StreamID stream_id

Subtype sub_type.value

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

Tunnel tunnel.value

VendorName vendor_name

VendorSeverity vendor_severity.value

VerificationTag1 verification_tag_1

VerificationTag2 verification_tag_2

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

SCTP HTTPS Fields

The following table identifies the SCTP field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

Action action.value

Application app

AssocationEndReason association_end_reason.value

ChunksReceived chunks_received

ChunksSent chunks_sent

ChunksTotal chunks_total

ConfigVersion config_version.value

ContainerID container_id

ContentVersion content_version

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceClass dest_device_class

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationIP dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DiamAppID diam_app_id

DiamAvpCode diam_avp_code

DiameterCommandCode diam_cmd_code

EndpointAssociationID ep_assoc_id

EventCode event_code

SCTPEventType event_type.value

FromZone from_zone

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecryptedPayloadForward is_decrypted_payload_fwded

IsDecryptedLog is_decryption_log

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsInspectionBeforeSession, IsInspectrionBeforeSession is_l7_inspection_b4_session

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MapAppCode map_op_code

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PacketsReceived packets_received

PacketsSent packets_sent

PacketsTotal packets_total

PanoramaSN panorama_serial

PayloadProtocolID payload_protocol_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

Protocol protocol.value

Rule rule_matched

RuleUUID rule_matched_uuid

SccpCallingGt sccp_calling_gt

SccpCallingSSN sccp_calling_ssn

SctpCauseCode sctp_cause_code

SctpChunkType sctp_chunk_type

SctpFilter sctp_filter

SequenceNo sequence_no

SessionOwnerMidx sess_owner_rt_midx

SessionEndReason session_end_reason.value

SessionID session_id

SessionTracker session_tracker

Severity severity

SourceDeviceClass source_device_class

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceIP source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

StreamID stream_id

Subtype sub_type.value

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

Tunnel tunnel.value

VendorName vendor_name

VendorSeverity vendor_severity.value

VerificationTag1 verification_tag_1

VerificationTag2 verification_tag_2

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

SCTP LEEF Fields

Example SCTP log in LEEF:

Sep 21 07:09:02 gke-standard-cluster-2-pool-3-f004381a-0gw6
1557 <14>1 2021-09-21T07:09:02.763Z stream-logfwd20-
b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs
- LEEF:2.0|Palo Alto Networks|Next Generation Firewall|
null|alert| |TimeReceived=2021-09-21 07:09:00.046851
DeviceSN=xxxxxxxxxxxxx cat=sctp SubType= ConfigVersion=
devTime=2021-09-21 07:09:00.046860 src=xxx.xx.x.xx
dst=xxx.xx.x.xx NATSource=xxx.xx.x.xx NATDestination=xxx.xx.x.xx
Rule=allow-business-apps usrName=paloaltonetwork\xxxxx
DestinationUser=paloaltonetworkxxxxx Application=panorama
VirtualLocation=vsys1 FromZone=corporate ToZone=untrust
InboundInterface=ethernet1/1 OutboundInterface=ethernet1/2
LogSetting=test SessionID=391582 RepeatCount=1 srcPort=3033
dstPort=5496 NATSourcePort=26714 NATDestinationPort=15054 proto=tcp
DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0
DGHierarchyLevel4=0 VirtualSystemName= DeviceName=PA-5220
SequenceNo=6711379990526573312 EndpointAssociationID=2086888838
PayloadProtocolID=-1 VendorSeverity=Critical SctpChunkType=9
SCTPEventType=Kerberos single sign-on failed EventCode=3
VerificationTag1=0x3bae3042 VerificationTag2=0x1911015e
SctpCauseCode=0 DiamAppID=-1 DiameterCommandCode=-1 DiamAvpCode=0
StreamID=0 AssocationEndReason= MapAppCode=0 SccpCallingSSN=0
SccpCallingGt= SctpFilter= ChunksTotal=0 ChunksSent=0
ChunksReceived=0 PacketsTotal=0 srcPackets=0 dstPackets=0
RuleUUID= ContainerID= ContainerNameSpace= ContainerName=
SourceEDL= DestinationEDL= SourceDynamicAddressGroup=
DestinationDynamicAddressGroup= TimeGeneratedHighResolution=
devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the SCTP field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token that
the Log Forwarding app uses when it sends logs to the syslog server. If you configure a
profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth), as a parameter called profileToken.
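The example line above can be taken apart with the following parser, an added example that is not part of this reference or of the Log Forwarding app. It assumes the RFC 5424 framing shown in the example (app-name logforwarder, message id panwlogs, structured data "-"), that the LEEF 2.0 delimiter field is a single space as in the example, that the embedded SAMPLE_LINE is an abridged, constructed copy of the page's example with its masked values, and that LEEF_TO_QUERY (a subset of the table below) is enough to show the rename to query names; profile_token_matches is an assumed receiver-side check of the profileToken parameter against the configured value, which the reference does not itself describe.

```python
"""Parse a Log Forwarding SCTP log line in LEEF 2.0 and rename its
attributes to Cortex Data Lake query names.

Added example; not code from this reference or from the Log Forwarding app.
"""
import hmac
import re

# Constructed sample: abridged from the page's example line, masked values kept.
SAMPLE_LINE = (
    "1557 <14>1 2021-09-21T07:09:02.763Z "
    "stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|alert| |"
    "TimeReceived=2021-09-21 07:09:00.046851 DeviceSN=xxxxxxxxxxxxx cat=sctp "
    "SubType= ConfigVersion= devTime=2021-09-21 07:09:00.046860 "
    "src=xxx.xx.x.xx dst=xxx.xx.x.xx Rule=allow-business-apps "
    "usrName=paloaltonetwork\\xxxxx Application=panorama VirtualLocation=vsys1 "
    "SessionID=391582 srcPort=3033 dstPort=5496 proto=tcp DeviceName=PA-5220 "
    "VendorSeverity=Critical SctpChunkType=9 "
    "SCTPEventType=Kerberos single sign-on failed EventCode=3 "
    "srcPackets=0 dstPackets=0 AssocationEndReason= "
    "devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)

# Subset of the SCTP LEEF Name -> Query Name table from this reference.
LEEF_TO_QUERY = {
    "EventID": "action.value", "cat": "log_type.value",
    "devTime": "time_generated", "TimeReceived": "log_time",
    "DeviceSN": "log_source_id", "DeviceName": "log_source_name",
    "src": "source_ip.value", "dst": "dest_ip.value",
    "srcPort": "source_port", "dstPort": "dest_port",
    "proto": "protocol.value", "usrName": "source_user",
    "srcPackets": "packets_sent", "dstPackets": "packets_received",
    "Application": "app", "Rule": "rule_matched", "SessionID": "session_id",
    "SCTPEventType": "event_type.value", "EventCode": "event_code",
    "SctpChunkType": "sctp_chunk_type", "VendorSeverity": "vendor_severity.value",
    "VirtualLocation": "vsys",
}

# RFC 5424 header as it appears in the example: PRI/version, timestamp, host,
# app-name, procid, msgid, structured-data (assumed to be the NILVALUE "-"),
# then the LEEF payload. Anything before "<PRI>1" (the octet count, or a
# receiving host's own prefix) is ignored.
_SYSLOG_RE = re.compile(
    r"<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<leef>LEEF:.*)$"
)


def _delimiter(field):
    """LEEF 2.0 delimiter field: a literal character or a hex form such as x09."""
    m = re.fullmatch(r"[xX]([0-9A-Fa-f]{2})", field)
    return chr(int(m.group(1), 16)) if m else field


def parse_leef_line(line):
    """Return (header, attrs) for one LEEF 2.0 line; raise ValueError otherwise."""
    m = _SYSLOG_RE.search(line)
    if not m:
        raise ValueError("no RFC 5424 header carrying a LEEF payload")
    parts = m.group("leef").split("|", 6)
    if len(parts) != 7 or parts[0] != "LEEF:2.0":
        raise ValueError("unsupported LEEF header: %r" % parts[0])
    delim = _delimiter(parts[5])
    body = parts[6]
    if delim.isspace():
        # With a space delimiter, values can themselves contain spaces
        # (TimeReceived, SCTPEventType in the example), so split only where
        # the next "key=" starts rather than on every space.
        pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", body)
    else:
        pairs = [kv.split("=", 1) for kv in body.split(delim) if "=" in kv]
    header = {
        "pri": int(m.group("pri")), "timestamp": m.group("ts"),
        "host": m.group("host"), "vendor": parts[1], "product": parts[2],
        "version": parts[3], "event_id": parts[4],
    }
    return header, dict(pairs)


def to_query_fields(attrs):
    """Rename LEEF attribute names to query names; unmapped names are kept."""
    return {LEEF_TO_QUERY.get(k, k): v for k, v in attrs.items()}


def profile_token_matches(attrs, expected):
    """Constant-time comparison of the optional profileToken attribute with
    the value configured in the forwarding profile (assumed check; the
    reference only says where the token appears in the line)."""
    return hmac.compare_digest(attrs.get("profileToken", ""), expected)


if __name__ == "__main__":
    hdr, raw = parse_leef_line(SAMPLE_LINE)
    print(hdr)
    for name, value in sorted(to_query_fields(raw).items()):
        print("%-24s %s" % (name, value))
```

The space delimiter is the part worth noticing: a naive split on the delimiter would cut TimeReceived and SCTPEventType in two, and even the key-boundary split above is fooled by a value that happens to contain a " word=" sequence. A receiver that can choose a tab or hex delimiter avoids that ambiguity entirely.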

LEEF Name Query Name Field Type

EventID action.value Header

Application app Custom

AssocationEndReason association_end_reason.value Custom

ChunksReceived chunks_received Custom

ChunksSent chunks_sent Custom

ChunksTotal chunks_total Custom

ConfigVersion config_version.value Custom

ContainerID container_id Custom

ContentVersion content_version Custom

RepeatCount count_of_repeats Custom

CortexDataLakeTenantID customer_id Custom

DestinationDeviceClass dest_device_class Custom

DestinationDeviceMac dest_device_mac Custom

DestinationDeviceModel dest_device_model Custom

DestinationDeviceOS dest_device_os Custom

DestinationDeviceVendor dest_device_vendor Custom

DestinationDynamicAddressGroup dest_dynamic_address_group Custom

DestinationEDL dest_edl Custom

dst dest_ip.value Predefined

DestinationLocation dest_location Custom

dstPort dest_port Predefined

DestinationUser dest_user Custom

DestinationUserDomain dest_user_info.domain Custom

DestinationUserName dest_user_info.name Custom

DestinationUserUUID dest_user_info.uuid Custom

DestinationUUID dest_uuid Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

DiamAppID diam_app_id Custom

DiamAvpCode diam_avp_code Custom

DiameterCommandCode diam_cmd_code Custom

EndpointAssociationID ep_assoc_id Custom

EventCode event_code Custom

SCTPEventType event_type.value Custom

FromZone from_zone Custom

InboundInterface inbound_if.value Custom

InboundInterfaceDetailsPort inbound_if_details.port Custom

InboundInterfaceDetailsSlot inbound_if_details.slot Custom

InboundInterfaceDetailsType inbound_if_details.type.value Custom

InboundInterfaceDetailsUnit inbound_if_details.unit Custom

CaptivePortal is_captive_portal Custom

IsClienttoServer is_client_to_server Custom

IsContainer is_container Custom

IsDecryptMirror is_decrypt_mirror Custom

IsDecryptedPayloadForward is_decrypted_payload_fwded Custom

IsDecryptedLog is_decryption_log Custom

IsDuplicateLog is_dup_log Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsIPV6 is_ipv6 Custom

IsInspectrionBeforeSession is_l7_inspection_b4_session Custom

IsMptcpOn is_mptcp_on Custom

NAT is_nat Custom

IsNonStandardDestinationPort is_non_std_dest_port Custom

IsPacketCapture is_packet_capture Custom

IsPhishing is_phishing Custom

IsPrismaNetwork is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

IsProxy is_proxy Custom

IsReconExcluded is_recon_excluded Custom

IsServertoClient is_server_to_client Custom

IsSourceXForwarded is_source_x_fwded Custom

IsSystemReturn is_sym_return Custom

IsTransaction is_transaction Custom

IsTunnelInspected is_tunnel_inspected Custom

IsURLDenied is_url_denied Custom

LogSetting log_set Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

MapAppCode map_op_code Custom

NATDestination nat_dest.value Custom

NATDestinationPort nat_dest_port Custom

NATSource nat_source.value Custom

NATSourcePort nat_source_port Custom

OutboundInterface outbound_if.value Custom

OutboundInterfaceDetailsPort outbound_if_details.port Custom

OutboundInterfaceDetailsSlot outbound_if_details.slot Custom

OutboundInterfaceDetailsType outbound_if_details.type.value Custom

OutboundInterfaceDetailsUnit outbound_if_details.unit Custom

dstPackets packets_received Predefined

srcPackets packets_sent Predefined

PacketsTotal packets_total Custom

PanoramaSN panorama_serial Custom

PayloadProtocolID payload_protocol_id Custom

PlatformType platform_type Custom

ContainerName pod_name Custom

ContainerNameSpace pod_namespace Custom

proto protocol.value Predefined

Rule rule_matched Custom

RuleUUID rule_matched_uuid Custom

SccpCallingGt sccp_calling_gt Custom

SccpCallingSSN sccp_calling_ssn Custom

SctpCauseCode sctp_cause_code Custom

SctpChunkType sctp_chunk_type Custom

SctpFilter sctp_filter Custom

SequenceNo sequence_no Custom

SessionOwnerMidx sess_owner_rt_midx Custom

SessionEndReason session_end_reason.value Custom

SessionID session_id Custom

SessionTracker session_tracker Custom

Severity severity Custom

SourceDeviceClass source_device_class Custom

SourceDeviceMac source_device_mac Custom

SourceDeviceModel source_device_model Custom

SourceDeviceOS source_device_os Custom

SourceDeviceVendor source_device_vendor Custom

SourceDynamicAddressGroup source_dynamic_address_group Custom

SourceEDL source_edl Custom

src source_ip.value Predefined

SourceLocation source_location Custom

srcPort source_port Predefined

usrName source_user Predefined

SourceUserDomain source_user_info.domain Custom

SourceUserName source_user_info.name Custom

SourceUserUUID source_user_info.uuid Custom

SourceUUID source_uuid Custom

StreamID stream_id Custom

SubType sub_type.value Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

ToZone to_zone Custom

Tunnel tunnel.value Custom

Vendor vendor_name Header

VendorSeverity vendor_severity.value Custom

VerificationTag1 verification_tag_1 Custom

VerificationTag2 verification_tag_2 Custom

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom

Threat
Threat logs contain entries for when network traffic matches one of the security profiles attached
to a next-generation firewall security rule.
As network traffic passes through the firewall, the firewall inspects the content contained in the
traffic. Whenever this content matches a threat pattern (that is, it presents a pattern suggesting the
content is a virus, or spyware, or a known vulnerability in a legitimate application), the firewall
creates a Threat log.
The frequency of this pattern matching within a network session is unpredictable. Most often
you should see sessions with no Threat logs, followed by sessions with a single Threat log, but it
is also possible for a session to require many Threat logs. Remember that a network session can
include multiple messages sent and received between two communicating endpoints. If these
messages contain content that matches the firewall's threat patterns, they will cause the firewall
to generate multiple Threat logs.
See the following for information related to supported log formats:
• Threat Syslog Default Field Order
• Threat CEF Fields
• Threat EMAIL Fields
• Threat HTTPS Fields
• Threat LEEF Fields

THREAT Field (Display Name) Description

action.value Identifies the action that the firewall took for the
network traffic.
(ACTION)
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action

app Application associated with the network traffic.
(APPLICATION)
Syslog field name: Syslog Field Order
CEF field name: app
EMAIL field name: Application
HTTPS field name: Application
LEEF field name: Application

app_category Identifies the high-level family of the application.
(APPLICATION CATEGORY)
CEF field name: PanOSApplicationCategory
EMAIL field name: ApplicationCategory
HTTPS field name: ApplicationCategory
LEEF field name: ApplicationCategory

app_sub_category Identifies the application's subcategory. The
subcategory is related to the application's category,
which is identified in app_category.
(APPLICATION SUBCATEGORY)
CEF field name: PanOSApplicationSubcategory
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory

cloud FQDN of either the appliance (private) or the cloud
(public) from where the file was uploaded for analysis.
(APPLIANCE/CLOUD)
Syslog field name: Syslog Field Order
CEF field name: PanOSApplianceOrCloud
EMAIL field name: ApplianceOrCloud
HTTPS field name: ApplianceOrCloud
LEEF field name: ApplianceOrCloud

cloud_hostname The hostname in which the VM-series firewall is
running.
(CLOUD HOSTNAME)
CEF field name: PanOSCloudHostname
EMAIL field name: CloudHostname
HTTPS field name: CloudHostname
LEEF field name: CloudHostname

cloud_reportid Unique 32 character ID for a file scanned by the DLP
cloud service sent by a firewall running PAN-OS 10.2.0.
The same Cloud Report ID is displayed for a file the
DLP cloud service has already scanned and generated a
Cloud Report ID for.
(CLOUD REPORTID)
CEF field name: PanOSCloudReportID
EMAIL field name: CloudReportID
HTTPS field name: CloudReportID
LEEF field name: CloudReportID

config_version.value Version number of the firewall operating system that
wrote this log record.
(CONFIG VERSION)
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

container_id Unknown field. No information is available at this time.
(CONTAINER ID)
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerID
EMAIL field name: ContainerID
HTTPS field name: ContainerID
LEEF field name: ContainerID

container_of_app Identifies the managing application or parent of the
application associated with this network traffic.
(APPLICATION CONTAINER)
CEF field name: PanOSApplicationContainer
EMAIL field name: ApplicationContainer
HTTPS field name: ApplicationContainer
LEEF field name: ApplicationContainer

content_version Applications and Threats version installed on the
firewall when the log was generated.
(CONTENT VERSION)
Syslog field name: Syslog Field Order
CEF field name: PanOSContentVersion
EMAIL field name: ContentVersion
HTTPS field name: ContentVersion
LEEF field name: ContentVersion

count_of_repeats Number of sessions with same Source IP, Destination
IP, Application, and Content/Threat Type seen for the
summary interval.
(REPEAT COUNT)
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: RepeatCount
HTTPS field name: RepeatCount
LEEF field name: RepeatCount

customer_id The ID that uniquely identifies the Cortex Data Lake
instance which received this log record.
(CORTEX DATA LAKE TENANT ID)
CEF field name: PanOSCortexDataLakeTenantID
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID

dest_device_category Category of the device to which the session was
directed.
(DESTINATION DEVICE CATEGORY)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceCategory
EMAIL field name: DestinationDeviceCategory
HTTPS field name: DestinationDeviceCategory
LEEF field name: DestinationDeviceCategory

dest_device_class Destination device class.
(DESTINATION DEVICE CLASS)
CEF field name: PanOSDestinationDeviceClass
EMAIL field name: DestinationDeviceClass
HTTPS field name: DestinationDeviceClass
LEEF field name: DestinationDeviceClass

dest_device_host Hostname of the device to which the session was
directed.
(DESTINATION DEVICE HOST)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceHost
EMAIL field name: DestinationDeviceHost
HTTPS field name: DestinationDeviceHost
LEEF field name: DestinationDeviceHost

dest_device_mac MAC Address of the device to which the session was
directed.
(DESTINATION DEVICE MAC)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceMac
EMAIL field name: DestinationDeviceMac
HTTPS field name: DestinationDeviceMac
LEEF field name: DestinationDeviceMac

dest_device_model Model of the device to which the session was directed.
(DESTINATION DEVICE MODEL)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceModel
EMAIL field name: DestinationDeviceModel
HTTPS field name: DestinationDeviceModel
LEEF field name: DestinationDeviceModel

dest_device_os Destination device OS type.
(DESTINATION DEVICE OS)
CEF field name: PanOSDestinationDeviceOS
EMAIL field name: DestinationDeviceOS
HTTPS field name: DestinationDeviceOS
LEEF field name: DestinationDeviceOS

dest_device_osfamily OS family of the device to which the session was
directed.
(DESTINATION DEVICE OS FAMILY)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceOSFamily
EMAIL field name: DestinationDeviceOSFamily
HTTPS field name: DestinationDeviceOSFamily
LEEF field name: DestinationDeviceOSFamily

dest_device_osversion OS version of the device to which the session was
directed.
(DESTINATION DEVICE OS VERSION)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceOSVersion
EMAIL field name: DestinationDeviceOSVersion
HTTPS field name: DestinationDeviceOSVersion
LEEF field name: DestinationDeviceOSVersion

dest_device_profile Profile of the device to which the session was directed.
(DESTINATION DEVICE PROFILE)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceProfile
EMAIL field name: DestinationDeviceProfile
HTTPS field name: DestinationDeviceProfile
LEEF field name: DestinationDeviceProfile

dest_device_vendor Vendor of the device to which the session was directed.
(DESTINATION DEVICE VENDOR)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceVendor
EMAIL field name: DestinationDeviceVendor
HTTPS field name: DestinationDeviceVendor
LEEF field name: DestinationDeviceVendor

dest_dynamic_address_group The dynamic address group that Device-ID identifies as
the destination for the traffic.
(DESTINATION DYNAMIC ADDRESS GROUP)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDynamicAddressGroup
EMAIL field name: DestinationDynamicAddressGroup
HTTPS field name: DestinationDynamicAddressGroup
LEEF field name: DestinationDynamicAddressGroup

dest_edl The name of the external dynamic list that contains the
destination IP address of the traffic.
(DESTINATION EDL)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationEDL
EMAIL field name: DestinationEDL
HTTPS field name: DestinationEDL
LEEF field name: DestinationEDL

dest_ip.value Original destination IP address.
(DESTINATION ADDRESS)
Syslog field name: Syslog Field Order
CEF fields: dst or c6a3
EMAIL field name: DestinationAddress
HTTPS field name: DestinationAddress
LEEF field name: dst

dest_location Destination country or internal region for private
addresses.
(DESTINATION LOCATION)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationLocation
EMAIL field name: DestinationLocation
HTTPS field name: DestinationLocation
LEEF field name: DestinationLocation

dest_port Network traffic's destination port. If this value is 0, then
the app is using its standard port.
(DESTINATION PORT)
Syslog field name: Syslog Field Order
CEF field name: dpt
EMAIL field name: DestinationPort
HTTPS field name: DestinationPort
LEEF field name: dstPort

dest_user The username to which the network traffic was
destined.
(DESTINATION USER)
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: DestinationUser
HTTPS field name: DestinationUser
LEEF field name: DestinationUser

dest_user_info.domain Domain to which the Destination User belongs.
(DESTINATION USER DOMAIN)
CEF field name: dntdom
EMAIL field name: DestinationUserDomain
HTTPS field name: DestinationUserDomain
LEEF field name: DestinationUserDomain

dest_user_info.name The Destination User. That is, the username to which
the network traffic was destined.
(DESTINATION USER NAME)
CEF field name: dusername, duser
EMAIL field name: DestinationUserName
HTTPS field name: DestinationUserName
LEEF field name: DestinationUserName

dest_user_info.uuid Unique identifier assigned to the Destination User.
(DESTINATION USER UUID)
CEF field name: duid
EMAIL field name: DestinationUserUUID
HTTPS field name: DestinationUserUUID
LEEF field name: DestinationUserUUID

dest_uuid Identifies the destination universal unique identifier
for a guest virtual machine in the VMware NSX
environment.
(DESTINATION UUID)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationUUID
EMAIL field name: DestinationUUID
HTTPS field name: DestinationUUID
LEEF field name: DestinationUUID

dg_hier_level_1 A sequence of identification numbers that indicate the
device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 1)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1

dg_hier_level_2 A sequence of identification numbers that indicate the
device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 2)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2

dg_hier_level_3 A sequence of identification numbers that indicate the
device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 3)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3

dg_hier_level_4 A sequence of identification numbers that indicate the
device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 4)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4

direction_of_attack.value Indicates the direction of the attack.
(DIRECTION OF ATTACK)
Syslog field name: Syslog Field Order
CEF field name: flexString2
EMAIL field name: DirectionOfAttack
HTTPS field name: DirectionOfAttack
LEEF field name: DirectionOfAttack

domain_edl Domain External Dynamic List. That is, the name of
the external dynamic list that contains the destination
domain of the traffic.
(DOMAIN EDL)
Syslog field name: Syslog Field Order
CEF field name: PanOSDomainEDL
EMAIL field name: DomainEDL
HTTPS field name: DomainEDL
LEEF field name: DomainEDL

dynusergroup_name Dynamic user group of the user who initiated the
network connection.
(DYNAMIC USER GROUP NAME)
Syslog field name: Syslog Field Order
CEF field name: PanOSDynamicUserGroupName
EMAIL field name: DynamicUserGroupName
HTTPS field name: DynamicUserGroupName
LEEF field name: DynamicUserGroupName

endpoint_serial_number Serial number of the host on which GlobalProtect is
installed.
(ENDPOINT SERIAL NUMBER)
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointSerialNumber
EMAIL field name: EndpointSerialNumber
HTTPS field name: EndpointSerialNumber
LEEF field name: EndpointSerialNumber

file_name The name of the infected file when the threat is 'virus'.
(FILE NAME) Syslog field name: Syslog Field Order
CEF field name: request
EMAIL field name: FileName
HTTPS field name: FileName
LEEF field name: FileName

file_sha_256 The binary hash (SHA256) of the file sent for virus
analysis.
(FILE HASH)
Syslog field name: Syslog Field Order
CEF field name: PanOSFileHash
EMAIL field name: FileHash
HTTPS field name: FileHash
LEEF field name: FileHash

file_type The type of the file sent for virus analysis.
(FILE TYPE)
Syslog field name: Syslog Field Order
CEF field name: PanOSFileType
EMAIL field name: FileType
HTTPS field name: FileType
LEEF field name: FileType

file_url File URL.
(FILE URL)
CEF field name: PanOSFileURL
EMAIL field name: FileURL
HTTPS field name: FileURL
LEEF field name: FileURL

flow_type.value Defines the traffic type: explicit proxy, transparent
proxy, or no proxy traffic.
(FLOW TYPE)
CEF field name: FlowType
EMAIL field name: FlowType
HTTPS field name: FlowType
LEEF field name: FlowType

from_zone The networking zone from which the traffic originated.
(FROM ZONE)
Syslog field name: Syslog Field Order
CEF field name: cs4
EMAIL field name: FromZone
HTTPS field name: FromZone
LEEF field name: FromZone

host_id A unique ID that GlobalProtect assigns to identify the
host.
(GP HOST ID)
Syslog field name: Syslog Field Order
CEF field name: PanOSHostID
EMAIL field name: HostID
HTTPS field name: HostID
LEEF field name: HostID

http2_connection Parent session ID for an HTTP/2 connection. If the


traffic is not using HTTP/2, this field is set to 0.
(HTTP2 CONNECTION)
Syslog field name: Syslog Field Order

Cortex Data Lake Schema Reference January 2024 453 ©2024 Palo Alto Networks, Inc.
Network Logs

THREAT Field Description


(Display Name)
CEF field name: PanOSHTTP2Connection
EMAIL field name: HTTP2Connection
HTTPS field name: HTTP2Connection
LEEF field name: HTTP2Connection

http_method.value (HTTP METHOD)
Describes the HTTP Method used in the web request.
CEF field name: PanOSHTTPMethod
EMAIL field name: HTTPMethod
HTTPS field name: HTTPMethod
LEEF field name: HTTPMethod

inbound_if.value (INBOUND INTERFACE)
Interface from which the network traffic was sourced.
Syslog field name: Syslog Field Order
CEF field name: deviceInboundInterface
EMAIL field name: InboundInterface
HTTPS field name: InboundInterface
LEEF field name: InboundInterface

inbound_if_details.port (INBOUND INTERFACE DETAILS PORT)
Hardware port or socket from which the network traffic was sourced.
CEF field name: PanOSInboundInterfaceDetailsPort
EMAIL field name: InboundInterfaceDetailsPort
HTTPS field name: InboundInterfaceDetailsPort
LEEF field name: InboundInterfaceDetailsPort

inbound_if_details.slot (INBOUND INTERFACE DETAILS SLOT)
Interface slot from which the network traffic was sourced.
CEF field name: PanOSInboundInterfaceDetailsSlot
EMAIL field name: InboundInterfaceDetailsSlot
HTTPS field name: InboundInterfaceDetailsSlot
LEEF field name: InboundInterfaceDetailsSlot

inbound_if_details.type.value (INBOUND INTERFACE DETAILS TYPE)
The type of interface from which the network traffic was sourced.
CEF field name: PanOSInboundInterfaceDetailsType
EMAIL field name: InboundInterfaceDetailsType
HTTPS field name: InboundInterfaceDetailsType
LEEF field name: InboundInterfaceDetailsType

inbound_if_details.unit (INBOUND INTERFACE DETAILS UNIT)
Internal use.
CEF field name: PanOSInboundInterfaceDetailsUnit
EMAIL field name: InboundInterfaceDetailsUnit
HTTPS field name: InboundInterfaceDetailsUnit
LEEF field name: InboundInterfaceDetailsUnit

is_captive_portal (CAPTIVE PORTAL)
Indicates if user information for the session was captured through Captive Portal.
CEF field name: PanOSCaptivePortal
EMAIL field name: CaptivePortal
HTTPS field name: CaptivePortal
LEEF field name: CaptivePortal

is_client_to_server (IS CLIENT TO SERVER)
Indicates whether the direction of traffic is from client to server.
CEF field name: PanOSIsClienttoServer
EMAIL field name: IsClienttoServer
HTTPS field name: IsClienttoServer
LEEF field name: IsClienttoServer

is_container (IS CONTAINER)
Indicates if the session is a container page access (Container Page).
CEF field name: PanOSIsContainer
EMAIL field name: IsContainer
HTTPS field name: IsContainer
LEEF field name: IsContainer

is_decrypt_mirror (IS DECRYPT MIRROR)
Indicates whether decrypted traffic was sent out in clear text through a mirror port.
CEF field name: PanOSIsDecryptMirror
EMAIL field name: IsDecryptMirror
HTTPS field name: IsDecryptMirror
LEEF field name: IsDecryptMirror

is_decrypted (IS DECRYPTED)
Flag that indicates that the session is decrypted.
CEF field name: PanOSIsDecrypted
EMAIL field name: IsDecrypted
HTTPS field name: IsDecrypted
LEEF field name: IsDecrypted

is_dup_log (IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog

is_encrypted (IS ENCRYPTED)
Flag that indicates that the session is encrypted.
CEF field name: PanOSIsEncrypted
EMAIL field name: IsEncrypted
HTTPS field name: IsEncrypted
LEEF field name: IsEncrypted

is_exported (LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
Internal-use field. Indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded

is_ipv6 (IS IPV6)
Indicates whether IPV6 was used for the session.
CEF field name: PanOSIsIPV6
EMAIL field name: IsIPV6
HTTPS field name: IsIPV6
LEEF field name: IsIPV6

is_mptcp_on (IS MPTCP ON)
Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
CEF field name: PanOSIsMptcpOn
EMAIL field name: IsMptcpOn
HTTPS field name: IsMptcpOn
LEEF field name: IsMptcpOn

is_nat (NAT)
Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
CEF field name: PanOSNAT
EMAIL field name: NAT
HTTPS field name: NAT
LEEF field name: NAT

is_non_std_dest_port (IS NON STANDARD DESTINATION PORT)
Indicates if the destination port is non-standard.
CEF field name: PanOSIsNonStandardDestinationPort
EMAIL field name: IsNonStandardDestinationPort
HTTPS field name: IsNonStandardDestinationPort
LEEF field name: IsNonStandardDestinationPort

is_packet_capture (IS PACKET CAPTURE)
Indicates whether the session has a packet capture (PCAP).
CEF field name: PanOSIsPacketCapture
EMAIL field name: IsPacketCapture
HTTPS field name: IsPacketCapture
LEEF field name: IsPacketCapture

is_phishing (IS PHISHING)
Indicates whether enterprise credentials were submitted by an end user.
CEF field name: PanOSIsPhishing
EMAIL field name: IsPhishing
HTTPS field name: IsPhishing
LEEF field name: IsPhishing

is_prisma_branch (IS PRISMA NETWORK)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetwork
EMAIL field name: IsPrismaNetwork
HTTPS field name: IsPrismaNetwork
LEEF field name: IsPrismaNetwork

is_prisma_mobile (IS PRISMA USERS)
Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers

is_proxy (IS PROXY)
Indicates whether the SSL session is decrypted (SSL Proxy).
CEF field name: PanOSIsProxy
EMAIL field name: IsProxy
HTTPS field name: IsProxy
LEEF field name: IsProxy

is_recon_excluded (IS RECON EXCLUDED)
Indicates whether the source of the flow is on the firewall allow list and not subject to recon protection.
CEF field name: PanOSIsReconExcluded
EMAIL field name: IsReconExcluded
HTTPS field name: IsReconExcluded
LEEF field name: IsReconExcluded

is_saas_app (IS SAAS APPLICATION)
Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application.
CEF field name: PanOSIsSaaSApplication
EMAIL field name: IsSaaSApplication
HTTPS field name: IsSaaSApplication
LEEF field name: IsSaaSApplication

is_server_to_client (IS SERVER TO CLIENT)
Indicates whether the direction of traffic is from server to client.
CEF field name: PanOSIsServertoClient
EMAIL field name: IsServertoClient
HTTPS field name: IsServertoClient
LEEF field name: IsServertoClient

is_source_x_fwded (IS SOURCE X FORWARDED)
Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
CEF field name: PanOSIsSourceXForwarded
EMAIL field name: IsSourceXForwarded
HTTPS field name: IsSourceXForwarded
LEEF field name: IsSourceXForwarded

is_sym_return (IS SYSTEM RETURN)
Indicates whether symmetric return was used to forward traffic for this session.
CEF field name: PanOSIsSystemReturn
EMAIL field name: IsSystemReturn
HTTPS field name: IsSystemReturn
LEEF field name: IsSystemReturn

is_transaction (IS TRANSACTION)
Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
CEF field name: PanOSIsTransaction
EMAIL field name: IsTransaction
HTTPS field name: IsTransaction
LEEF field name: IsTransaction

is_tunnel_inspected (IS TUNNEL INSPECTED)
Indicates whether the payload for the outer tunnel was inspected.
CEF field name: PanOSIsTunnelInspected
EMAIL field name: IsTunnelInspected
HTTPS field name: IsTunnelInspected
LEEF field name: IsTunnelInspected

is_url_denied (IS URL DENIED)
Indicates whether the session was denied due to a URL filtering rule.
CEF field name: PanOSIsURLDenied
EMAIL field name: IsURLDenied
HTTPS field name: IsURLDenied
LEEF field name: IsURLDenied

location (PRISMA ACCESS LOCATION)
Prisma Access Region/Location.
CEF field name: PanOSLocation
EMAIL field name: Location
HTTPS field name: Location
LEEF field name: Location

log_set (LOG SETTING)
Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
Syslog field name: Syslog Field Order
CEF field name: cs6
EMAIL field name: LogSetting
HTTPS field name: LogSetting
LEEF field name: LogSetting

log_source (LOG SOURCE)
Identifies the origin of the data, that is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
ID that uniquely identifies the log source group of the log. That is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
CEF field name: PanOSLogSourceTimeZoneOffset
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived

log_type.value (LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat

monitor_tag_imei (IMEI)
A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
Syslog field name: Syslog Field Order
CEF field name: PanOSIMEI
EMAIL field name: IMEI
HTTPS field name: IMEI
LEEF field name: IMEI

nat_dest.value (NAT DESTINATION)
If destination NAT was performed, the post-NAT destination IP address.
Syslog field name: Syslog Field Order
CEF field name: destinationTranslatedAddress
EMAIL field name: NATDestination
HTTPS field name: NATDestination
LEEF field name: dstPostNAT

nat_dest_port (NAT DESTINATION PORT)
Post-NAT destination port.
Syslog field name: Syslog Field Order
CEF field name: destinationTranslatedPort
EMAIL field name: NATDestinationPort
HTTPS field name: NATDestinationPort
LEEF field name: dstPostNATPort

nat_source.value (NAT SOURCE)
If source NAT was performed, the post-NAT source IP address.
Syslog field name: Syslog Field Order
CEF field name: sourceTranslatedAddress
EMAIL field name: NATSource
HTTPS field name: NATSource
LEEF field name: srcPostNAT

nat_source_port (NAT SOURCE PORT)
Post-NAT source port.
Syslog field name: Syslog Field Order
CEF field name: sourceTranslatedPort
EMAIL field name: NATSourcePort
HTTPS field name: NATSourcePort
LEEF field name: srcPostNATPort

non_standard_dest_port (NON STANDARD DESTINATION PORT)
Identifies the non-standard or unexpected port used by the application associated with this session.
CEF field name: PanOSNonStandardDestinationPort
EMAIL field name: NonStandardDestinationPort
HTTPS field name: NonStandardDestinationPort
LEEF field name: NonStandardDestinationPort

nssai_network_slice_type.value (NSSAI NETWORK SLICE TYPE)
Network Slice Type (SST part of SNSSAI).
Syslog field name: Syslog Field Order
CEF field name: PanOSNSSAINetworkSliceType
EMAIL field name: NSSAINetworkSliceType
HTTPS field name: NSSAINetworkSliceType
LEEF field name: NSSAINetworkSliceType

outbound_if.value (OUTBOUND INTERFACE)
Interface to which the network traffic was destined.
Syslog field name: Syslog Field Order
CEF field name: deviceOutboundInterface
EMAIL field name: OutboundInterface
HTTPS field name: OutboundInterface
LEEF field name: OutboundInterface

outbound_if_details.port (OUTBOUND INTERFACE DETAILS PORT)
Hardware port or socket to which the network traffic was sent.
CEF field name: PanOSOutboundInterfaceDetailsPort
EMAIL field name: OutboundInterfaceDetailsPort
HTTPS field name: OutboundInterfaceDetailsPort
LEEF field name: OutboundInterfaceDetailsPort

outbound_if_details.slot (OUTBOUND INTERFACE DETAILS SLOT)
Interface slot to which the network traffic was sent.
CEF field name: PanOSOutboundInterfaceDetailsSlot
EMAIL field name: OutboundInterfaceDetailsSlot
HTTPS field name: OutboundInterfaceDetailsSlot
LEEF field name: OutboundInterfaceDetailsSlot

outbound_if_details.type.value (OUTBOUND INTERFACE DETAILS TYPE)
The type of interface to which the network traffic was sent.
CEF field name: PanOSOutboundInterfaceDetailsType
EMAIL field name: OutboundInterfaceDetailsType
HTTPS field name: OutboundInterfaceDetailsType
LEEF field name: OutboundInterfaceDetailsType

outbound_if_details.unit (OUTBOUND INTERFACE DETAILS UNIT)
Internal use.
CEF field name: PanOSOutboundInterfaceDetailsUnit
EMAIL field name: OutboundInterfaceDetailsUnit
HTTPS field name: OutboundInterfaceDetailsUnit
LEEF field name: OutboundInterfaceDetailsUnit

panorama_serial (PANORAMA SN)
Panorama serial number associated with Cortex Data Lake (CDL).
CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN

parent_session_id (PARENT SESSION ID)
ID of the session in which this network traffic was tunneled.
Syslog field name: Syslog Field Order
CEF field name: PanOSParentSessionID
EMAIL field name: ParentSessionID
HTTPS field name: ParentSessionID
LEEF field name: ParentSessionID

parent_start_time (PARENT START TIME)
Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: PanOSParentStarttime
EMAIL field name: ParentStarttime
HTTPS field name: ParentStarttime
LEEF field name: ParentStarttime

partial_hash (PARTIAL HASH)
Machine learning partial hash.
Syslog field name: Syslog Field Order
CEF field name: PanOSPartialHash
EMAIL field name: PartialHash
HTTPS field name: PartialHash
LEEF field name: PartialHash

payload_protocol_id (PAYLOAD PROTOCOL ID)
The associated Payload Protocol Identifier.
CEF field name: PanOSPayloadProtocolID
EMAIL field name: PayloadProtocolID
HTTPS field name: PayloadProtocolID
LEEF field name: PayloadProtocolID

pcap (PACKET)
Packet that triggered the firewall to generate this threat log record.
CEF field name: PanOSPacket
EMAIL field name: Packet
HTTPS field name: Packet
LEEF field name: Packet

pcap_id (PACKET ID)
Packet capture ID. Used to correlate threat pcap files with extended pcaps taken as a part of the session flow.
Syslog field name: Syslog Field Order
CEF field name: fileId
EMAIL field name: PacketID
HTTPS field name: PacketID
LEEF field name: PacketID

platform_type (PLATFORM TYPE)
The platform type. Valid types are VM, PA, NGFW and CNGFW.
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType

pod_name (POD NAME)
Container name.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerName
EMAIL field name: ContainerName
HTTPS field name: ContainerName
LEEF field name: ContainerName

pod_namespace (CONTAINER NAME SPACE)
Container namespace.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerNameSpace
EMAIL field name: ContainerNameSpace
HTTPS field name: ContainerNameSpace
LEEF field name: ContainerNameSpace

protocol.value (PROTOCOL)
IP protocol associated with the session.
Syslog field name: Syslog Field Order
CEF field name: proto
EMAIL field name: Protocol
HTTPS field name: Protocol
LEEF field name: proto

recipient_of_virus (RECIPIENT EMAIL)
Identifies the recipient of an email that the sandbox determined to be malicious when it was analyzing an email link forwarded by the firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSRecipientEmail
EMAIL field name: RecipientEmail
HTTPS field name: RecipientEmail
LEEF field name: RecipientEmail

report_id (REPORT ID)
Identifies the analysis requested from the sandbox (cloud or appliance).
Syslog field name: Syslog Field Order
CEF field name: PanOSReportID
EMAIL field name: ReportID
HTTPS field name: ReportID
LEEF field name: ReportID

risk_of_app (APPLICATION RISK)
Indicates how risky the application is from a network security perspective.
CEF field name: PanOSApplicationRisk
EMAIL field name: ApplicationRisk
HTTPS field name: ApplicationRisk
LEEF field name: ApplicationRisk

rule_matched (RULE)
Name of the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order
CEF field name: cs1
EMAIL field name: Rule
HTTPS field name: Rule
LEEF field name: Rule

rule_matched_uuid (RULE UUID)
Unique identifier for the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order
CEF field name: PanOSRuleUUID
EMAIL field name: RuleUUID
HTTPS field name: RuleUUID
LEEF field name: RuleUUID

sanctioned_state_of_app (SANCTIONED STATE OF APP)
Indicates whether the application has been flagged as sanctioned by the firewall administrator.
CEF field name: PanOSSanctionedStateOfApp
EMAIL field name: SanctionedStateOfApp
HTTPS field name: SanctionedStateOfApp
LEEF field name: SanctionedStateOfApp

sender_of_virus (SENDER EMAIL)
Identifies the sender of an email that the sandbox determined to be malicious when it was analyzing an email link forwarded by the firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSSenderEmail
EMAIL field name: SenderEmail
HTTPS field name: SenderEmail
LEEF field name: SenderEmail

sequence_no (SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo

session_id (SESSION ID)
Identifies the firewall's internal identifier for a specific network session.
Syslog field name: Syslog Field Order
CEF field name: cn1
EMAIL field name: SessionID
HTTPS field name: SessionID
LEEF field name: SessionID

severity (SEVERITY)
Severity as defined by the platform.
CEF field name: PanOSSeverity
EMAIL field name: Severity
HTTPS field name: Severity
LEEF field name: Severity

sig_flags (SIG FLAGS)
Internal use only.
Syslog field name: Syslog Field Order
CEF field name: PanOSSigFlags
EMAIL field name: SigFlags
HTTPS field name: SigFlags
LEEF field name: SigFlags

source_device_category (SOURCE DEVICE CATEGORY)
Category of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceCategory
EMAIL field name: SourceDeviceCategory
HTTPS field name: SourceDeviceCategory
LEEF field name: SourceDeviceCategory

source_device_class (SOURCE DEVICE CLASS)
Source device class.
CEF field name: PanOSSourceDeviceClass
EMAIL field name: SourceDeviceClass
HTTPS field name: SourceDeviceClass
LEEF field name: SourceDeviceClass

source_device_host (SOURCE DEVICE HOST)
Hostname of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceHost
EMAIL field name: SourceDeviceHost
HTTPS field name: SourceDeviceHost
LEEF field name: SourceDeviceHost

source_device_mac (SOURCE DEVICE MAC)
MAC Address of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceMac
EMAIL field name: SourceDeviceMac
HTTPS field name: SourceDeviceMac
LEEF field name: SourceDeviceMac

source_device_model (SOURCE DEVICE MODEL)
Model of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceModel
EMAIL field name: SourceDeviceModel
HTTPS field name: SourceDeviceModel
LEEF field name: SourceDeviceModel

source_device_os (SOURCE DEVICE OS)
Source device OS type.
CEF field name: PanOSSourceDeviceOS
EMAIL field name: SourceDeviceOS
HTTPS field name: SourceDeviceOS
LEEF field name: SourceDeviceOS

source_device_osfamily (SOURCE DEVICE OS FAMILY)
OS family of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceOSFamily
EMAIL field name: SourceDeviceOSFamily
HTTPS field name: SourceDeviceOSFamily
LEEF field name: SourceDeviceOSFamily

source_device_osversion (SOURCE DEVICE OS VERSION)
OS version of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceOSVersion
EMAIL field name: SourceDeviceOSVersion
HTTPS field name: SourceDeviceOSVersion
LEEF field name: SourceDeviceOSVersion

source_device_profile (SOURCE DEVICE PROFILE)
Profile of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceProfile
EMAIL field name: SourceDeviceProfile
HTTPS field name: SourceDeviceProfile
LEEF field name: SourceDeviceProfile

source_device_vendor (SOURCE DEVICE VENDOR)
Vendor of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceVendor
EMAIL field name: SourceDeviceVendor
HTTPS field name: SourceDeviceVendor
LEEF field name: SourceDeviceVendor

source_dynamic_address_group (SOURCE DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the source of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDynamicAddressGroup
EMAIL field name: SourceDynamicAddressGroup
HTTPS field name: SourceDynamicAddressGroup
LEEF field name: SourceDynamicAddressGroup

source_edl (SOURCE EDL)
The name of the external dynamic list that contains the source IP address of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceEDL
EMAIL field name: SourceEDL
HTTPS field name: SourceEDL
LEEF field name: SourceEDL

source_ip.value (SOURCE ADDRESS)
Original source IP address.
Syslog field name: Syslog Field Order
CEF field name: src or c6a2
EMAIL field name: SourceAddress
HTTPS field name: SourceAddress
LEEF field name: src

source_location (SOURCE LOCATION)
Source country or internal region for private addresses.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceLocation
EMAIL field name: SourceLocation
HTTPS field name: SourceLocation
LEEF field name: SourceLocation

source_port (SOURCE PORT)
Source port utilized by the session.
Syslog field name: Syslog Field Order
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort

source_user (SOURCE USER)
The username that initiated the network traffic.
Syslog field name: Syslog Field Order
CEF field name: suser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: usrName

source_user_info.domain (SOURCE USER DOMAIN)
Domain to which the Source User belongs.
CEF field name: sntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain

source_user_info.name (SOURCE USER NAME)
The Source User. That is, the username that initiated the network traffic.
CEF field name: All of the following: susername, suser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName

source_user_info.uuid (SOURCE USER UUID)
Unique identifier assigned to the Source User.
CEF field name: suid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID

source_uuid (SOURCE UUID)
Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceUUID
EMAIL field name: SourceUUID
HTTPS field name: SourceUUID
LEEF field name: SourceUUID

sub_type.value (SUBTYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType

subject_of_email (EMAIL SUBJECT)
Identifies the subject of an email that the sandbox determined to be malicious when it was analyzing an email link forwarded by the firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSEmailSubject
EMAIL field name: EmailSubject
HTTPS field name: EmailSubject
LEEF field name: EmailSubject

technology_of_app (APPLICATION TECHNOLOGY)
The networking technology used by the identified application.
CEF field name: PanOSApplicationTechnology
EMAIL field name: ApplicationTechnology
HTTPS field name: ApplicationTechnology
LEEF field name: ApplicationTechnology

threat_category.value (THREAT CATEGORY)
Threat category of the detected threat.
Syslog field name: Syslog Field Order
CEF field name: PanOSThreatCategory
EMAIL field name: ThreatCategory
HTTPS field name: ThreatCategory
LEEF field name: ThreatCategory

threat_id (THREAT ID)
Numerical identifier for the threat type.
Syslog field name: Syslog Field Order
CEF field name: PanOSThreatID
EMAIL field name: ThreatID
HTTPS field name: ThreatID
LEEF field name: EventID

threat_name (THREAT NAME)
Palo Alto Networks textual identifier for the threat.
CEF field name: cat
EMAIL field name: ThreatName
HTTPS field name: ThreatName
LEEF field name: ThreatName

threat_name_firewall (THREAT NAME FIREWALL)
Threat Name written by the firewall.
CEF field name: PanOSThreatNameFirewall
EMAIL field name: ThreatNameFirewall
HTTPS field name: ThreatNameFirewall
LEEF field name: ThreatNameFirewall

time_generated (TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res (TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution
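
The CEF column of this table read in the other direction, as an added example that is not Palo Alto Networks code: it parses a constructed CEF THREAT event back into the Cortex Data Lake field names listed here and renders the microsecond log_time and time_generated values in the layout time_generated_high_res uses. It assumes the ArcSight CEF line shape (seven pipe-delimited header fields, then key=value extensions with \\, \= and \| escapes) and that the rt and start extensions carry the schema's microsecond epoch values; the sample event, its placeholder serial number and threat id, and the exampleExtraKey extension are constructed.

```python
"""Map a CEF-formatted THREAT event onto Cortex Data Lake schema field names.
Added example, not Palo Alto Networks code. Assumes the ArcSight CEF layout
(seven pipe-delimited header fields, then key=value extensions using the
\\\\, \\= and \\| escapes) and that rt/start carry the microseconds-since-epoch
values the schema describes for log_time and time_generated.
"""
import re
from datetime import datetime, timezone

# CEF extension key -> schema field, from the "CEF field name" lines of the
# THREAT table. Keys not listed here are returned under "unmapped".
CEF_TO_CDL = {
    "rt": "log_time", "start": "time_generated", "externalId": "sequence_no",
    "deviceExternalId": "log_source_id", "dvchost": "log_source_name",
    "src": "source_ip", "spt": "source_port", "suser": "source_user",
    "proto": "protocol", "cn1": "session_id", "cs1": "rule_matched",
    "cs3": "vsys", "cs4": "from_zone", "cs5": "to_zone", "cs6": "log_set",
    "cat": "threat_name", "request": "file_name", "fileId": "pcap_id",
    "destinationTranslatedAddress": "nat_dest", "destinationTranslatedPort": "nat_dest_port",
    "PanOSThreatID": "threat_id", "PanOSThreatCategory": "threat_category",
    "PanOSRuleUUID": "rule_matched_uuid", "PanOSFileHash": "file_sha_256",
}

# A key is identifier characters followed by "=", at the start of the extension
# or after whitespace, so an escaped "\=" inside a value never opens a new key.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(line):
    """Return the seven header fields (escapes resolved) and the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # \| or \\: take the next char literally
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, line[i:]


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def parse_extension(ext):
    """Split the extension into a dict; values may contain spaces."""
    out, keys = {}, list(_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def micros_to_high_res(micros):
    """Render microseconds since the Unix epoch in the time_generated_high_res
    layout YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z (fraction omitted when zero)."""
    micros = int(micros)
    stamp = datetime.fromtimestamp(micros // 1_000_000, tz=timezone.utc)
    frac = micros % 1_000_000
    text = stamp.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{text}.{frac:06d}Z" if frac else f"{text}Z"


def cef_to_cdl(line):
    """Return one CEF THREAT line as a dict keyed by schema field names."""
    header, ext = split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    # Header slots the table names: Device Vendor, Device Event Class ID, Name.
    # The seventh slot is CEF's own severity, distinct from PanOSSeverity.
    record = {"vendor_name": header[1], "log_type": header[4],
              "sub_type": header[5], "cef_header_severity": header[6]}
    unmapped = {}
    for key, value in parse_extension(ext).items():
        if key in CEF_TO_CDL:
            record[CEF_TO_CDL[key]] = value
        else:
            unmapped[key] = value
    for field in ("log_time", "time_generated"):
        if record.get(field, "").isdigit():
            record[field + "_iso"] = micros_to_high_res(record[field])
    record["unmapped"] = unmapped
    return record


# Constructed sample event; the serial number and threat id are placeholders.
SAMPLE = (
    "CEF:0|Palo Alto Networks|PAN-OS|0.0.0|THREAT|vulnerability|5|"
    "rt=1706612345123456 start=1706612344000000 externalId=7001 "
    "deviceExternalId=PLACEHOLDER-SN dvchost=fw-edge-1 src=10.1.2.3 spt=51234 "
    "suser=corp\\\\alice proto=tcp cn1=88431 cs1=allow-web cs3=vsys1 cs4=trust "
    "cs5=untrust cs6=fwd-to-cdl cat=Example Threat Name request=report\\=final.pdf "
    "PanOSThreatID=PLACEHOLDER-ID exampleExtraKey=x"
)
```

Calling cef_to_cdl(SAMPLE) returns the mapped record; extension keys absent from the table are kept under "unmapped" so that nothing is silently dropped.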

to_zone (TO ZONE)
Networking zone to which the traffic was sent.
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone

tunnel.value (TUNNEL)
Type of tunnel.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnel
EMAIL field name: Tunnel
HTTPS field name: Tunnel
LEEF field name: Tunnel

tunneled_app (TUNNELED APPLICATION)
For internal use only.
CEF field name: PanOSTunneledApplication
EMAIL field name: TunneledApplication
HTTPS field name: TunneledApplication
LEEF field name: TunneledApplication

tunnelid_imsi (IMSI)
ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Syslog field name: Syslog Field Order
CEF field name: PanOSIMSI
EMAIL field name: IMSI
HTTPS field name: IMSI
LEEF field name: IMSI

url_domain The name of the internet domain that was visited in this
session.
(URL DOMAIN)
CEF field name: PanOSURLDomain
EMAIL field name: URLDomain
HTTPS field name: URLDomain
LEEF field name: URLDomain

url_idx (URL COUNTER)
The column that correlates the traffic, URL and sandbox logs.
Syslog field name: Syslog Field Order
CEF field name: PanOSURLCounter
EMAIL field name: URLCounter
HTTPS field name: URLCounter
LEEF field name: URLCounter

users (USERS)
Source/Destination user. If neither is available, source_ip is used.
CEF field name: PanOSUsers
EMAIL field name: Users
HTTPS field name: Users
LEEF field name: Users

vendor_name (VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

vendor_severity.value (VENDOR SEVERITY)
Severity associated with the event.
Syslog field name: Syslog Field Order
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity

verdict.value (VERDICT)
The verdict on the file sent for virus analysis.
CEF field name: PanOSVerdict
EMAIL field name: Verdict
HTTPS field name: Verdict
LEEF field name: Verdict

vsys (VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

vsys_id (VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name (VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

xff_ip.value (X-FORWARDED-FOR IP)
X-Forwarded-For IP.
Syslog field name: Syslog Field Order
CEF field name: PanOSX-Forwarded-ForIP
EMAIL field name: X-Forwarded-ForIP
HTTPS field name: X-Forwarded-ForIP
LEEF field name: X-Forwarded-ForIP

Threat Syslog Default Field Order


Example Threat log in Syslog:

Oct 13 01:12:15 gke-standard-cluster-2-pool-1-6ea9f13a-moqf 1028
<142>1 2020-10-13T01:12:15.892Z stream-logfwd20-156653024-10121421-
eq28-harness-16kn logforwarder - panwlogs - 1,
2020-10-13T01:12:03.000000Z,007051000113358,THREAT,wildfire,10.0,
2020-10-13T01:11:59.000000Z,fe80:aa33:abcd:444:7202:b3ff:fe1e:8329,
fe80:55ee:ee89:abcd:e202:b3ff:fe1e:8329,xxx.xx.x.xx,xxx.xx.x.xx,
allow-all-employees,paloaltonetwork\xxxxx,"xxxxx\xxxxx
o"xxxxxxxxxx"'"xxxxxxxxxx"test",xunlei-kankan,vsys1,dmz,
ethernet4Zone-test4,,,rs-logging,,721482,1,25342,442,16758,
29009,2899968,tcp,block-ip,some other fake filename,21000,,Low,
server to client,400993366,-6917529027641081856,chicago,US,,,0,
885e78ce802e42561193c1d76bd3a7ac3e2fec291508e6ba75d1e10ddb522869,
"xxxxxxxxxx",0,,filetype_name3,,,,,,10003,0,0,0,0,,PA-VM,,,,,0,,
0,,N/A,unknown,50118,0,,,,,75fd49ee-9899-4257-94f3-54abc79faa5a,
0,,xxx.xx.x.xx,S-Phone,s-profile,Redmi,Xiaomi,5 Plus,Android v8.2,
pan-603,264570122566,S-Phone,s-profile,S9,Samsung,Galaxy,Android
v9,pan-121,180872328842,1873cc5c-0d31,pns_default,pan-dp-77754f4,,,
6060606060,XM0000001,,,,0,2020-10-13T01:12:00.306000Z,,,172,ac

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value,
rule_matched, source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value,
outbound_if.value, log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port,
nat_source_port, nat_dest_port, flags, protocol.value, action.value, file_name, threat_id,
url_category.value, vendor_severity.value, direction_of_attack.value, sequence_no, action_flags,
source_location, dest_location, EMPTY, EMPTY, pcap_id, file_sha_256, cloud, url_idx,
EMPTY, file_type, EMPTY, EMPTY, sender_of_virus, subject_of_email, recipient_of_virus,
report_id, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name,
log_source_name, EMPTY, source_uuid, dest_uuid, EMPTY, tunnelid_imsi, monitor_tag_imei,
parent_session_id, parent_start_time, tunnel.value, threat_category.value, content_version,
sig_flags, EMPTY, EMPTY, EMPTY, EMPTY, rule_matched_uuid, http2_connection,
dynusergroup_name, xff_ip.value, source_device_category, source_device_profile,
source_device_model, source_device_vendor, source_device_osfamily, source_device_osversion,
source_device_host, source_device_mac, dest_device_category, dest_device_profile,
dest_device_model, dest_device_vendor, dest_device_osfamily, dest_device_osversion,
dest_device_host, dest_device_mac, container_id, pod_namespace, pod_name, source_edl,
dest_edl, host_id, endpoint_serial_number, domain_edl, source_dynamic_address_group,
dest_dynamic_address_group, partial_hash, time_generated_high_res, EMPTY, EMPTY,
nssai_network_slice_type.value
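
As an added example (not part of this reference or of the Log Forwarding app), the following Python maps one forwarded Threat line onto the query names above by column position, and rejects a line whose column count does not match the default order. It assumes the frame starts at the RFC 5424 PRI field, as in the example above; the sample line it builds is constructed, not a captured log.

```python
import csv
import io
import re

# Default Threat field order for filters migrated from an earlier Log Forwarding
# version, as listed in this reference. EMPTY marks reserved, always-blank columns.
THREAT_SYSLOG_FIELDS = [
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "time_generated", "source_ip.value", "dest_ip.value",
    "nat_source.value", "nat_dest.value", "rule_matched", "source_user", "dest_user",
    "app", "vsys", "from_zone", "to_zone", "inbound_if.value", "outbound_if.value",
    "log_set", "EMPTY", "session_id", "count_of_repeats", "source_port", "dest_port",
    "nat_source_port", "nat_dest_port", "flags", "protocol.value", "action.value",
    "file_name", "threat_id", "url_category.value", "vendor_severity.value",
    "direction_of_attack.value", "sequence_no", "action_flags", "source_location",
    "dest_location", "EMPTY", "EMPTY", "pcap_id", "file_sha_256", "cloud", "url_idx",
    "EMPTY", "file_type", "EMPTY", "EMPTY", "sender_of_virus", "subject_of_email",
    "recipient_of_virus", "report_id", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "log_source_name", "EMPTY",
    "source_uuid", "dest_uuid", "EMPTY", "tunnelid_imsi", "monitor_tag_imei",
    "parent_session_id", "parent_start_time", "tunnel.value", "threat_category.value",
    "content_version", "sig_flags", "EMPTY", "EMPTY", "EMPTY", "EMPTY",
    "rule_matched_uuid", "http2_connection", "dynusergroup_name", "xff_ip.value",
    "source_device_category", "source_device_profile", "source_device_model",
    "source_device_vendor", "source_device_osfamily", "source_device_osversion",
    "source_device_host", "source_device_mac", "dest_device_category",
    "dest_device_profile", "dest_device_model", "dest_device_vendor",
    "dest_device_osfamily", "dest_device_osversion", "dest_device_host",
    "dest_device_mac", "container_id", "pod_namespace", "pod_name", "source_edl",
    "dest_edl", "host_id", "endpoint_serial_number", "domain_edl",
    "source_dynamic_address_group", "dest_dynamic_address_group", "partial_hash",
    "time_generated_high_res", "EMPTY", "EMPTY", "nssai_network_slice_type.value",
]

# RFC 5424 frame as emitted by the log forwarder (see the example above):
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)


def parse_threat_syslog(line):
    """Map one forwarded Threat line onto query names by column position."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 frame")
    # The body is CSV; csv handles quoted fields holding commas or doubled quotes
    # (file names, user names), which a naive split on ',' would break.
    cols = next(csv.reader([m.group("msg")]))
    if len(cols) != len(THREAT_SYSLOG_FIELDS):
        raise ValueError(f"expected {len(THREAT_SYSLOG_FIELDS)} columns, got "
                         f"{len(cols)}; the filter is not using the default order")
    facility, severity = divmod(int(m.group("pri")), 8)
    record = {"syslog_host": m.group("host"), "syslog_facility": facility,
              "syslog_severity": severity}
    for name, value in zip(THREAT_SYSLOG_FIELDS, cols):
        if name != "EMPTY":  # reserved columns carry no data
            record[name] = value
    return record


# Constructed sample values (not a captured log); unlisted columns stay blank.
SAMPLE_VALUES = {
    "HEADER": "1", "log_time": "2020-10-13T01:12:03.000000Z",
    "log_source_id": "000000000000000", "log_type.value": "THREAT",
    "sub_type.value": "wildfire", "time_generated": "2020-10-13T01:11:59.000000Z",
    "source_ip.value": "192.0.2.10", "dest_ip.value": "198.51.100.20",
    "rule_matched": "allow-all-employees", "source_user": r"example\jdoe",
    "app": "web-browsing", "vsys": "vsys1", "from_zone": "dmz", "to_zone": "untrust",
    "session_id": "721482", "dest_port": "443", "protocol.value": "tcp",
    "action.value": "block-ip",
    "file_name": 'quarterly "report", final.pdf',  # forces CSV quoting
    "threat_id": "21000", "vendor_severity.value": "Low",
    "direction_of_attack.value": "server to client",
    "time_generated_high_res": "2020-10-13T01:12:00.306000Z",
    "nssai_network_slice_type.value": "172",
}


def build_sample_line(values):
    """Assemble a default-order line from a name->value dict (test input only)."""
    row = [values.get(name, "") for name in THREAT_SYSLOG_FIELDS]
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(row)
    return ("<142>1 2020-10-13T01:12:15.892Z logfwd-host logforwarder - panwlogs - "
            + buf.getvalue())


if __name__ == "__main__":
    rec = parse_threat_syslog(build_sample_line(SAMPLE_VALUES))
    print(rec["action.value"], rec["file_name"], rec["syslog_facility"])
```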

Threat CEF Fields


Example Threat log in CEF:

Mar 1 20:48:22 gke-standard-cluster-2-default-pool-2c7fa720-sw0m 4465
<14>1 2021-03-01T20:48:22.900Z stream-logfwd20-587718190-03011242-
xynu-harness-l80k logforwarder - panwlogs - CEF:0|Palo Alto
Networks|LF|2.0|THREAT|spyware|1|ProfileToken=xxxxx dtz=UTC
rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx start=Mar
01 2021 20:48:16 PanOSApplicationCategory=general-internet
PanOSApplicationContainer=sina-weibo PanOSApplicationRisk=4
PanOSApplicationSubcategory=social-networking
PanOSApplicationTechnology=browser-based PanOSCaptivePortal=false
PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx
PanOSDestinationDeviceClass= PanOSDestinationDeviceOS=
dntdom=paloaltonetwork duser=xxxxx duid=
PanOSHTTPMethod=get PanOSInboundInterfaceDetailsPort=0
PanOSInboundInterfaceDetailsSlot=0
PanOSInboundInterfaceDetailsType=unknown
PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true
PanOSIsContainer=false PanOSIsDecryptMirror=false
PanOSIsDecrypted=false PanOSIsDuplicateLog=false
PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false
PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false
PanOSIsPhishing=false PanOSIsPrismaNetwork=false
PanOSIsPrismaUsers=false PanOSIsProxy=false
PanOSIsReconExcluded=false PanOSIsSaaSApplication=false
PanOSIsServertoClient=false PanOSIsSourceXForwarded=true
PanOSIsSystemReturn=true PanOSIsTransaction=false
PanOSIsTunnelInspected=false PanOSIsURLDenied=false
PanOSLogExported=false PanOSLogForwarded=true
PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset=
PanOSNAT=false PanOSNonStandardDestinationPort=13884
PanOSOutboundInterfaceDetailsPort=0
PanOSOutboundInterfaceDetailsSlot=0
PanOSOutboundInterfaceDetailsType=unknown
PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket=
PanOSPayloadProtocolID=-1 PanOSSanctionedStateOfApp=false
PanOSSeverity=Informational PanOSSourceDeviceClass=
PanOSSourceDeviceOS= sntdom=paloaltonetwork suser=xxxxx
suid= cat=27379 PanOSThreatNameFirewall=27379
PanOSTunneledApplication=tunneled-app PanOSURLDomain=
PanOSUsers=paloaltonetwork\\xxxxx PanOSVerdict=
PanOSVirtualSystemID=1 c6a2=fe80:110:8897:efab:9202:b3ff:fe1e:8329
c6a2Label=Source IPv6 Address
c6a3=fe80:110:8897:efab:9202:b3ff:fe1e:8329 c6a3Label=Destination IPv6 Address
sourceTranslatedAddress=xxx.xx.x.xx
destinationTranslatedAddress=xxx.xx.x.xx cs1=deny-attackers
cs1Label=Rule suser0=paloaltonetwork\\xxxxx duser0=paloaltonetwork
\\xxxxx app=sina-weibo-base cs3=vsys1 cs3Label=VirtualLocation
cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-
test4 cs5Label=ToZone deviceInboundInterface=unknown
deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting
cn1=947181 cn1Label=SessionID cnt=1 spt=13884 dpt=4228
sourceTranslatedPort=30116 destinationTranslatedPort=20966
proto=tcp act=drop-all request=some other fake filename
PanOSThreatID=27379(27379) flexString2=server to client
flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx
PanOSSourceLocation=LY PanOSDestinationLocation=BR
fileId=0 PanOSFileHash= PanOSApplianceOrCloud=
PanOSURLCounter=0 PanOSFileType= PanOSSenderEmail=
PanOSEmailSubject= PanOSRecipientEmail= PanOSReportID=0
PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0
PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0
PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID=
PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0
PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/
A PanOSThreatCategory=unknown PanOSContentVersion=50059
PanOSSigFlags=0x0 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615
PanOSHTTP2Connection=0 PanOSDynamicUserGroupName=
PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=X-Phone
PanOSSourceDeviceProfile=x-profile PanOSSourceDeviceModel=Note
4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6
PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505
PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=X-
Phone PanOSDestinationDeviceProfile=x-profile
PanOSDestinationDeviceModel=MI PanOSDestinationDeviceVendor=Xiaomi
PanOSDestinationDeviceOSFamily=A1
PanOSDestinationDeviceOSVersion=Android
v9.1 PanOSDestinationDeviceHost=pan-622
PanOSDestinationDeviceMac=620797415366
PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default
PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx
PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL=
PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup=
PanOSPartialHash=0 PanOSTimeGeneratedHighResolution=Mar 01 2021
20:48:16 PanOSNSSAINetworkSliceType=dc

The following table identifies the Threat field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name Field Details

act Query Name: action.value


Header Type: Predefined
Max Length: 63

app Query Name: app
Header Type: Predefined
Max Length: 31

PanOSApplicationCategory Query Name: app_category


Header Type: Custom

PanOSApplicationSubcategory Query Name: app_sub_category


Header Type: Custom

PanOSApplianceOrCloud Query Name: cloud


Header Type: Custom

PanOSCloudHostname Query Name: cloud_hostname


Header Type: Custom

PanOSCloudReportID Query Name: cloud_reportid


Header Type: Custom

PanOSConfigVersion Query Name: config_version.value


Header Type: Custom

PanOSContainerID Query Name: container_id


Header Type: Custom

PanOSApplicationContainer Query Name: container_of_app


Header Type: Custom

PanOSContentVersion Query Name: content_version


Header Type: Custom

cnt Query Name: count_of_repeats


Header Type: Predefined

PanOSCortexDataLakeTenantID Query Name: customer_id


Header Type: Custom

PanOSDestinationDeviceCategory Query Name: dest_device_category


Header Type: Custom

PanOSDestinationDeviceClass Query Name: dest_device_class
Header Type: Custom

PanOSDestinationDeviceHost Query Name: dest_device_host


Header Type: Custom

PanOSDestinationDeviceMac Query Name: dest_device_mac


Header Type: Custom

PanOSDestinationDeviceModel Query Name: dest_device_model


Header Type: Custom

PanOSDestinationDeviceOS Query Name: dest_device_os


Header Type: Custom

PanOSDestinationDeviceOSFamily Query Name: dest_device_osfamily


Header Type: Custom

PanOSDestinationDeviceOSVersion Query Name: dest_device_osversion


Header Type: Custom

PanOSDestinationDeviceProfile Query Name: dest_device_profile


Header Type: Custom

PanOSDestinationDeviceVendor Query Name: dest_device_vendor


Header Type: Custom

PanOSDestinationDynamicAddressGroup Query Name: dest_dynamic_address_group


Header Type: Custom

PanOSDestinationEDL Query Name: dest_edl


Header Type: Custom

dst or c6a3 Query Name: dest_ip.value


Header Type: Predefined
Label: || c6a3Label
Label Text: || Destination IPv6 Address

PanOSDestinationLocation Query Name: dest_location


Header Type: Custom

dpt Query Name: dest_port


Header Type: Predefined

duser Query Name: dest_user


Header Type: Predefined
Max Length: 1023

dntdom Query Name: dest_user_info.domain


Header Type: Predefined
Max Length: 255

dusername, duser Query Name: dest_user_info.name


Header Type: Predefined
Max Length: 255

duid Query Name: dest_user_info.uuid


Header Type: Predefined
Max Length: 255

PanOSDestinationUUID Query Name: dest_uuid


Header Type: Custom

PanOSDGHierarchyLevel1 Query Name: dg_hier_level_1


Header Type: Custom

PanOSDGHierarchyLevel2 Query Name: dg_hier_level_2


Header Type: Custom

PanOSDGHierarchyLevel3 Query Name: dg_hier_level_3


Header Type: Custom

PanOSDGHierarchyLevel4 Query Name: dg_hier_level_4


Header Type: Custom

flexString2 Query Name: direction_of_attack.value


Header Type: Predefined
Label: flexString2Label
Label Text: DirectionOfAttack
Max Length: 1023

PanOSDomainEDL Query Name: domain_edl


Header Type: Custom

PanOSDynamicUserGroupName Query Name: dynusergroup_name


Header Type: Custom

PanOSEndpointSerialNumber Query Name: endpoint_serial_number


Header Type: Custom

request Query Name: file_name


Header Type: Predefined
Max Length: 1023

PanOSFileHash Query Name: file_sha_256


Header Type: Custom

PanOSFileType Query Name: file_type


Header Type: Custom

PanOSFileURL Query Name: file_url


Header Type: Custom

FlowType Query Name: flow_type.value


Header Type: Custom

cs4 Query Name: from_zone


Header Type: Predefined
Label: cs4Label
Label Text: FromZone
Max Length: 4000

PanOSHostID Query Name: host_id


Header Type: Custom

PanOSHTTP2Connection Query Name: http2_connection


Header Type: Custom

PanOSHTTPMethod Query Name: http_method.value


Header Type: Custom

deviceInboundInterface Query Name: inbound_if.value


Header Type: Predefined
Max Length: 128

PanOSInboundInterfaceDetailsPort Query Name: inbound_if_details.port


Header Type: Custom

PanOSInboundInterfaceDetailsSlot Query Name: inbound_if_details.slot


Header Type: Custom

PanOSInboundInterfaceDetailsType Query Name: inbound_if_details.type.value


Header Type: Custom

PanOSInboundInterfaceDetailsUnit Query Name: inbound_if_details.unit


Header Type: Custom

PanOSCaptivePortal Query Name: is_captive_portal


Header Type: Custom

PanOSIsClienttoServer Query Name: is_client_to_server


Header Type: Custom

PanOSIsContainer Query Name: is_container


Header Type: Custom

PanOSIsDecryptMirror Query Name: is_decrypt_mirror


Header Type: Custom

PanOSIsDecrypted Query Name: is_decrypted


Header Type: Custom

PanOSIsDuplicateLog Query Name: is_dup_log


Header Type: Custom

PanOSIsEncrypted Query Name: is_encrypted


Header Type: Custom

PanOSLogExported Query Name: is_exported


Header Type: Custom

PanOSLogForwarded Query Name: is_forwarded


Header Type: Custom

PanOSIsIPV6 Query Name: is_ipv6


Header Type: Custom

PanOSIsMptcpOn Query Name: is_mptcp_on


Header Type: Custom

PanOSNAT Query Name: is_nat


Header Type: Custom

PanOSIsNonStandardDestinationPort Query Name: is_non_std_dest_port


Header Type: Custom

PanOSIsPacketCapture Query Name: is_packet_capture


Header Type: Custom

PanOSIsPhishing Query Name: is_phishing


Header Type: Custom

PanOSIsPrismaNetwork Query Name: is_prisma_branch


Header Type: Custom

PanOSIsPrismaUsers Query Name: is_prisma_mobile


Header Type: Custom

PanOSIsProxy Query Name: is_proxy


Header Type: Custom

PanOSIsReconExcluded Query Name: is_recon_excluded


Header Type: Custom

PanOSIsSaaSApplication Query Name: is_saas_app


Header Type: Custom

PanOSIsServertoClient Query Name: is_server_to_client
Header Type: Custom

PanOSIsSourceXForwarded Query Name: is_source_x_fwded


Header Type: Custom

PanOSIsSystemReturn Query Name: is_sym_return


Header Type: Custom

PanOSIsTransaction Query Name: is_transaction


Header Type: Custom

PanOSIsTunnelInspected Query Name: is_tunnel_inspected


Header Type: Custom

PanOSIsURLDenied Query Name: is_url_denied


Header Type: Custom

PanOSLocation Query Name: location


Header Type: Custom

cs6 Query Name: log_set


Header Type: Predefined
Label: cs6Label
Label Text: LogSetting
Max Length: 4000

PanOSLogSource Query Name: log_source


Header Type: Custom

LogSourceGroupID Query Name: log_source_group_id


Header Type: Custom

deviceExternalId Query Name: log_source_id


Header Type: Predefined
Max Length: 255

dvchost Query Name: log_source_name


Header Type: Predefined
Max Length: 100

PanOSLogSourceTimeZoneOffset Query Name: log_source_tz_offset


Header Type: Custom

rt Query Name: log_time


Header Type: Predefined

Device Event Class ID Query Name: log_type.value


Header Type: Custom

PanOSIMEI Query Name: monitor_tag_imei


Header Type: Custom

destinationTranslatedAddress Query Name: nat_dest.value


Header Type: Predefined

destinationTranslatedPort Query Name: nat_dest_port


Header Type: Predefined

sourceTranslatedAddress Query Name: nat_source.value


Header Type: Predefined

sourceTranslatedPort Query Name: nat_source_port


Header Type: Predefined

PanOSNonStandardDestinationPort Query Name: non_standard_dest_port


Header Type: Custom

PanOSNSSAINetworkSliceType Query Name: nssai_network_slice_type.value


Header Type: Custom

deviceOutboundInterface Query Name: outbound_if.value


Header Type: Predefined
Max Length: 128

PanOSOutboundInterfaceDetailsPort Query Name: outbound_if_details.port


Header Type: Custom

PanOSOutboundInterfaceDetailsSlot Query Name: outbound_if_details.slot


Header Type: Custom

PanOSOutboundInterfaceDetailsType Query Name: outbound_if_details.type.value


Header Type: Custom

PanOSOutboundInterfaceDetailsUnit Query Name: outbound_if_details.unit


Header Type: Custom

PanOSPanoramaSN Query Name: panorama_serial


Header Type: Custom

PanOSParentSessionID Query Name: parent_session_id


Header Type: Custom

PanOSParentStarttime Query Name: parent_start_time


Header Type: Custom

PanOSPartialHash Query Name: partial_hash


Header Type: Custom

PanOSPayloadProtocolID Query Name: payload_protocol_id


Header Type: Custom

PanOSPacket Query Name: pcap


Header Type: Custom

fileId Query Name: pcap_id


Header Type: Predefined
Max Length: 1023

PlatformType Query Name: platform_type


Header Type: Custom

PanOSContainerName Query Name: pod_name


Header Type: Custom

PanOSContainerNameSpace Query Name: pod_namespace


Header Type: Custom

proto Query Name: protocol.value


Header Type: Predefined
Max Length: 31

PanOSRecipientEmail Query Name: recipient_of_virus


Header Type: Custom

PanOSReportID Query Name: report_id


Header Type: Custom

PanOSApplicationRisk Query Name: risk_of_app


Header Type: Custom

cs1 Query Name: rule_matched


Header Type: Predefined
Label: cs1Label
Label Text: Rule
Max Length: 4000

PanOSRuleUUID Query Name: rule_matched_uuid


Header Type: Custom

PanOSSanctionedStateOfApp Query Name: sanctioned_state_of_app


Header Type: Custom

PanOSSenderEmail Query Name: sender_of_virus


Header Type: Custom

externalId Query Name: sequence_no


Header Type: Predefined
Max Length: 40

cn1 Query Name: session_id


Header Type: Predefined
Label: cn1Label
Label Text: SessionID

PanOSSeverity Query Name: severity


Header Type: Custom

PanOSSigFlags Query Name: sig_flags
Header Type: Custom

PanOSSourceDeviceCategory Query Name: source_device_category


Header Type: Custom

PanOSSourceDeviceClass Query Name: source_device_class


Header Type: Custom

PanOSSourceDeviceHost Query Name: source_device_host


Header Type: Custom

PanOSSourceDeviceMac Query Name: source_device_mac


Header Type: Custom

PanOSSourceDeviceModel Query Name: source_device_model


Header Type: Custom

PanOSSourceDeviceOS Query Name: source_device_os


Header Type: Custom

PanOSSourceDeviceOSFamily Query Name: source_device_osfamily


Header Type: Custom

PanOSSourceDeviceOSVersion Query Name: source_device_osversion


Header Type: Custom

PanOSSourceDeviceProfile Query Name: source_device_profile


Header Type: Custom

PanOSSourceDeviceVendor Query Name: source_device_vendor


Header Type: Custom

PanOSSourceDynamicAddressGroup Query Name: source_dynamic_address_group


Header Type: Custom

PanOSSourceEDL Query Name: source_edl


Header Type: Custom

src or c6a2 Query Name: source_ip.value


Header Type: Predefined
Label: || c6a2Label
Label Text: || Source IPv6 Address

PanOSSourceLocation Query Name: source_location


Header Type: Custom

spt Query Name: source_port


Header Type: Predefined

suser Query Name: source_user


Header Type: Predefined
Max Length: 1023

sntdom Query Name: source_user_info.domain


Header Type: Predefined
Max Length: 1023

susername, suser Query Name: source_user_info.name


Header Type: Predefined
Max Length: 1023

suid Query Name: source_user_info.uuid


Header Type: Predefined
Max Length: 1023

PanOSSourceUUID Query Name: source_uuid


Header Type: Custom

Name Query Name: sub_type.value


Header Type: Custom

PanOSEmailSubject Query Name: subject_of_email


Header Type: Custom

PanOSApplicationTechnology Query Name: technology_of_app


Header Type: Custom

PanOSThreatCategory Query Name: threat_category.value


Header Type: Custom

PanOSThreatID Query Name: threat_id


Header Type: Custom

cat Query Name: threat_name


Header Type: Predefined
Max Length: 1023

PanOSThreatNameFirewall Query Name: threat_name_firewall


Header Type: Custom

start Query Name: time_generated


Header Type: Predefined

PanOSTimeGeneratedHighResolution Query Name: time_generated_high_res


Header Type: Custom

cs5 Query Name: to_zone


Header Type: Predefined
Label: cs5Label
Label Text: ToZone
Max Length: 4000

PanOSTunnel Query Name: tunnel.value


Header Type: Custom

PanOSTunneledApplication Query Name: tunneled_app


Header Type: Custom

PanOSIMSI Query Name: tunnelid_imsi


Header Type: Custom

PanOSURLDomain Query Name: url_domain


Header Type: Custom

PanOSURLCounter Query Name: url_idx


Header Type: Custom

PanOSUsers Query Name: users
Header Type: Custom

Device Vendor Query Name: vendor_name


Header Type: Custom

PanOSVendorSeverity Query Name: vendor_severity.value


Header Type: Custom

PanOSVerdict Query Name: verdict.value


Header Type: Custom

cs3 Query Name: vsys


Header Type: Predefined
Label: cs3Label
Label Text: VirtualLocation
Max Length: 4000

PanOSVirtualSystemID Query Name: vsys_id


Header Type: Custom

PanOSVirtualSystemName Query Name: vsys_name


Header Type: Custom

PanOSX-Forwarded-ForIP Query Name: xff_ip.value


Header Type: Custom
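
As an added example that is not part of this reference, the following Python parses a forwarded CEF Threat record: it splits the pipe-delimited header, splits the extension on key=value boundaries (values may contain spaces), undoes CEF escaping, resolves csN/cnN/c6aN custom fields through their Label companions, and renames a subset of the keys in the table above to query names. The sample record and the CEF_TO_QUERY subset are assumptions built from that table; unmapped PanOS* keys are kept under their CEF names.

```python
import re

# CEF header positions, using the query names this reference assigns to Device
# Vendor, Device Event Class ID and Name; the others keep descriptive CEF names.
CEF_HEADER_FIELDS = ("cef_version", "vendor_name", "device_product", "device_version",
                     "log_type.value", "sub_type.value", "cef_severity")

# Subset of the CEF name -> query name table above. Keys not listed here (most
# PanOS* fields) pass through unchanged, so they can still be found in the table.
CEF_TO_QUERY = {
    "act": "action.value", "app": "app", "rt": "log_time", "start": "time_generated",
    "deviceExternalId": "log_source_id", "dvchost": "log_source_name",
    "src": "source_ip.value", "c6a2": "source_ip.value",
    "dst": "dest_ip.value", "c6a3": "dest_ip.value",
    "spt": "source_port", "dpt": "dest_port", "proto": "protocol.value",
    "suser": "source_user", "duser": "dest_user", "request": "file_name",
    "cnt": "count_of_repeats", "cn1": "session_id", "cs1": "rule_matched",
    "cs3": "vsys", "cs4": "from_zone", "cs5": "to_zone", "cs6": "log_set",
    "flexString2": "direction_of_attack.value", "externalId": "sequence_no",
    "fileId": "pcap_id", "cat": "threat_name", "PanOSThreatID": "threat_id",
    "PanOSSeverity": "severity", "PanOSThreatCategory": "threat_category.value",
    "PanOSRuleUUID": "rule_matched_uuid", "PanOSUsers": "users",
    "PanOSFileHash": "file_sha_256", "PanOSX-Forwarded-ForIP": "xff_ip.value",
}

_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def unescape_ext(value):
    """Undo extension escaping: backslash before a backslash, '=', 'n' or 'r'."""
    return re.sub(r"\\([\\=nr])", lambda m: _EXT_ESCAPES[m.group(1)], value)


def split_cef_header(cef):
    """Split 'CEF:0|...' into its seven header fields and the extension string."""
    # Only unescaped pipes delimit the header; the extension may contain pipes.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = [p.replace("\\|", "|").replace("\\\\", "\\") for p in parts[:7]]
    header[0] = header[0][len("CEF:"):]
    return header, parts[7]


def parse_extension(ext):
    """Split 'key=value key2=value with spaces' into a dict; values keep spaces."""
    pairs = {}
    # A new pair starts only where a space is followed by 'key='.
    for token in re.split(r" (?=[A-Za-z0-9_.-]+=)", ext.strip()):
        key, _, value = token.partition("=")
        pairs[key] = unescape_ext(value)
    return pairs


def to_query_names(pairs):
    """Rename CEF keys to query names; csN/cnN/c6aN fall back to their Label text."""
    labels = {k[:-len("Label")]: v for k, v in pairs.items() if k.endswith("Label")}
    record = {}
    for key, value in pairs.items():
        if key.endswith("Label"):
            continue  # consumed as a label, not data
        record[CEF_TO_QUERY.get(key) or labels.get(key) or key] = value
    return record


def parse_cef_threat(syslog_line):
    """Parse one forwarded CEF Threat record into query-name keyed fields."""
    start = syslog_line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    header, ext = split_cef_header(syslog_line[start:])
    record = dict(zip(CEF_HEADER_FIELDS, header))
    record.update(to_query_names(parse_extension(ext)))
    return record


# Constructed sample in the shape of the example above (placeholder values).
SAMPLE_CEF = (
    "<14>1 2021-03-01T20:48:22.900Z logfwd-host logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|THREAT|spyware|1|"
    "rt=Mar 01 2021 20:48:21 deviceExternalId=000000000000000 "
    "start=Mar 01 2021 20:48:16 PanOSSeverity=Informational "
    "PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= "
    "cat=27379 PanOSUsers=example\\\\jdoe "
    "c6a2=2001:db8::10 c6a2Label=Source IPv6 Address "
    "c6a3=2001:db8::20 c6a3Label=Destination IPv6 Address "
    "cs1=deny-attackers cs1Label=Rule app=sina-weibo-base "
    "cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone "
    "cs5=ethernet4Zone-test4 cs5Label=ToZone cn1=947181 cn1Label=SessionID "
    "cnt=1 spt=13884 dpt=4228 proto=tcp act=drop-all "
    "request=report Q1\\=final.pdf PanOSThreatID=27379(27379) "
    "flexString2=server to client flexString2Label=DirectionOfAttack"
)

if __name__ == "__main__":
    rec = parse_cef_threat(SAMPLE_CEF)
    print(rec["rule_matched"], rec["dest_ip.value"], rec["file_name"])
```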

Threat EMAIL Fields


Example Threat log in EMAIL:

TimeReceived=2021-02-22T03:56:10.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=THREAT
Subtype=vulnerability
ConfigVersion=10.0
TimeGenerated=2021-02-22T03:55:57.000000Z
SourceAddress=xxx.xx.x.xx
DestinationAddress=xxx.xx.x.xx
NATSource=
NATDestination=xxx.xx.x.xx
Rule=deny-attackers
SourceUser="paloaltonetwork\xxxxx"
DestinationUser="paloaltonetwork\xxxxx"
Application=gtpv1-c
VirtualLocation=vsys1
FromZone=ethernet4Zone-test2
ToZone=partners
InboundInterface=unknown
OutboundInterface=unknown
LogSetting=rs-logging
SessionID=855279
RepeatCount=1
SourcePort=29447
DestinationPort=10810
NATSourcePort=9459
NATDestinationPort=20230
Protocol=tcp
Action=reset-server
FileName=some other fake filename
ThreatID=Bot: Backdoor_Win32_IRCBot_emv(19974)
VendorSeverity=High
DirectionOfAttack=client to server
SequenceNo=2638696487
SourceLocation=east-coast
DestinationLocation=ZZ
PacketID=0
FileHash=
ApplianceOrCloud=
URLCounter=0
FileType=
SenderEmail=
EmailSubject=
RecipientEmail=
ReportID=0
DGHierarchyLevel1=11
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=xxxxx
SourceUUID=
DestinationUUID=
IMSI=47
IMEI=xxxxx
ParentSessionID=7605
ParentStarttime=2021-02-22T03:55:57.000000Z
Tunnel=GTP-U-TCI
ThreatCategory=backdoor
ContentVersion=50199
SigFlags=0x2
RuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615
HTTP2Connection=0
DynamicUserGroupName=
X-Forwarded-ForIP=xxx.xx.x.xx
SourceDeviceCategory=S-Phone
SourceDeviceProfile=s-profile
SourceDeviceModel=720P/60
SourceDeviceVendor=Samsung
SourceDeviceOSFamily=M4500
SourceDeviceOSVersion=Android v8
SourceDeviceHost=pan-123
SourceDeviceMac=264989591511
DestinationDeviceCategory=S-Phone
DestinationDeviceProfile=s-profile
DestinationDeviceModel=S9
DestinationDeviceVendor=Samsung
DestinationDeviceOSFamily=Galaxy
DestinationDeviceOSVersion=Android v9
DestinationDeviceHost=pan-121
DestinationDeviceMac=180872328842
ContainerID=1873cc5c-0d31
ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4
SourceEDL=
DestinationEDL=
HostID=1010101010
EndpointSerialNumber=xxxxxxxxxxxxxx
DomainEDL=
SourceDynamicAddressGroup=
DestinationDynamicAddressGroup=
PartialHash=0
TimeGeneratedHighResolution=2021-02-22T03:55:57.964000Z
NSSAINetworkSliceType=f1

The following table identifies the Threat field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.

EMAIL Name Query Name

Action action.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

ApplianceOrCloud cloud

CloudHostname cloud_hostname

CloudReportID cloud_reportid

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

ContentVersion content_version

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DirectionOfAttack direction_of_attack.value

DomainEDL domain_edl

DynamicUserGroupName dynusergroup_name

EndpointSerialNumber endpoint_serial_number

FileName file_name

FileHash file_sha_256

FileType file_type

FileURL file_url

FlowType flow_type.value

FromZone from_zone

HostID host_id

HTTP2Connection http2_connection

HTTPMethod http_method.value

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStarttime parent_start_time

PartialHash partial_hash

PayloadProtocolID payload_protocol_id

Packet pcap

PacketID pcap_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

Protocol protocol.value

RecipientEmail recipient_of_virus

ReportID report_id

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp sanctioned_state_of_app

SenderEmail sender_of_virus

SequenceNo sequence_no

SessionID session_id

Severity severity

SigFlags sig_flags

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype sub_type.value

EmailSubject subject_of_email

ApplicationTechnology technology_of_app

ThreatCategory threat_category.value

ThreatID threat_id

ThreatName threat_name

ThreatNameFirewall threat_name_firewall

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

Tunnel tunnel.value

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URLDomain url_domain

URLCounter url_idx

Users users

VendorName vendor_name

VendorSeverity vendor_severity.value

Verdict verdict.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

X-Forwarded-ForIP xff_ip.value

Threat HTTPS Fields


The following table identifies the Threat field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

Action action.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

ApplianceOrCloud cloud

CloudHostname cloud_hostname

CloudReportID cloud_reportid

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

ContentVersion content_version

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DirectionOfAttack direction_of_attack.value

DomainEDL domain_edl

DynamicUserGroupName dynusergroup_name

EndpointSerialNumber endpoint_serial_number

FileName file_name

FileHash file_sha_256

FileType file_type

FileURL file_url

FlowType flow_type.value

FromZone from_zone

HostID host_id

HTTP2Connection http2_connection

HTTPMethod http_method.value

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStarttime parent_start_time

PartialHash partial_hash

PayloadProtocolID payload_protocol_id

Packet pcap

PacketID pcap_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

Protocol protocol.value

RecipientEmail recipient_of_virus

ReportID report_id

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp sanctioned_state_of_app

SenderEmail sender_of_virus

SequenceNo sequence_no

SessionID session_id

Severity severity

SigFlags sig_flags

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype sub_type.value

EmailSubject subject_of_email

ApplicationTechnology technology_of_app

ThreatCategory threat_category.value

ThreatID threat_id

ThreatName threat_name

ThreatNameFirewall threat_name_firewall

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

Tunnel tunnel.value

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URLDomain url_domain

URLCounter url_idx

Users users

VendorName vendor_name

VendorSeverity vendor_severity.value

Verdict verdict.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

X-Forwarded-ForIP xff_ip.value

Threat LEEF Fields


Example Threat log in LEEF:

Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z
stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder
- panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation
Firewall|10.1|2| |TimeReceived=2021-09-21T01:47:20.000000Z
DeviceSN=xxxxxxxxxxxxx cat=threat SubType=packet ConfigVersion=10.1
devTime=2021-09-21T01:47:18.000000Z src=xxx.xx.x.xx dst=xxx.xx.x.xx
srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx Rule=allow-business-apps
usrName=paloaltonetwork\xxxxx DestinationUser=paloaltonetwork\xxxxx
Application=websense VirtualLocation=vsys1
FromZone=datacenter ToZone=datacenter InboundInterface=ethernet1/1
OutboundInterface=ethernet1/4 LogSetting=rs-logging
SessionID=366981 RepeatCount=1 srcPort=12023 dstPort=8466
srcPostNATPort=2374 dstPostNATPort=2463 proto=tcp Action=drop-packet
FileName=0123456789012345678901234567890123456789012345678901234
VendorSeverity=Low DirectionOfAttack=client to server
SequenceNo=7003061085140560926 SourceLocation=dallas
DestinationLocation=IN PacketID=0 FileHash= ApplianceOrCloud=
URLCounter=0 FileType= SenderEmail= EmailSubject=
RecipientEmail= ReportID=0 DGHierarchyLevel1=11
DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0
VirtualSystemName= DeviceName=xxxxx SourceUUID=
DestinationUUID= IMSI=35 IMEI=datacenter ParentSessionID=5534
ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=GTP-U-TCI
ThreatCategory=unknown ContentVersion=50122 SigFlags=0x0
RuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8
HTTP2Connection=0 DynamicUserGroupName= X-Forwarded-ForIP=xxx.xx.x.xx
SourceDeviceCategory=A-Phone
SourceDeviceProfile=a-profile SourceDeviceModel=720P/60
SourceDeviceVendor=Samsung SourceDeviceOSFamily=M4500
SourceDeviceOSVersion=Android v8 SourceDeviceHost=pan-123
SourceDeviceMac=264989591511 DestinationDeviceCategory=A-Phone
DestinationDeviceProfile=a-profile DestinationDeviceModel=iPhone
DestinationDeviceVendor=Apple DestinationDeviceOSFamily=9
DestinationDeviceOSVersion=iOS 9 DestinationDeviceHost=pan-233
DestinationDeviceMac=743514319696 ContainerID=1873cc5c-0d31
ContainerNameSpace=pns_default ContainerName=pan-dp-77754f4
SourceEDL= DestinationEDL= HostID=1010101010
EndpointSerialNumber=xxxxxxxxxxxxxx DomainEDL=
SourceDynamicAddressGroup= DestinationDynamicAddressGroup=
PartialHash=0
TimeGeneratedHighResolution=2021-09-21T01:47:18.732000Z
NSSAINetworkSliceType=be devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the Threat field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth), in a parameter called profileToken.

LEEF Name Query Name Field Type

Action action.value Custom

Application app Custom

ApplicationCategory app_category Custom

ApplicationSubcategory app_sub_category Custom

ApplianceOrCloud cloud Custom

CloudHostname cloud_hostname Custom

CloudReportID cloud_reportid Custom

ConfigVersion config_version.value Custom

ContainerID container_id Custom

ApplicationContainer container_of_app Custom

ContentVersion content_version Custom

RepeatCount count_of_repeats Custom

CortexDataLakeTenantID customer_id Custom

DestinationDeviceCategory dest_device_category Custom

DestinationDeviceClass dest_device_class Custom

DestinationDeviceHost dest_device_host Custom

DestinationDeviceMac dest_device_mac Custom

DestinationDeviceModel dest_device_model Custom

DestinationDeviceOS dest_device_os Custom

DestinationDeviceOSFamily dest_device_osfamily Custom

DestinationDeviceOSVersion dest_device_osversion Custom

DestinationDeviceProfile dest_device_profile Custom

DestinationDeviceVendor dest_device_vendor Custom

DestinationDynamicAddressGroup dest_dynamic_address_group Custom

DestinationEDL dest_edl Custom

dst dest_ip.value Predefined

DestinationLocation dest_location Custom

dstPort dest_port Predefined

DestinationUser dest_user Custom

DestinationUserDomain dest_user_info.domain Custom

DestinationUserName dest_user_info.name Custom

DestinationUserUUID dest_user_info.uuid Custom

DestinationUUID dest_uuid Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

DirectionOfAttack direction_of_attack.value Custom

DomainEDL domain_edl Custom

DynamicUserGroupName dynusergroup_name Custom

EndpointSerialNumber endpoint_serial_number Custom

FileName file_name Custom

FileHash file_sha_256 Custom

FileType file_type Custom

FileURL file_url Custom

FlowType flow_type.value Custom

FromZone from_zone Custom

HostID host_id Custom

HTTP2Connection http2_connection Custom

HTTPMethod http_method.value Custom

InboundInterface inbound_if.value Custom

InboundInterfaceDetailsPort inbound_if_details.port Custom

InboundInterfaceDetailsSlot inbound_if_details.slot Custom

InboundInterfaceDetailsType inbound_if_details.type.value Custom

InboundInterfaceDetailsUnit inbound_if_details.unit Custom

CaptivePortal is_captive_portal Custom

IsClienttoServer is_client_to_server Custom

IsContainer is_container Custom

IsDecryptMirror is_decrypt_mirror Custom

IsDecrypted is_decrypted Custom

IsDuplicateLog is_dup_log Custom

IsEncrypted is_encrypted Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsIPV6 is_ipv6 Custom

IsMptcpOn is_mptcp_on Custom

NAT is_nat Custom

IsNonStandardDestinationPort is_non_std_dest_port Custom

IsPacketCapture is_packet_capture Custom

IsPhishing is_phishing Custom

IsPrismaNetwork is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

IsProxy is_proxy Custom

IsReconExcluded is_recon_excluded Custom

IsSaaSApplication is_saas_app Custom

IsServertoClient is_server_to_client Custom

IsSourceXForwarded is_source_x_fwded Custom

IsSystemReturn is_sym_return Custom

IsTransaction is_transaction Custom

IsTunnelInspected is_tunnel_inspected Custom

IsURLDenied is_url_denied Custom

Location location Custom

LogSetting log_set Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

IMEI monitor_tag_imei Custom

dstPostNAT nat_dest.value Predefined

dstPostNATPort nat_dest_port Predefined

srcPostNAT nat_source.value Predefined

srcPostNATPort nat_source_port Predefined

NonStandardDestinationPort non_standard_dest_port Custom

NSSAINetworkSliceType nssai_network_slice_type.value Custom

OutboundInterface outbound_if.value Custom

OutboundInterfaceDetailsPort outbound_if_details.port Custom

OutboundInterfaceDetailsSlot outbound_if_details.slot Custom

OutboundInterfaceDetailsType outbound_if_details.type.value Custom

OutboundInterfaceDetailsUnit outbound_if_details.unit Custom

PanoramaSN panorama_serial Custom

ParentSessionID parent_session_id Custom

ParentStarttime parent_start_time Custom

PartialHash partial_hash Custom

PayloadProtocolID payload_protocol_id Custom

Packet pcap Custom

PacketID pcap_id Custom

PlatformType platform_type Custom

ContainerName pod_name Custom

ContainerNameSpace pod_namespace Custom

proto protocol.value Predefined

RecipientEmail recipient_of_virus Custom

ReportID report_id Custom

ApplicationRisk risk_of_app Custom

Rule rule_matched Custom

RuleUUID rule_matched_uuid Custom

SanctionedStateOfApp sanctioned_state_of_app Custom

SenderEmail sender_of_virus Custom

SequenceNo sequence_no Custom

SessionID session_id Custom

Severity severity Custom

SigFlags sig_flags Custom

SourceDeviceCategory source_device_category Custom

SourceDeviceClass source_device_class Custom

SourceDeviceHost source_device_host Custom

SourceDeviceMac source_device_mac Custom

SourceDeviceModel source_device_model Custom

SourceDeviceOS source_device_os Custom

SourceDeviceOSFamily source_device_osfamily Custom

SourceDeviceOSVersion source_device_osversion Custom

SourceDeviceProfile source_device_profile Custom

SourceDeviceVendor source_device_vendor Custom

SourceDynamicAddressGroup source_dynamic_address_group Custom

SourceEDL source_edl Custom

src source_ip.value Predefined

SourceLocation source_location Custom

srcPort source_port Predefined

usrName source_user Predefined

SourceUserDomain source_user_info.domain Custom

SourceUserName source_user_info.name Custom

SourceUserUUID source_user_info.uuid Custom

SourceUUID source_uuid Custom

SubType sub_type.value Custom

EmailSubject subject_of_email Custom

ApplicationTechnology technology_of_app Custom

ThreatCategory threat_category.value Custom

EventID threat_id Header

ThreatName threat_name Custom

ThreatNameFirewall threat_name_firewall Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

ToZone to_zone Custom

Tunnel tunnel.value Custom

TunneledApplication tunneled_app Custom

IMSI tunnelid_imsi Custom

URLDomain url_domain Custom

URLCounter url_idx Custom

Users users Custom

Vendor vendor_name Header

VendorSeverity vendor_severity.value Custom

Verdict verdict.value Custom

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom

X-Forwarded-ForIP xff_ip.value Custom
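As an added example (not code from the Log Forwarding app or from this reference), the following Python parser reads a LEEF 2.0 Threat line, honours the attribute delimiter declared in the header, and renames the attributes to the query names in the table above, including the Predefined keys (src, dst, srcPort, dstPort, the four NAT keys, proto, cat, devTime, usrName) and the two Header fields (Vendor and EventID). The sample line is constructed, with placeholder addresses and serial number; the mapping dictionary covers all Predefined keys plus the Custom keys the sample uses and is meant to be extended from the table. One caveat the example above raises: it renders the delimiter field as a single space, yet values such as "client to server" and "Android v8" themselves contain spaces, so a parser that splits on whitespace breaks them. The parser below glues any token that carries no "=" back onto the preceding value, which is correct whether the declared delimiter is a tab (x09) or a space.

```python
"""Parse a Threat log forwarded in LEEF and key it by Cortex Data Lake query names.
Added example, not code from the Log Forwarding app; the sample line is
constructed with placeholder addresses and serial number."""
import re
from datetime import datetime, timezone

LEEF_HEADER = re.compile(
    r"LEEF:(?P<version>\d+\.\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|")
KEY_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")

# LEEF name -> query name, from the Threat LEEF table: all the Predefined keys,
# plus the subset of Custom keys the sample line uses (extend from the table).
LEEF_TO_QUERY = {
    "src": "source_ip.value", "dst": "dest_ip.value",
    "srcPort": "source_port", "dstPort": "dest_port",
    "srcPostNAT": "nat_source.value", "dstPostNAT": "nat_dest.value",
    "srcPostNATPort": "nat_source_port", "dstPostNATPort": "nat_dest_port",
    "proto": "protocol.value", "cat": "log_type.value",
    "devTime": "time_generated", "usrName": "source_user",
    "Action": "action.value", "SubType": "sub_type.value",
    "DeviceSN": "log_source_id", "TimeReceived": "log_time",
    "Rule": "rule_matched", "RuleUUID": "rule_matched_uuid",
    "DestinationUser": "dest_user", "Application": "app",
    "VendorSeverity": "vendor_severity.value",
    "DirectionOfAttack": "direction_of_attack.value",
    "FileHash": "file_sha_256", "ThreatCategory": "threat_category.value",
    "TimeGeneratedHighResolution": "time_generated_high_res",
}


def _decode_delimiter(spec: str) -> str:
    """LEEF 2.0 declares the attribute delimiter in the header, as the literal
    character or a hex code such as x09 (tab); an empty field means tab."""
    if spec == "":
        return "\t"
    hexcode = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", spec)
    return chr(int(hexcode.group(1), 16)) if hexcode else spec


def parse_leef(line: str) -> dict:
    """Vendor and EventID come from the header (vendor_name and threat_id in
    the table). Unmapped attributes keep their LEEF name so gaps stay visible.
    A token without '=' is glued back onto the previous value, which keeps
    'client to server' intact even when the declared delimiter is a space."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    header = LEEF_HEADER.match(line, start)
    if header is None:
        raise ValueError("malformed LEEF header")
    rest = line[header.end():]
    if header.group("version") == "2.0":
        delim_spec, _, rest = rest.partition("|")
        delim = _decode_delimiter(delim_spec)
    else:
        delim = "\t"  # LEEF 1.0 attributes are always tab separated
    record = {
        "leef_version": header.group("version"),
        "vendor_name": header.group("vendor"),
        "threat_id": header.group("event_id"),
    }
    last = None
    for token in rest.split(delim):
        if token == "":
            continue
        key, sep, value = token.partition("=")
        if sep and KEY_RE.fullmatch(key):
            last = LEEF_TO_QUERY.get(key, key)
            record[last] = value
        elif last is not None:
            record[last] = f"{record[last]}{delim}{token}"
    return record


def parse_devtime(value: str) -> datetime:
    """devTime carries six fractional digits although devTimeFormat advertises
    three (.SSS); strptime's %f accepts one to six."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc)


# Constructed sample, tab delimited as its x09 header field declares.
SAMPLE = (
    "Sep 21 01:47:20 192.0.2.10 2368 <14>1 2021-09-21T01:47:20.990Z "
    "stream-logfwd20-example logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2|x09|"
    "TimeReceived=2021-09-21T01:47:20.000000Z\tDeviceSN=001234567890\t"
    "cat=threat\tSubType=packet\tdevTime=2021-09-21T01:47:18.000000Z\t"
    "src=192.0.2.25\tdst=198.51.100.7\tRule=allow-business-apps\t"
    "usrName=example\\jdoe\tDestinationUser=\tApplication=websense\t"
    "srcPort=12023\tdstPort=8466\tproto=tcp\tAction=drop-packet\t"
    "VendorSeverity=Low\tDirectionOfAttack=client to server\tFileHash=\t"
    "ThreatCategory=unknown\tRuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8\t"
    "TimeGeneratedHighResolution=2021-09-21T01:47:18.732000Z\t"
    "devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)
# The same event as the document's example renders it: a literal space delimiter.
SAMPLE_SPACE_DELIM = SAMPLE.replace("|x09|", "| |").replace("\t", " ")
```

parse_leef(SAMPLE) and parse_leef(SAMPLE_SPACE_DELIM) yield the same record. Keys that the dictionary does not know (devTimeFormat in the sample) come back under their LEEF name, so a quick scan of the result shows which table rows still need to be added. The timestamps are worth a second look: devTimeFormat advertises millisecond precision but the values carry microseconds, and parse_devtime accepts both.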

Traffic
Traffic logs contain entries for the end of each network session, as well as (optionally) the start
of a network session. A network session can contain multiple messages sent and received by two
communicating endpoints.
Whether traffic logs are written at the start of a session is configurable by the next-generation
firewall's administrator. However, firewalls are rarely configured to log session starts because of
the volume of logs resulting from this configuration. Session-start logs are usually written multiple
times during the course of the session — most frequently whenever the firewall must examine its
policies to see if it can allow the session to continue.
Palo Alto Networks next-generation firewalls write various log records when appropriate during
the course of a network session. However, session resource totals such as bytes sent and received
are unknown until the session is finished. The session-end traffic log carries these resource
totals because it is always the last log written for a session.
See the following for information related to supported log formats:
• Traffic Syslog Default Field Order
• Traffic CEF Fields
• Traffic EMAIL Fields
• Traffic HTTPS Fields
• Traffic LEEF Fields
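An added example (not code from the Log Forwarding app or from this reference) of consuming Traffic records with the behaviour described above in mind: only a session's final record carries byte counts, and a session logged at start may produce several start records before its end record arrives. The records are constructed dicts keyed by the query names from the Traffic table (log_source_id, session_id, sub_type.value, source_user, dest_ip.value, dest_port, app, bytes_sent, bytes_received, bytes_total). The sub_type.value values start, end, drop and deny are the PAN-OS Traffic subtypes; this page does not list them, so the code states them as an assumption.

```python
"""Consume Traffic logs the way the section above describes: byte totals are
only known in the final record of a session, so start records are
deduplicated and byte arithmetic is done on terminal records only.
Added example, not code from the Log Forwarding app; the records are
constructed dicts keyed by the query names in the Traffic table."""
from collections import defaultdict

# Assumption: PAN-OS Traffic sub_type values are start, end, drop and deny.
# Everything but start is the last record the firewall writes for a session.
TERMINAL_SUBTYPES = {"end", "drop", "deny"}
LOG_SOURCE = "001234567890"  # placeholder firewall serial (log_source_id)


def _session_key(record: dict) -> tuple:
    # session_id is unique only per firewall and is reused over time, so key on
    # the log source as well; a long-lived store would add the start time.
    return (record["log_source_id"], record["session_id"])


def split_sessions(records):
    """Return (terminal, open_only): the terminal record per session, and the
    keys of sessions seen only as start records (still open, or the end record
    was lost in forwarding), which therefore have no usable byte counts."""
    terminal, started = {}, set()
    for rec in records:
        key = _session_key(rec)
        if rec["sub_type.value"] in TERMINAL_SUBTYPES:
            terminal[key] = rec
        elif rec["sub_type.value"] == "start":
            started.add(key)
    return terminal, sorted(started - set(terminal))


def egress_bytes_by_user(records) -> dict:
    """Client-to-server bytes (bytes_sent) per source_user, counted once per
    session. Start records are skipped: their counters are placeholders, and
    counting every record would charge a session once per start log."""
    terminal, _ = split_sessions(records)
    totals = defaultdict(int)
    for rec in terminal.values():
        totals[rec["source_user"]] += rec["bytes_sent"]
    return dict(totals)


def inconsistent_byte_totals(records) -> list:
    """Session keys whose bytes_sent + bytes_received != bytes_total: a cheap
    check that a parser or forwarder has not transposed the three columns."""
    terminal, _ = split_sessions(records)
    return sorted(k for k, r in terminal.items()
                  if r["bytes_sent"] + r["bytes_received"] != r["bytes_total"])


def users_over_egress_threshold(records, threshold_bytes: int) -> list:
    """Users whose summed egress exceeds threshold_bytes; a starting point for
    a bulk-exfiltration hunt, to be narrowed by dest_location, app or dest_edl."""
    return sorted(u for u, b in egress_bytes_by_user(records).items()
                  if b > threshold_bytes)


def _rec(session_id, sub_type, user, dst, dport, app, sent, received,
         total=None):
    return {"log_source_id": LOG_SOURCE, "session_id": session_id,
            "sub_type.value": sub_type, "source_user": user,
            "dest_ip.value": dst, "dest_port": dport, "app": app,
            "bytes_sent": sent, "bytes_received": received,
            "bytes_total": sent + received if total is None else total}


# Constructed sample: session 1001 is logged twice at start (policy re-evaluated
# as the application shifted) and once at end; 1003 has no end record yet;
# 1004 carries a deliberately inconsistent bytes_total.
TRAFFIC_RECORDS = [
    _rec(1001, "start", "corp\\alice", "198.51.100.7", 443, "ssl", 0, 0),
    _rec(1001, "start", "corp\\alice", "198.51.100.7", 443, "ssl", 0, 0),
    _rec(1001, "end", "corp\\alice", "198.51.100.7", 443, "ssl", 7_340_032, 12_288),
    _rec(1002, "end", "corp\\bob", "203.0.113.20", 443, "web-browsing", 4_096, 65_536),
    _rec(1003, "start", "corp\\alice", "198.51.100.8", 22, "ssh", 0, 0),
    _rec(1004, "deny", "corp\\bob", "203.0.113.21", 3389, "ms-rdp", 1_000, 2_000,
         total=2_999),
]
```

With the sample above, egress_bytes_by_user charges alice for session 1001 once despite its two start records, reports 1003 as open with no usable counts, and inconsistent_byte_totals flags 1004. count_of_repeats is deliberately not multiplied in: it describes summarised sessions over an interval, not bytes.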

TRAFFIC Field Description


(Display Name)

action.value Identifies the action that the firewall took for the
network traffic.
(ACTION)
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: EventID

action_source.value Specifies whether the action taken to allow or block an


application was defined in the application or in policy.
(ACTION SOURCE)
Syslog field name: Syslog Field Order
CEF field name: cat
EMAIL field name: ActionSource
HTTPS field name: ActionSource

Cortex Data Lake Schema Reference January 2024 520 ©2024 Palo Alto Networks, Inc.
Network Logs

TRAFFIC Field Description


(Display Name)
LEEF field name: ActionSource

app Application associated with the network traffic.


(APPLICATION) Syslog field name: Syslog Field Order
CEF field name: app
EMAIL field name: Application
HTTPS field name: Application
LEEF field name: Application

app_category Identifies the high-level family of the application.


(APPLICATION CATEGORY) CEF field name: PanOSApplicationCategory
EMAIL field name: ApplicationCategory
HTTPS field name: ApplicationCategory
LEEF field name: ApplicationCategory

app_sub_category Identifies the application's subcategory. The


subcategory is related to the application's category,
(APPLICATION SUBCATEGORY)
which is identified in category_of_app.
CEF field name: PanOSApplicationSubcategory
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory

bytes_received Number of bytes in the server-to-client network traffic.


(BYTES RECEIVED) Syslog field name: Syslog Field Order
CEF field name: in
EMAIL field name: BytesReceived
HTTPS field name: BytesReceived
LEEF field name: dstBytes

bytes_sent Number of bytes in the client-to-server network traffic.


(BYTES SENT) Syslog field name: Syslog Field Order
CEF field name: out
EMAIL field name: BytesSent
HTTPS field name: BytesSent

Cortex Data Lake Schema Reference January 2024 521 ©2024 Palo Alto Networks, Inc.
Network Logs

TRAFFIC Field Description


(Display Name)
LEEF field name: srcBytes

bytes_total Number of total bytes (transmit and receive).


(BYTES) Syslog field name: Syslog Field Order
CEF field name: PanOSBytes
EMAIL field name: Bytes
HTTPS field name: Bytes
LEEF field name: Bytes

chunks_received The total number of SCTP data chunks in the server-to-


client network traffic.
(CHUNKS RECEIVED)
Syslog field name: Syslog Field Order
CEF field name: PanOSChunksReceived
EMAIL field name: ChunksReceived
HTTPS field name: ChunksReceived
LEEF field name: ChunksReceived

chunks_sent The total number of SCTP data chunks in the client-to-


server network traffic.
(CHUNKS SENT)
Syslog field name: Syslog Field Order
CEF field name: PanOSChunksSent
EMAIL field name: ChunksSent
HTTPS field name: ChunksSent
LEEF field name: ChunksSent

chunks_total The total number of SCTP data chunks in the network


traffic.
(CHUNKS TOTAL)
Syslog field name: Syslog Field Order
CEF field name: PanOSChunksTotal
EMAIL field name: ChunksTotal
HTTPS field name: ChunksTotal
LEEF field name: ChunksTotal

config_version.value Version number of the firewall operating system that


wrote this log record.
(CONFIG VERSION)
Syslog field name: Syslog Field Order

Cortex Data Lake Schema Reference January 2024 522 ©2024 Palo Alto Networks, Inc.
Network Logs

TRAFFIC Field Description


(Display Name)
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

container_id Unknown field. No information is available at this time.


(CONTAINER ID) Syslog field name: Syslog Field Order
CEF field name: PanOSContainerID
EMAIL field name: ContainerID
HTTPS field name: ContainerID
LEEF field name: ContainerID

container_of_app Identifies the managing application or parent of the


application associated with this network traffic.
(APPLICATION CONTAINER)
CEF field name: PanOSApplicationContainer
EMAIL field name: ApplicationContainer
HTTPS field name: ApplicationContainer
LEEF field name: ApplicationContainer

count_of_repeats Number of sessions with same Source IP, Destination


IP, Application, and Content/Threat Type seen for the
(REPEAT COUNT)
summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: RepeatCount
HTTPS field name: RepeatCount
LEEF field name: RepeatCount

customer_id The ID that uniquely identifies the Cortex Data Lake


instance which received this log record.
(CORTEX DATA LAKE TENANT ID)
CEF field name: PanOSCortexDataLakeTenantID
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID

Cortex Data Lake Schema Reference January 2024 523 ©2024 Palo Alto Networks, Inc.
Network Logs

TRAFFIC Field Description


(Display Name)

dest_device_category Category of the device to which the session was


directed.
(DESTINATION DEVICE
CATEGORY) Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceCategory
EMAIL field name: DestinationDeviceCategory
HTTPS field name: DestinationDeviceCategory
LEEF field name: DestinationDeviceCategory

dest_device_class Destination device class.


(DESTINATION DEVICE CLASS) CEF field name: PanOSDestinationDeviceClass
EMAIL field name: DestinationDeviceClass
HTTPS field name: DestinationDeviceClass
LEEF field name: DestinationDeviceClass

dest_device_host Hostname of the device to which the session was


directed.
(DESTINATION DEVICE HOST)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceHost
EMAIL field name: DestinationDeviceHost
HTTPS field name: DestinationDeviceHost
LEEF field name: DestinationDeviceHost

dest_device_mac MAC Address of the device to which the session was


directed.
(DESTINATION DEVICE MAC)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceMac
EMAIL field name: DestinationDeviceMac
HTTPS field name: DestinationDeviceMac
LEEF field name: DestinationDeviceMac

dest_device_model Model of the device to which the session was directed.


(DESTINATION DEVICE MODEL) Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceModel
EMAIL field name: DestinationDeviceModel

Cortex Data Lake Schema Reference January 2024 524 ©2024 Palo Alto Networks, Inc.
Network Logs

TRAFFIC Field Description


(Display Name)
HTTPS field name: DestinationDeviceModel
LEEF field name: DestinationDeviceModel

dest_device_os Destination device OS type.


(DESTINATION DEVICE OS) CEF field name: PanOSDestinationDeviceOS
EMAIL field name: DestinationDeviceOS
HTTPS field name: DestinationDeviceOS
LEEF field name: DestinationDeviceOS

dest_device_osfamily OS family of the device to which the session was


directed.
(DESTINATION DEVICE OS
FAMILY) Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceOSFamily
EMAIL field name: DestinationDeviceOSFamily
HTTPS field name: DestinationDeviceOSFamily
LEEF field name: DestinationDeviceOSFamily

dest_device_osversion OS version of the device to which the session was


directed.
(DESTINATION DEVICE OS
VERSION) Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceOSVersion
EMAIL field name: DestinationDeviceOSVersion
HTTPS field name: DestinationDeviceOSVersion
LEEF field name: DestinationDeviceOSVersion

dest_device_profile Profile of the device to which the session was directed.


(DESTINATION DEVICE PROFILE) Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceProfile
EMAIL field name: DestinationDeviceProfile
HTTPS field name: DestinationDeviceProfile
LEEF field name: DestinationDeviceProfile

dest_device_vendor Vendor of the device to which the session was directed.


(DESTINATION DEVICE VENDOR) Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceVendor

Cortex Data Lake Schema Reference January 2024 525 ©2024 Palo Alto Networks, Inc.
Network Logs

TRAFFIC Field Description


(Display Name)
EMAIL field name: DestinationDeviceVendor
HTTPS field name: DestinationDeviceVendor
LEEF field name: DestinationDeviceVendor

dest_dynamic_address_group The dynamic address group that Device-ID identifies as


the destination for the traffic.
(DESTINATION DYNAMIC
ADDRESS GROUP) Syslog field name: Syslog Field Order
CEF field name:
PanOSDestinationDynamicAddressGroup
EMAIL field name: DestinationDynamicAddressGroup
HTTPS field name: DestinationDynamicAddressGroup
LEEF field name: DestinationDynamicAddressGroup

dest_edl The name of the external dynamic list that contains the
destination IP address of the traffic.
(DESTINATION EDL)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationEDL
EMAIL field name: DestinationEDL
HTTPS field name: DestinationEDL
LEEF field name: DestinationEDL

dest_ip.value Original destination IP address.


(DESTINATION ADDRESS) Syslog field name: Syslog Field Order
CEF fields: dst or c6a3
EMAIL field name: DestinationAddress
HTTPS field name: DestinationAddress
LEEF field name: dst

dest_location Destination country or internal region for private


addresses.
(DESTINATION LOCATION)
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationLocation
EMAIL field name: DestinationLocation
HTTPS field name: DestinationLocation
LEEF field name: DestinationLocation

Cortex Data Lake Schema Reference January 2024 526 ©2024 Palo Alto Networks, Inc.
Network Logs

TRAFFIC Field Description


(Display Name)

dest_port Network traffic's destination port. If this value is 0, then


the app is using its standard port.
(DESTINATION PORT)
Syslog field name: Syslog Field Order
CEF field name: dpt
EMAIL field name: DestinationPort
HTTPS field name: DestinationPort
LEEF field name: dstPort

dest_user The username to which the network traffic was


destined.
(DESTINATION USER)
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: DestinationUser
HTTPS field name: DestinationUser
LEEF field name: DestinationUser

dest_user_info.domain Domain to which the Destination User belongs.


(DESTINATION USER DOMAIN) CEF field name: dntdom
EMAIL field name: DestinationUserDomain
HTTPS field name: DestinationUserDomain
LEEF field name: DestinationUserDomain

dest_user_info.name The Destination User. That is, the username to which


the network traffic was destined.
(DESTINATION USER NAME)
CEF field name: dusername
EMAIL field name: DestinationUserName
HTTPS field name: DestinationUserName
LEEF field name: DestinationUserName

dest_user_info.uuid Unique identifier assigned to the Destination User.


(DESTINATION USER UUID) CEF field name: duid
EMAIL field name: DestinationUserUUID
HTTPS field name: DestinationUserUUID
LEEF field name: DestinationUserUUID

dest_uuid (DESTINATION UUID)
  Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDestinationUUID
  EMAIL field name: DestinationUUID
  HTTPS field name: DestinationUUID
  LEEF field name: DestinationUUID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
  A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDGHierarchyLevel1
  EMAIL field name: DGHierarchyLevel1
  HTTPS field name: DGHierarchyLevel1
  LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
  A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDGHierarchyLevel2
  EMAIL field name: DGHierarchyLevel2
  HTTPS field name: DGHierarchyLevel2
  LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
  A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDGHierarchyLevel3
  EMAIL field name: DGHierarchyLevel3
  HTTPS field name: DGHierarchyLevel3
  LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
  A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDGHierarchyLevel4
  EMAIL field name: DGHierarchyLevel4
  HTTPS field name: DGHierarchyLevel4
  LEEF field name: DGHierarchyLevel4

dynusergroup_name (DYNAMIC USER GROUP NAME)
  Dynamic user group of the user who initiated the network connection.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDynamicUserGroupName
  EMAIL field name: DynamicUserGroupName
  HTTPS field name: DynamicUserGroupName
  LEEF field name: DynamicUserGroupName

endpoint_serial_number (ENDPOINT SERIAL NUMBER)
  Serial number of the host on which GlobalProtect is installed.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSEndpointSerialNumber
  EMAIL field name: EndpointSerialNumber
  HTTPS field name: EndpointSerialNumber
  LEEF field name: EndpointSerialNumber

ep_assoc_id (ENDPOINT ASSOCIATION ID)
  The ID assigned to the endpoint association used for the SCTP network traffic.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSEndpointAssociationID
  EMAIL field name: EndpointAssociationID
  HTTPS field name: EndpointAssociationID
  LEEF field name: EndpointAssociationID

flow_type.value (FLOW TYPE)
  Defines the traffic type: explicit proxy, transparent proxy, or no proxy.
  CEF field name: FlowType
  EMAIL field name: FlowType
  HTTPS field name: FlowType
  LEEF field name: FlowType

from_zone (FROM ZONE)
  The networking zone from which the traffic originated.
  Syslog field name: Syslog Field Order
  CEF field name: cs4
  EMAIL field name: FromZone
  HTTPS field name: FromZone
  LEEF field name: FromZone

ha_session_owner (HA SESSION OWNER)
  Name of the HA cluster member from which the session failed over.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSHASessionOwner
  EMAIL field name: HASessionOwner
  HTTPS field name: HASessionOwner
  LEEF field name: HASessionOwner

host_id (GP HOST ID)
  A unique ID that GlobalProtect assigns to identify the host.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSGPHostID
  EMAIL field name: GPHostID
  HTTPS field name: GPHostID
  LEEF field name: GPHostID

http2_connection (HTTP2 CONNECTION)
  Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSHTTP2Connection
  EMAIL field name: HTTP2Connection
  HTTPS field name: HTTP2Connection
  LEEF field name: HTTP2Connection

inbound_if.value (INBOUND INTERFACE)
  Interface from which the network traffic was sourced.
  Syslog field name: Syslog Field Order
  CEF field name: deviceInboundInterface
  EMAIL field name: InboundInterface
  HTTPS field name: InboundInterface
  LEEF field name: InboundInterface

inbound_if_details.port (INBOUND INTERFACE DETAILS PORT)
  Hardware port or socket from which the network traffic was sourced.
  CEF field name: PanOSInboundInterfaceDetailsPort
  EMAIL field name: InboundInterfaceDetailsPort
  HTTPS field name: InboundInterfaceDetailsPort
  LEEF field name: InboundInterfaceDetailsPort

inbound_if_details.slot (INBOUND INTERFACE DETAILS SLOT)
  Interface slot from which the network traffic was sourced.
  CEF field name: PanOSInboundInterfaceDetailsSlot
  EMAIL field name: InboundInterfaceDetailsSlot
  HTTPS field name: InboundInterfaceDetailsSlot
  LEEF field name: InboundInterfaceDetailsSlot

inbound_if_details.type.value (INBOUND INTERFACE DETAILS TYPE)
  The type of interface from which the network traffic was sourced.
  CEF field name: PanOSInboundInterfaceDetailsType
  EMAIL field name: InboundInterfaceDetailsType
  HTTPS field name: InboundInterfaceDetailsType
  LEEF field name: InboundInterfaceDetailsType

inbound_if_details.unit (INBOUND INTERFACE DETAILS UNIT)
  Internal use.
  CEF field name: PanOSInboundInterfaceDetailsUnit
  EMAIL field name: InboundInterfaceDetailsUnit
  HTTPS field name: InboundInterfaceDetailsUnit
  LEEF field name: InboundInterfaceDetailsUnit

is_captive_portal (CAPTIVE PORTAL)
  Indicates if user information for the session was captured through Captive Portal.
  CEF field name: PanOSCaptivePortal
  EMAIL field name: CaptivePortal
  HTTPS field name: CaptivePortal
  LEEF field name: CaptivePortal

is_client_to_server (IS CLIENT TO SERVER)
  Indicates if the direction of traffic is from client to server.
  CEF field name: PanOSIsClienttoServer
  EMAIL field name: IsClienttoServer
  HTTPS field name: IsClienttoServer
  LEEF field name: IsClienttoServer

is_container (IS CONTAINER)
  Indicates if the session is a container page access (Container Page).
  CEF field name: PanOSIsContainer
  EMAIL field name: IsContainer
  HTTPS field name: IsContainer
  LEEF field name: IsContainer

is_decrypt_mirror (IS DECRYPT MIRROR)
  Indicates whether decrypted traffic was sent out in clear text through a mirror port.
  CEF field name: PanOSIsDecryptMirror
  EMAIL field name: IsDecryptMirror
  HTTPS field name: IsDecryptMirror
  LEEF field name: IsDecryptMirror

is_decrypted (IS DECRYPTED)
  Flag that indicates that the session is decrypted.
  CEF field name: PanOSIsDecrypted
  EMAIL field name: IsDecrypted
  HTTPS field name: IsDecrypted
  LEEF field name: IsDecrypted

is_decrypted_payload_fwded (IS DECRYPTED PAYLOAD FORWARD)
  Unknown field. No information is available at this time.
  CEF field name: PanOSIsDecryptedPayloadForward
  EMAIL field name: IsDecryptedPayloadForward
  HTTPS field name: IsDecryptedPayloadForward
  LEEF field name: IsDecryptedPayloadForward

is_decryption_log (IS DECRYPTED LOG)
  Unknown field. No information is available at this time.
  CEF field name: PanOSIsDecryptedLog
  EMAIL field name: IsDecryptedLog
  HTTPS field name: IsDecryptedLog
  LEEF field name: IsDecryptedLog

is_dup_log (IS DUPLICATE LOG)
  Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premises log collector.
  CEF field name: PanOSIsDuplicateLog
  EMAIL field name: IsDuplicateLog
  HTTPS field name: IsDuplicateLog
  LEEF field name: IsDuplicateLog

is_encrypted (IS ENCRYPTED)
  Flag that indicates that the session is encrypted.
  CEF field name: PanOSIsEncrypted
  EMAIL field name: IsEncrypted
  HTTPS field name: IsEncrypted
  LEEF field name: IsEncrypted

is_exported (LOG EXPORTED)
  Indicates if this log was exported from the firewall using the firewall's log export function.
  CEF field name: PanOSLogExported
  EMAIL field name: LogExported
  HTTPS field name: LogExported
  LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
  Internal-use field that indicates if the log is being forwarded.
  CEF field name: PanOSLogForwarded
  EMAIL field name: LogForwarded
  HTTPS field name: LogForwarded
  LEEF field name: LogForwarded

is_ipv6 (IS IPV6)
  Indicates whether IPv6 was used for the session.
  CEF field name: PanOSIsIPV6
  EMAIL field name: IsIPV6
  HTTPS field name: IsIPV6
  LEEF field name: IsIPV6

is_l7_inspection_b4_session (IS INSPECTION BEFORE SESSION)
  Unknown field. No information is available at this time.
  CEF field name: PanOSIsInspectionBeforeSession
  EMAIL field name: IsInspectionBeforeSession
  HTTPS field name: IsInspectionBeforeSession
  LEEF field name: IsInspectionBeforeSession

is_mptcp_on (IS MPTCP ON)
  Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
  CEF field name: PanOSIsMptcpOn
  EMAIL field name: IsMptcpOn
  HTTPS field name: IsMptcpOn
  LEEF field name: IsMptcpOn

is_nat (NAT)
  Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
  CEF field name: PanOSNAT
  EMAIL field name: NAT
  HTTPS field name: NAT
  LEEF field name: NAT

is_non_std_dest_port (IS NON STANDARD DESTINATION PORT)
  Indicates if the destination port is non-standard.
  CEF field name: PanOSIsNonStandardDestinationPort
  EMAIL field name: IsNonStandardDestinationPort
  HTTPS field name: IsNonStandardDestinationPort
  LEEF field name: IsNonStandardDestinationPort

is_offloaded (IS OFFLOADED)
  Indicates whether the traffic flow is offloaded to hardware before the packets enter the Linux kernel on VM-Series/CN-Series firewalls.
  CEF field name: PanOSIsOffloaded
  EMAIL field name: IsOffloaded
  HTTPS field name: IsOffloaded
  LEEF field name: IsOffloaded

is_packet_capture (IS PACKET CAPTURE)
  Indicates whether the session has a packet capture (PCAP).
  CEF field name: PanOSIsPacketCapture
  EMAIL field name: IsPacketCapture
  HTTPS field name: IsPacketCapture
  LEEF field name: IsPacketCapture

is_phishing (IS PHISHING)
  Indicates whether enterprise credentials were submitted by an end user.
  CEF field name: PanOSIsPhishing
  EMAIL field name: IsPhishing
  HTTPS field name: IsPhishing
  LEEF field name: IsPhishing

is_prisma_branch (IS PRISMA NETWORK)
  Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premises.
  CEF field name: PanOSIsPrismaNetwork
  EMAIL field name: IsPrismaNetwork
  HTTPS field name: IsPrismaNetwork
  LEEF field name: IsPrismaNetwork

is_prisma_mobile (IS PRISMA USERS)
  Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premises.
  CEF field name: PanOSIsPrismaUsers
  EMAIL field name: IsPrismaUsers
  HTTPS field name: IsPrismaUsers
  LEEF field name: IsPrismaUsers

is_proxy (IS PROXY)
  Indicates whether the SSL session is decrypted (SSL Proxy).
  CEF field name: PanOSIsProxy
  EMAIL field name: IsProxy
  HTTPS field name: IsProxy
  LEEF field name: IsProxy

is_recon_excluded (IS RECON EXCLUDED)
  Indicates whether the source for the flow is on the firewall allow list and not subject to recon protection.
  CEF field name: PanOSIsReconExcluded
  EMAIL field name: IsReconExcluded
  HTTPS field name: IsReconExcluded
  LEEF field name: IsReconExcluded

is_saas_app (IS SAAS APPLICATION)
  Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application.
  CEF field name: PanOSIsSaaSApplication
  EMAIL field name: IsSaaSApplication
  HTTPS field name: IsSaaSApplication
  LEEF field name: IsSaaSApplication

is_server_to_client (IS SERVER TO CLIENT)
  Indicates if the direction of traffic is from server to client.
  CEF field name: PanOSIsServertoClient
  EMAIL field name: IsServertoClient
  HTTPS field name: IsServertoClient
  LEEF field name: IsServertoClient

is_source_x_fwded (IS SOURCE X FORWARDED)
  Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
  CEF field name: PanOSIsSourceXForwarded
  EMAIL field name: IsSourceXForwarded
  HTTPS field name: IsSourceXForwarded
  LEEF field name: IsSourceXForwarded

is_sym_return (IS SYSTEM RETURN)
  Indicates whether symmetric return was used to forward traffic for this session.
  CEF field name: PanOSIsSystemReturn
  EMAIL field name: IsSystemReturn
  HTTPS field name: IsSystemReturn
  LEEF field name: IsSystemReturn

is_transaction (IS TRANSACTION)
  Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
  CEF field name: PanOSIsTransaction
  EMAIL field name: IsTransaction
  HTTPS field name: IsTransaction
  LEEF field name: IsTransaction

is_tunnel_inspected (IS TUNNEL INSPECTED)
  Indicates whether the payload for the outer tunnel was inspected.
  CEF field name: PanOSIsTunnelInspected
  EMAIL field name: IsTunnelInspected
  HTTPS field name: IsTunnelInspected
  LEEF field name: IsTunnelInspected

is_url_denied (IS URL DENIED)
  Indicates whether the session was denied due to a URL filtering rule.
  CEF field name: PanOSIsURLDenied
  EMAIL field name: IsURLDenied
  HTTPS field name: IsURLDenied
  LEEF field name: IsURLDenied

link_change_count (LINK CHANGE COUNT)
  Number of times the application's link flapped during the session.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSLinkChangeCount
  EMAIL field name: LinkChangeCount
  HTTPS field name: LinkChangeCount
  LEEF field name: LinkChangeCount

link_switches (LINK SWITCHES)
  Details of the link switches (up to 4).
  Syslog field name: Syslog Field Order
  CEF field name: PanOSLinkSwitches
  EMAIL field name: LinkSwitches
  HTTPS field name: LinkSwitches
  LEEF field name: LinkSwitches

location (PRISMA ACCESS LOCATION)
  Prisma Access region/location.
  CEF field name: PanOSLocation
  EMAIL field name: Location
  HTTPS field name: Location
  LEEF field name: Location

log_set (LOG SETTING)
  Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
  Syslog field name: Syslog Field Order
  CEF field name: cs6
  EMAIL field name: LogSetting
  HTTPS field name: LogSetting
  LEEF field name: LogSetting

log_source (LOG SOURCE)
  Identifies the origin of the data. That is, the system that produced the data.
  CEF field name: PanOSLogSource
  EMAIL field name: LogSource
  HTTPS field name: LogSource
  LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
  ID that uniquely identifies the log source group of the log. That is, the log_source_id of the group.
  CEF field name: LogSourceGroupID
  EMAIL field name: LogSourceGroupID
  HTTPS field name: LogSourceGroupID
  LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
  ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
  Syslog field name: Syslog Field Order
  CEF field name: deviceExternalId
  EMAIL field name: DeviceSN
  HTTPS field name: DeviceSN
  LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
  Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
  Syslog field name: Syslog Field Order
  CEF field name: dvchost
  EMAIL field name: DeviceName
  HTTPS field name: DeviceName
  LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
  Time zone offset from GMT of the source of the log.
  CEF field name: PanOSLogSourceTimeZoneOffset
  EMAIL field name: LogSourceTimeZoneOffset
  HTTPS field name: LogSourceTimeZoneOffset
  LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
  Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
  Syslog field name: Syslog Field Order
  CEF field name: rt
  EMAIL field name: TimeReceived
  HTTPS field name: TimeReceived
  LEEF field name: TimeReceived

log_type.value (LOG TYPE)
  Identifies the log type.
  Syslog field name: Syslog Field Order
  CEF field name: Device Event Class ID
  EMAIL field name: LogType
  HTTPS field name: LogType
  LEEF field name: cat
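
Worked example (added here; this is not Palo Alto Networks code and is not part of the schema reference). The CEF column in this table is a rename map: log_type.value rides in the CEF header's Device Event Class ID slot, sub_type.value in the Name slot, and the extension keys (rt, externalId, deviceExternalId, dvchost, src/c6a2, spt, suser, cs1, cs4, cs6, cn1, cn2, proto, reason, the NAT translated fields and the PanOS* vendor keys) map onto the field names in the left column. The parser below reverses that mapping for a TRAFFIC record so downstream tooling can work with the Cortex Data Lake names regardless of which forwarding format delivered the log. CEF header fields escape '|' and '\' with a backslash and extension values escape '=' and '\', so a naive split on '|' or ' ' is wrong; both are handled. The sample record, its serial number, addresses, user and rule names are constructed for illustration; the treatment of 0.0.0.0/0 as "no NAT" placeholders in effective_source is an assumption, not something this table states. Syslog (positional) and LEEF (different key names, e.g. srcPostNAT) are not handled here.

```python
import re

# Constructed sample CEF TRAFFIC record (made-up values; not a real firewall's output).
SAMPLE_CEF = (
    r"CEF:0|Palo Alto Networks|PAN-OS|10.2.4|TRAFFIC|end|3|"
    r"rt=1706612345678901 deviceExternalId=007951000123456 dvchost=fw-branch-01 "
    r"src=10.20.30.40 spt=51522 proto=tcp cs1=allow web egress cs4=trust cs6=fwd-to-cdl "
    r"cn1=184467 cn2=42 externalId=7000000000012345 reason=tcp-fin "
    r"deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 "
    r"sourceTranslatedAddress=203.0.113.7 sourceTranslatedPort=40001 "
    r"suser=acme\\jdoe sntdom=acme PanOSIsDecrypted=0 PanOSNAT=1"
)

# CEF extension key -> Cortex Data Lake field name, copied from the table above.
# Vendor keys that already carry the PanOS* prefix are kept under their own name.
CEF_TO_CDL = {
    "rt": "log_time", "externalId": "sequence_no",
    "deviceExternalId": "log_source_id", "dvchost": "log_source_name",
    "src": "source_ip.value", "c6a2": "source_ip.value", "spt": "source_port",
    "suser": "source_user", "susername": "source_user_info.name",
    "sntdom": "source_user_info.domain", "suid": "source_user_info.uuid",
    "dusername": "dest_user_info.name", "dntdom": "dest_user_info.domain",
    "duid": "dest_user_info.uuid", "proto": "protocol.value",
    "cs1": "rule_matched", "cs4": "from_zone", "cs6": "log_set",
    "cn1": "session_id", "cn2": "packets_total", "reason": "session_end_reason.value",
    "deviceInboundInterface": "inbound_if.value",
    "deviceOutboundInterface": "outbound_if.value",
    "sourceTranslatedAddress": "nat_source.value", "sourceTranslatedPort": "nat_source_port",
    "destinationTranslatedAddress": "nat_dest.value", "destinationTranslatedPort": "nat_dest_port",
}

# key=value pairs; a value runs (honouring backslash escapes) up to the next " key=" or end.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_]+)=((?:\\.|[^\\])*?)(?=\s[A-Za-z0-9_]+=|$)")
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(raw: str) -> str:
    # Undo CEF extension escaping: \= -> =, \\ -> \, \n and \r -> control characters.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw)


def split_cef_header(line: str):
    """Return the seven CEF header fields and the raw extension string.
    Header fields escape '|' and the backslash with a backslash, so the scan
    must skip escaped pipes instead of splitting on every '|'."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, cur, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep the next one literally
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, line[i:]


def parse_cef_traffic(line: str) -> dict:
    """Map a CEF TRAFFIC record onto Cortex Data Lake field names (values stay strings)."""
    header, ext = split_cef_header(line)
    # Per the table: log_type.value is the Device Event Class ID, sub_type.value is Name.
    rec = {"log_type.value": header[4], "sub_type.value": header[5]}
    for m in _EXT_PAIR.finditer(ext):
        key, raw = m.group(1), m.group(2)
        rec[CEF_TO_CDL.get(key, key)] = _unescape(raw)
    return rec


def effective_source(rec: dict):
    """Address and port the destination actually saw: post-NAT when source NAT
    applied, otherwise the original values. The table says nat_source.value is
    populated only when source NAT was performed; treating a missing key, an
    empty value or the 0.0.0.0 / 0 placeholders as 'no NAT' is an assumption."""
    def present(v):
        return v not in (None, "", "0", "0.0.0.0", "::")
    ip, port = rec.get("nat_source.value"), rec.get("nat_source_port")
    if not (present(ip) and present(port)):
        ip, port = rec["source_ip.value"], rec["source_port"]
    return ip, int(port)


if __name__ == "__main__":
    parsed = parse_cef_traffic(SAMPLE_CEF)
    for k in sorted(parsed):
        print(f"{k:32} {parsed[k]}")
    print("effective source:", effective_source(parsed))
```

Note that the same Cortex Data Lake field can arrive under two CEF keys (src for IPv4, c6a2 for IPv6; suser and susername both carry the source user), so the map is many-to-one, and a value such as a rule name may legitimately contain spaces, which is why the extension is tokenised on the next key= boundary rather than on whitespace.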

monitor_tag_imei (IMEI)
  International Mobile Equipment Identity (IMEI) of the mobile station equipment associated with the session.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSIMEI
  EMAIL field name: IMEI
  HTTPS field name: IMEI
  LEEF field name: IMEI

nat_dest.value (NAT DESTINATION)
  If destination NAT was performed, the post-NAT destination IP address.
  Syslog field name: Syslog Field Order
  CEF field name: destinationTranslatedAddress
  EMAIL field name: NATDestination
  HTTPS field name: NATDestination
  LEEF field name: dstPostNAT

nat_dest_port (NAT DESTINATION PORT)
  Post-NAT destination port.
  Syslog field name: Syslog Field Order
  CEF field name: destinationTranslatedPort
  EMAIL field name: NATDestinationPort
  HTTPS field name: NATDestinationPort
  LEEF field name: dstPostNATPort

nat_source.value (NAT SOURCE)
  If source NAT was performed, the post-NAT source IP address.
  Syslog field name: Syslog Field Order
  CEF field name: sourceTranslatedAddress
  EMAIL field name: NATSource
  HTTPS field name: NATSource
  LEEF field name: srcPostNAT

nat_source_port (NAT SOURCE PORT)
  Post-NAT source port.
  Syslog field name: Syslog Field Order
  CEF field name: sourceTranslatedPort
  EMAIL field name: NATSourcePort
  HTTPS field name: NATSourcePort
  LEEF field name: srcPostNATPort

non_standard_dest_port (NON STANDARD DESTINATION PORT)
  Identifies the non-standard or unexpected port used by the application associated with this session.
  CEF field name: PanOSNonStandardDestinationPort
  EMAIL field name: NonStandardDestinationPort
  HTTPS field name: NonStandardDestinationPort
  LEEF field name: NonStandardDestinationPort

nssai_network_slice_differentiator.value (NSSAI NETWORK SLICE DIFFERENTIATOR)
  Network Slice Differentiator (SD part of S-NSSAI).
  Syslog field name: Syslog Field Order
  CEF field name: PanOSNSSAINetworkSliceDifferentiator
  EMAIL field name: NSSAINetworkSliceDifferentiator
  HTTPS field name: NSSAINetworkSliceDifferentiator
  LEEF field name: NSSAINetworkSliceDifferentiator

nssai_network_slice_type.value (NSSAI NETWORK SLICE TYPE)
  Network Slice Type (SST part of S-NSSAI).
  Syslog field name: Syslog Field Order
  CEF field name: PanOSNSSAINetworkSliceType
  EMAIL field name: NSSAINetworkSliceType
  HTTPS field name: NSSAINetworkSliceType
  LEEF field name: NSSAINetworkSliceType

outbound_if.value (OUTBOUND INTERFACE)
  Interface to which the network traffic was destined.
  Syslog field name: Syslog Field Order
  CEF field name: deviceOutboundInterface
  EMAIL field name: OutboundInterface
  HTTPS field name: OutboundInterface
  LEEF field name: OutboundInterface

outbound_if_details.port (OUTBOUND INTERFACE DETAILS PORT)
  Hardware port or socket to which the network traffic was sent.
  CEF field name: PanOSOutboundInterfaceDetailsPort
  EMAIL field name: OutboundInterfaceDetailsPort
  HTTPS field name: OutboundInterfaceDetailsPort
  LEEF field name: OutboundInterfaceDetailsPort

outbound_if_details.slot (OUTBOUND INTERFACE DETAILS SLOT)
  Interface slot to which the network traffic was sent.
  CEF field name: PanOSOutboundInterfaceDetailsSlot
  EMAIL field name: OutboundInterfaceDetailsSlot
  HTTPS field name: OutboundInterfaceDetailsSlot
  LEEF field name: OutboundInterfaceDetailsSlot

outbound_if_details.type.value (OUTBOUND INTERFACE DETAILS TYPE)
  The type of interface to which the network traffic was sent.
  CEF field name: PanOSOutboundInterfaceDetailsType
  EMAIL field name: OutboundInterfaceDetailsType
  HTTPS field name: OutboundInterfaceDetailsType
  LEEF field name: OutboundInterfaceDetailsType

outbound_if_details.unit (OUTBOUND INTERFACE DETAILS UNIT)
  Internal use.
  CEF field name: PanOSOutboundInterfaceDetailsUnit
  EMAIL field name: OutboundInterfaceDetailsUnit
  HTTPS field name: OutboundInterfaceDetailsUnit
  LEEF field name: OutboundInterfaceDetailsUnit

packets_received (PACKETS RECEIVED)
  Number of server-to-client packets for the session.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSPacketsReceived
  EMAIL field name: PacketsReceived
  HTTPS field name: PacketsReceived
  LEEF field name: dstPackets

packets_sent (PACKETS SENT)
  Number of client-to-server packets for the session.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSPacketsSent
  EMAIL field name: PacketsSent
  HTTPS field name: PacketsSent
  LEEF field name: srcPackets

packets_total (PACKETS TOTAL)
  Number of total packets (transmit and receive) seen for the session.
  Syslog field name: Syslog Field Order
  CEF field name: cn2
  EMAIL field name: PacketsTotal
  HTTPS field name: PacketsTotal
  LEEF field name: totalPackets

panorama_serial (PANORAMA SN)
  Serial number of the Panorama associated with Cortex Data Lake.
  CEF field name: PanOSPanoramaSN
  EMAIL field name: PanoramaSN
  HTTPS field name: PanoramaSN
  LEEF field name: PanoramaSN

parent_session_id (PARENT SESSION ID)
  ID of the session in which this network traffic was tunneled.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSParentSessionID
  EMAIL field name: ParentSessionID
  HTTPS field name: ParentSessionID
  LEEF field name: ParentSessionID

parent_start_time (PARENT START TIME)
  Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSParentStarttime
  EMAIL field name: ParentStarttime
  HTTPS field name: ParentStarttime
  LEEF field name: ParentStarttime

platform_type (PLATFORM TYPE)
  The platform type (valid types are VM, PA, NGFW, CNGFW).
  CEF field name: PlatformType
  EMAIL field name: PlatformType
  HTTPS field name: PlatformType
  LEEF field name: PlatformType

pod_name (CONTAINER NAME)
  Container name.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSContainerName
  EMAIL field name: ContainerName
  HTTPS field name: ContainerName
  LEEF field name: ContainerName

pod_namespace (CONTAINER NAME SPACE)
  Container namespace.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSContainerNameSpace
  EMAIL field name: ContainerNameSpace
  HTTPS field name: ContainerNameSpace
  LEEF field name: ContainerNameSpace

policy_id (SDWAN POLICY NAME)
  Name of the SD-WAN policy.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSDWANPolicyName
  EMAIL field name: SDWANPolicyName
  HTTPS field name: SDWANPolicyName
  LEEF field name: SDWANPolicyName

protocol.value (PROTOCOL)
  IP protocol associated with the session.
  Syslog field name: Syslog Field Order
  CEF field name: proto
  EMAIL field name: Protocol
  HTTPS field name: Protocol
  LEEF field name: proto

risk_of_app (APPLICATION RISK)
  Indicates how risky the application is from a network security perspective.
  CEF field name: PanOSApplicationRisk
  EMAIL field name: ApplicationRisk
  HTTPS field name: ApplicationRisk
  LEEF field name: ApplicationRisk

rule_matched (RULE)
  Name of the security policy rule that the network traffic matched.
  Syslog field name: Syslog Field Order
  CEF field name: cs1
  EMAIL field name: Rule
  HTTPS field name: Rule
  LEEF field name: Rule

rule_matched_uuid (RULE UUID)
  Unique identifier for the security policy rule that the network traffic matched.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSRuleUUID
  EMAIL field name: RuleUUID
  HTTPS field name: RuleUUID
  LEEF field name: RuleUUID

sanctioned_state_of_app (SANCTIONED STATE OF APP)
  Indicates whether the application has been flagged as sanctioned by the firewall administrator.
  CEF field name: PanOSSanctionedStateOfApp
  EMAIL field name: SanctionedStateOfApp
  HTTPS field name: SanctionedStateOfApp
  LEEF field name: SanctionedStateOfApp

sdwan_FEC_ratio (SDWAN FEC RATIO)
  SD-WAN forward error correction (FEC) ratio.
  CEF field name: PanOSSDWANFECRatio
  EMAIL field name: SDWANFECRatio
  HTTPS field name: SDWANFECRatio
  LEEF field name: SDWANFECRatio

sdwan_cluster (SDWAN CLUSTER)
  Name of the SD-WAN cluster.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSDWANCluster
  EMAIL field name: SDWANCluster
  HTTPS field name: SDWANCluster
  LEEF field name: SDWANCluster

sdwan_cluster_type (SDWAN CLUSTER TYPE)
  Type of SD-WAN cluster. Either mesh or hub-spoke.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSDWANClusterType
  EMAIL field name: SDWANClusterType
  HTTPS field name: SDWANClusterType
  LEEF field name: SDWANClusterType

sdwan_device_type (SDWAN DEVICE TYPE)
  Type of SD-WAN device. Either hub or branch.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSDWANDeviceType
  EMAIL field name: SDWANDeviceType
  HTTPS field name: SDWANDeviceType
  LEEF field name: SDWANDeviceType

sdwan_site (SDWAN SITE)
  Name of the SD-WAN site.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSDWANSite
  EMAIL field name: SDWANSite
  HTTPS field name: SDWANSite
  LEEF field name: SDWANSite

sequence_no (SEQUENCE NO)
  The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
  Syslog field name: Syslog Field Order
  CEF field name: externalId
  EMAIL field name: SequenceNo
  HTTPS field name: SequenceNo
  LEEF field name: SequenceNo
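
Worked example (added here; not Palo Alto Networks code and not part of the schema reference). Two details in this table matter when the same logs reach a SIEM by more than one path, which is exactly the situation is_dup_log describes: sequence_no is sequential only within one log type ("each log type has a unique number space"), and it is per firewall, so a stable deduplication key must combine log_source_id, log_type.value and sequence_no; and log_time, session_start_time and parent_start_time are microseconds since the Unix epoch, not seconds or milliseconds, so a float division or a seconds-based converter silently yields wrong dates. The records below are constructed: one TRAFFIC log delivered twice (the second copy flagged is_dup_log=1) and a THREAT log that reuses the same sequence number but is a distinct event. The 10**15 lower bound used to catch unit mix-ups is a heuristic chosen for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (made-up values). Field names follow the table;
# log_type is shown nested as log_type.value, the way the schema names it.
RECORDS = [
    {"log_source_id": "007951000123456", "log_type": {"value": "TRAFFIC"},
     "sequence_no": 7000000000012345, "log_time": 1706612345678901,
     "is_dup_log": 0, "session_id": 184467},
    # Same event, second delivery path (e.g. on-premises collector), received later.
    {"log_source_id": "007951000123456", "log_type": {"value": "TRAFFIC"},
     "sequence_no": 7000000000012345, "log_time": 1706612347000000,
     "is_dup_log": 1, "session_id": 184467},
    # Different log type, same sequence number: NOT a duplicate.
    {"log_source_id": "007951000123456", "log_type": {"value": "THREAT"},
     "sequence_no": 7000000000012345, "log_time": 1706612345700000,
     "is_dup_log": 0, "session_id": 184467},
]

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Heuristic: 10**15 microseconds is September 2001. A smaller value is almost
# certainly seconds or milliseconds that were passed in by mistake.
_MIN_MICROS = 10**15


def log_time_utc(micros: int) -> datetime:
    """Convert a log_time / session_start_time / parent_start_time value
    (microseconds since the Unix epoch, per the table) to an aware UTC datetime.
    Integer timedelta arithmetic avoids the precision loss of dividing by 1e6."""
    if micros < _MIN_MICROS:
        raise ValueError(f"{micros} is too small for a microsecond timestamp; wrong unit?")
    return _EPOCH + timedelta(microseconds=micros)


def dedup_key(rec: dict) -> tuple:
    """sequence_no is unique only per firewall and per log type, so all three parts are needed."""
    return (rec["log_source_id"], rec["log_type"]["value"], rec["sequence_no"])


def dedupe(records):
    """Keep the earliest-received copy of each log. Returns (kept, dropped)."""
    kept, dropped, seen = [], [], set()
    for rec in sorted(records, key=lambda r: r["log_time"]):
        key = dedup_key(rec)
        (dropped if key in seen else kept).append(rec)
        seen.add(key)
    return kept, dropped


def unflagged_duplicates(records):
    """Duplicates we dropped that did not carry is_dup_log=1. The flag only says the
    log is also available elsewhere; it does not identify which copy you hold,
    so the key-based check above, not the flag, is what should drive deduplication."""
    _, dropped = dedupe(records)
    return [r for r in dropped if not r.get("is_dup_log")]


if __name__ == "__main__":
    kept, dropped = dedupe(RECORDS)
    for rec in kept:
        print(rec["log_type"]["value"], rec["sequence_no"],
              log_time_utc(rec["log_time"]).isoformat())
    print(f"dropped {len(dropped)} duplicate(s); "
          f"{len(unflagged_duplicates(RECORDS))} of them lacked is_dup_log")
```

Sorting by log_time before deduplicating keeps the copy that reached Cortex Data Lake first; if you would rather prefer a particular delivery path, sort on that instead. The same key also works for joining a TRAFFIC log to later records about the same session, but note that it is not session_id: a long-lived session can produce several TRAFFIC logs, each with its own sequence_no.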

sess_owner_rt_midx (SESSION OWNER MIDX)
  Unknown field. No information is available at this time.
  CEF field name: PanOSSessionOwnerMidx
  EMAIL field name: SessionOwnerMidx
  HTTPS field name: SessionOwnerMidx
  LEEF field name: SessionOwnerMidx

session_end_reason.value (SESSION END REASON)
  The reason a session terminated.
  Syslog field name: Syslog Field Order
  CEF field name: reason
  EMAIL field name: SessionEndReason
  HTTPS field name: SessionEndReason
  LEEF field name: SessionEndReason

session_id (SESSION ID)
  Identifies the firewall's internal identifier for a specific network session.
  Syslog field name: Syslog Field Order
  CEF field name: cn1
  EMAIL field name: SessionID
  HTTPS field name: SessionID
  LEEF field name: SessionID

session_start_time (SESSION START TIME)
  Time when the session was established. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSessionStartTime
  EMAIL field name: SessionStartTime
  HTTPS field name: SessionStartTime
  LEEF field name: SessionStartTime

session_tracker (SESSION TRACKER)
  Unknown field. No information is available at this time.
  CEF field name: PanOSSessionTracker
  EMAIL field name: SessionTracker
  HTTPS field name: SessionTracker
  LEEF field name: SessionTracker

source_device_category (SOURCE DEVICE CATEGORY)
  Category of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceCategory
  EMAIL field name: SourceDeviceCategory
  HTTPS field name: SourceDeviceCategory
  LEEF field name: SourceDeviceCategory

source_device_class (SOURCE DEVICE CLASS)
  Source device class.
  CEF field name: PanOSSourceDeviceClass
  EMAIL field name: SourceDeviceClass
  HTTPS field name: SourceDeviceClass
  LEEF field name: SourceDeviceClass

source_device_host (SOURCE DEVICE HOST)
  Hostname of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceHost
  EMAIL field name: SourceDeviceHost
  HTTPS field name: SourceDeviceHost
  LEEF field name: SourceDeviceHost

source_device_mac (SOURCE DEVICE MAC)
  MAC address of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceMac
  EMAIL field name: SourceDeviceMac
  HTTPS field name: SourceDeviceMac
  LEEF field name: SourceDeviceMac

source_device_model (SOURCE DEVICE MODEL)
  Model of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceModel
  EMAIL field name: SourceDeviceModel
  HTTPS field name: SourceDeviceModel
  LEEF field name: SourceDeviceModel

source_device_os (SOURCE DEVICE OS)
  Source device OS type.
  CEF field name: PanOSSourceDeviceOS
  EMAIL field name: SourceDeviceOS
  HTTPS field name: SourceDeviceOS
  LEEF field name: SourceDeviceOS

source_device_osfamily (SOURCE DEVICE OS FAMILY)
  OS family of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceOSFamily
  EMAIL field name: SourceDeviceOSFamily
  HTTPS field name: SourceDeviceOSFamily
  LEEF field name: SourceDeviceOSFamily

source_device_osversion (SOURCE DEVICE OS VERSION)
  OS version of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceOSVersion
  EMAIL field name: SourceDeviceOSVersion
  HTTPS field name: SourceDeviceOSVersion
  LEEF field name: SourceDeviceOSVersion

source_device_profile (SOURCE DEVICE PROFILE)
  Profile of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceProfile
  EMAIL field name: SourceDeviceProfile
  HTTPS field name: SourceDeviceProfile
  LEEF field name: SourceDeviceProfile

source_device_vendor (SOURCE DEVICE VENDOR)
  Vendor of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceVendor
  EMAIL field name: SourceDeviceVendor
  HTTPS field name: SourceDeviceVendor
  LEEF field name: SourceDeviceVendor

source_dynamic_address_group (SOURCE DYNAMIC ADDRESS GROUP)
  The dynamic address group that Device-ID identifies as the source of the traffic.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDynamicAddressGroup
  EMAIL field name: SourceDynamicAddressGroup
  HTTPS field name: SourceDynamicAddressGroup
  LEEF field name: SourceDynamicAddressGroup

source_edl (SOURCE EDL)
  The name of the external dynamic list that contains the source IP address of the traffic.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceEDL
  EMAIL field name: SourceEDL
  HTTPS field name: SourceEDL
  LEEF field name: SourceEDL

source_ip.value (SOURCE ADDRESS)
  Original source IP address.
  Syslog field name: Syslog Field Order
  CEF field name: src (IPv4) or c6a2 (IPv6)
  EMAIL field name: SourceAddress
  HTTPS field name: SourceAddress
  LEEF field name: src

source_location (SOURCE LOCATION)
  Source country, or internal region for private addresses.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceLocation
  EMAIL field name: SourceLocation
  HTTPS field name: SourceLocation
  LEEF field name: SourceLocation

Cortex Data Lake Schema Reference January 2024 550 ©2024 Palo Alto Networks, Inc.
Network Logs

TRAFFIC Field Description


(Display Name)

source_port (SOURCE PORT)
Source port utilized by the session.
Syslog field name: Syslog Field Order
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort

source_user (SOURCE USER)
The username that initiated the network traffic.
Syslog field name: Syslog Field Order
CEF field name: suser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: usrName

source_user_info.domain (SOURCE USER DOMAIN)
Domain to which the Source User belongs.
CEF field name: sntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain

source_user_info.name (SOURCE USER NAME)
The Source User. That is, the username that initiated the network traffic.
CEF field name: All of the following: susername, suser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName

source_user_info.uuid (SOURCE USER UUID)
Unique identifier assigned to the Source User.
CEF field name: suid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID

source_uuid (SOURCE UUID)
Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceUUID
EMAIL field name: SourceUUID
HTTPS field name: SourceUUID
LEEF field name: SourceUUID

sub_type.value (SUBTYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType

technology_of_app (APPLICATION TECHNOLOGY)
The networking technology used by the identified application.
CEF field name: PanOSApplicationTechnology
EMAIL field name: ApplicationTechnology
HTTPS field name: ApplicationTechnology
LEEF field name: ApplicationTechnology

time_generated (TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res (TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

to_zone (TO ZONE)
Networking zone to which the traffic was sent.
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone

total_time_elapsed (SESSION DURATION)
Total time taken for the network session to complete.
Syslog field name: Syslog Field Order
CEF field name: cn3
EMAIL field name: SessionDuration
HTTPS field name: SessionDuration
LEEF field name: SessionDuration

tunnel.value (TUNNEL)
Type of tunnel.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnel
EMAIL field name: Tunnel
HTTPS field name: Tunnel
LEEF field name: Tunnel

tunneled_app (TUNNELED APPLICATION)
For internal use only.
CEF field name: PanOSTunneledApplication
EMAIL field name: TunneledApplication
HTTPS field name: TunneledApplication
LEEF field name: TunneledApplication

tunnelid_imsi (IMSI)
ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Syslog field name: Syslog Field Order
CEF field name: PanOSIMSI
EMAIL field name: IMSI
HTTPS field name: IMSI
LEEF field name: IMSI

url_category.value (URL CATEGORY)
URL category associated with the session.
Syslog field name: Syslog Field Order
CEF field name: cs2
EMAIL field name: URLCategory
HTTPS field name: URLCategory
LEEF field name: URLCategory

users (USERS)
Source/Destination user. If neither is available, source_ip is used.
CEF field name: PanOSUsers
EMAIL field name: Users
HTTPS field name: Users
LEEF field name: Users

vendor_name (VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

vsys (VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

vsys_id (VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name (VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

xff_ip.value (X-FORWARDED-FOR IP)
X-Forwarded-For IP.
Syslog field name: Syslog Field Order
CEF field name: PanOSX-Forwarded-ForIP
EMAIL field name: X-Forwarded-ForIP
HTTPS field name: X-Forwarded-ForIP
LEEF field name: X-Forwarded-ForIP

Traffic Syslog Default Field Order

Example Traffic log in Syslog:

Oct 12 21:28:47 gke-standard-cluster-2-pool-1-6ea9f13a-moqf 953 <142>1 2020-10-12T21:28:47.110Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - 1,2020-10-12T21:28:42.000000Z,007051000113358,
TRAFFIC,start,10.0,2020-10-12T19:56:43.000000Z,xxx.xx.x.xx,
xxx.xx.x.xx,xxx.xx.x.xx,xxx.xx.x.xx,allow-all-employees,
"xxxxx\xxxxx o"xxxxxxxxxx"'"xxxxxxxxxx"test",,psiphon,vsys1,
ethernet4Zone-test2,partners,,,rs-logging,,371791,1,26367,
21078,5556,16804,2048,tcp,allow,1230723,526649,704074,2229,
2020-10-12T19:56:14.000000Z,40,any,,563731018,-9223372036854775808,
BR,AU,,1237,992,unknown,0,0,0,0,,PA-VM,unknown,,,0,,0,
2020-10-12T19:56:14.000000Z,GTP-U-TCI,-2522015791327477700,2295,729,
1566,75fd49ee-9899-4257-94f3-54abc79faa5a,424809,0,,,,,,,dynug-1-test,
xxx.xx.x.xx,X-Phone,x-profile,Note 4G,Lenovo,K6,Android v9,
pan-505,596703749274,X-Phone,x-profile,MI,Xiaomi,A1,Android v9.1,
pan-622,620797415366,1873cc5c-0d31,pns_default,pan-dp-77754f4,,,
5050505050,LN0000001,,,session_owner-0,2020-10-12T19:56:44.728000Z,
c6,122f7


The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value,
rule_matched, source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value,
outbound_if.value, log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port,
nat_source_port, nat_dest_port, flags, protocol.value, action.value, bytes_total,
bytes_sent, bytes_received, packets_total, session_start_time, total_time_elapsed,
url_category.value, EMPTY, sequence_no, action_flags, source_location, dest_location,
EMPTY, packets_sent, packets_received, session_end_reason.value, dg_hier_level_1,
dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name,
action_source.value, source_uuid, dest_uuid, tunnelid_imsi, monitor_tag_imei,
parent_session_id, parent_start_time, tunnel.value, ep_ass​oc_id, chunks_total, chunks_sent,
chunks_received, rule_matched_uuid, http2_connection, link_change_count, policy_id,
link_switches, sdwan_cluster, sdwan_device_type, sdwan_cluster_type, sdwan_site,
dynusergroup_name, xff_ip.value, source_device_category, source_device_profile,
source_device_model, source_device_vendor, source_device_osfamily, source_device_osversion,
source_device_host, source_device_mac, dest_device_category, dest_device_profile,
dest_device_model, dest_device_vendor, dest_device_osfamily, dest_device_osversion,
dest_device_host, dest_device_mac, container_id, pod_namespace, pod_name, source_edl,
dest_edl, host_id, endpoint_serial_number, source_dynamic_address_group,
dest_dynamic_address_group, ha_session_owner, time_generated_high_res,
nssai_network_slice_type.value, nssai_network_slice_differentiator.value
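
A consumer of the Syslog format has to zip the comma-separated message body against this field order, and the two places where hand-rolled splitting goes wrong are the EMPTY positions and the quoted source_user value. The Python below is an added example, not code from the schema reference or from Palo Alto Networks: it locates the RFC 5424 message after a relay prefix of the kind shown in the example above, parses the body with the csv module using the default Traffic order, refuses a line whose field count does not match (a silent shift would put every later column under the wrong query name), and cross-checks the bytes, packets and chunks totals against their sent and received parts as a cheap shifted-column detector. The sample line, its hostname, addresses and UUID are constructed.

```python
"""Map a Traffic log in the default Syslog field order back to query names.
Added example, not code from the schema reference or from Palo Alto Networks.
TRAFFIC_FIELD_ORDER is the default Traffic Syslog order given in the reference;
SAMPLE_LINE is constructed (documentation-range addresses, placeholder UUID).
"""
import csv
import re

TRAFFIC_FIELD_ORDER = [
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "time_generated", "source_ip.value", "dest_ip.value",
    "nat_source.value", "nat_dest.value", "rule_matched", "source_user", "dest_user",
    "app", "vsys", "from_zone", "to_zone", "inbound_if.value", "outbound_if.value",
    "log_set", "EMPTY", "session_id", "count_of_repeats", "source_port", "dest_port",
    "nat_source_port", "nat_dest_port", "flags", "protocol.value", "action.value",
    "bytes_total", "bytes_sent", "bytes_received", "packets_total", "session_start_time",
    "total_time_elapsed", "url_category.value", "EMPTY", "sequence_no", "action_flags",
    "source_location", "dest_location", "EMPTY", "packets_sent", "packets_received",
    "session_end_reason.value", "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3",
    "dg_hier_level_4", "vsys_name", "log_source_name", "action_source.value",
    "source_uuid", "dest_uuid", "tunnelid_imsi", "monitor_tag_imei", "parent_session_id",
    "parent_start_time", "tunnel.value", "ep_assoc_id", "chunks_total", "chunks_sent",
    "chunks_received", "rule_matched_uuid", "http2_connection", "link_change_count",
    "policy_id", "link_switches", "sdwan_cluster", "sdwan_device_type",
    "sdwan_cluster_type", "sdwan_site", "dynusergroup_name", "xff_ip.value",
    "source_device_category", "source_device_profile", "source_device_model",
    "source_device_vendor", "source_device_osfamily", "source_device_osversion",
    "source_device_host", "source_device_mac", "dest_device_category",
    "dest_device_profile", "dest_device_model", "dest_device_vendor",
    "dest_device_osfamily", "dest_device_osversion", "dest_device_host",
    "dest_device_mac", "container_id", "pod_namespace", "pod_name", "source_edl",
    "dest_edl", "host_id", "endpoint_serial_number", "source_dynamic_address_group",
    "dest_dynamic_address_group", "ha_session_owner", "time_generated_high_res",
    "nssai_network_slice_type.value", "nssai_network_slice_differentiator.value",
]  # 105 positions; HEADER and EMPTY are placeholders, not query names

# The RFC 5424 message starts at "<PRI>1 "; a relay prefix before it (as in the
# reference's example) is skipped.
_RFC5424_START = re.compile(r"<\d{1,3}>1 ")


def parse_traffic_syslog(line):
    """Return {query_name: value} for one Traffic log line; raise ValueError otherwise."""
    m = _RFC5424_START.search(line)
    if m is None:
        raise ValueError("no RFC 5424 header (<PRI>1) found")
    # Header after the version: TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD, then MSG
    parts = line[m.end():].split(" ", 6)
    if len(parts) != 7:
        raise ValueError("truncated syslog header")
    timestamp, hostname, _app, _procid, msgid, _sd, msg = parts
    if msgid != "panwlogs":
        raise ValueError(f"unexpected MSGID {msgid!r}")
    values = next(csv.reader([msg]))  # quoted fields (source_user) may contain commas
    if len(values) != len(TRAFFIC_FIELD_ORDER):
        # A wrong count zipped against the order would silently shift every later
        # column under the wrong query name, so refuse the line instead.
        raise ValueError(f"expected {len(TRAFFIC_FIELD_ORDER)} fields, got {len(values)}")
    record = {"syslog_timestamp": timestamp, "syslog_hostname": hostname}
    for name, value in zip(TRAFFIC_FIELD_ORDER, values):
        if name not in ("HEADER", "EMPTY"):
            record[name] = value
    return record


def is_wellformed(line):
    """True when the line parses with exactly the expected number of fields."""
    try:
        parse_traffic_syslog(line)
    except ValueError:
        return False
    return True


def counter_mismatches(record):
    """Totals that differ from sent + received: a cheap check for shifted columns."""
    triples = (("bytes_total", "bytes_sent", "bytes_received"),
               ("packets_total", "packets_sent", "packets_received"),
               ("chunks_total", "chunks_sent", "chunks_received"))
    return [total for total, sent, received in triples
            if int(record[total]) != int(record[sent]) + int(record[received])]


SAMPLE_LINE = (  # constructed; field positions noted per piece
    "Oct 12 21:28:47 relay-host <142>1 2020-10-12T21:28:47.110Z stream-logfwd20-example "
    "logforwarder - panwlogs - "
    "1,2020-10-12T21:28:42.000000Z,007051000113358,TRAFFIC,end,10.0,"                # 1-6
    "2020-10-12T19:56:43.000000Z,198.51.100.23,192.0.2.10,203.0.113.5,192.0.2.10,"   # 7-11
    'allow-all-employees,"corp\\jdoe",,psiphon,vsys1,trust,untrust,'                  # 12-18
    "ethernet1/1,ethernet1/2,rs-logging,,371791,1,26367,21078,5556,16804,"           # 19-28
    "2048,tcp,allow,1230723,526649,704074,2229,2020-10-12T19:56:14.000000Z,40,"      # 29-37
    "any,,563731018,0,BR,AU,,1237,992,tcp-fin,0,0,0,0,,PA-VM,from-policy,"           # 38-54
    ",,0,,0,2020-10-12T19:56:14.000000Z,N/A,0,2295,729,1566,"                        # 55-65
    "00000000-0000-4000-8000-000000000001,0,0,"                                      # 66-68
    ",,,,,,dynug-1-test,,"                                                           # 69-76
    "X-Phone,x-profile,Note 4G,Lenovo,K6,Android v9,pan-505,596703749274,"           # 77-84
    "X-Phone,x-profile,MI,Xiaomi,A1,Android v9.1,pan-622,620797415366,"              # 85-92
    "1873cc5c-0d31,pns_default,pan-dp-77754f4,,,5050505050,LN0000001,"              # 93-99
    ",,session_owner-0,2020-10-12T19:56:44.728000Z,c6,122f7"                         # 100-105
)
```

For filters created after the migration the column list is whatever was chosen in the filter, so TRAFFIC_FIELD_ORDER is the one thing to swap out; the count check and the counter cross-check stay useful either way.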

Traffic CEF Fields

Example Traffic log in CEF:

Mar 1 20:46:50 xxx.xx.x.xx 4581 <14>1 2021-03-01T20:46:50.869Z stream-logfwd20-587718190-03011242-xynu-harness-zpqg logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|ProfileToken=xxxxx dtz=UTC rt=Feb 27 2021 20:16:21
deviceExternalId=xxxxxxxxxxxxx PanOSApplicationContainer=
PanOSApplicationRisk=5 PanOSApplicationSubcategory=file-sharing PanOSApplicationTechnology=peer-to-peer
PanOSCaptivePortal=false PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx
PanOSDestinationDeviceClass= PanOSDestinationDeviceOS=
dntdom=paloaltonetwork duser=xxxxx duid=
PanOSInboundInterfaceDetailsPort=0
PanOSInboundInterfaceDetailsSlot=0
PanOSInboundInterfaceDetailsType=unknown
PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false
PanOSIsContainer=false PanOSIsDecryptMirror=false
PanOSIsDecrypted=false PanOSIsDecryptedLog=false
PanOSIsDecryptedPayloadForward=false PanOSIsDuplicateLog=false
PanOSIsEncrypted=false PanOSIsIPV6=false
PanOSIsInspectionBeforeSession=true PanOSIsMptcpOn=false
PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false
PanOSIsPhishing=false PanOSIsPrismaNetwork=false
PanOSIsPrismaUsers=false PanOSIsProxy=false
PanOSIsReconExcluded=false PanOSIsSaaSApplication=false
PanOSIsServertoClient=false PanOSIsSourceXForwarded=false
PanOSIsSystemReturn=false PanOSIsTransaction=false
PanOSIsTunnelInspected=false PanOSIsURLDenied=false
PanOSLogExported=false PanOSLogForwarded=true
PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset=
PanOSNAT=false PanOSNonStandardDestinationPort=0
PanOSOutboundInterfaceDetailsPort=0
PanOSOutboundInterfaceDetailsSlot=0
PanOSOutboundInterfaceDetailsType=unknown
PanOSOutboundInterfaceDetailsUnit=0 PanOSSDWANFECRatio=0.0
PanOSSanctionedStateOfApp=false PanOSSessionOwnerMidx=false
PanOSSessionTracker=16 PanOSSourceDeviceClass=
PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid=
PanOSTunneledApplication=tunneled-app PanOSUsers=xxxxx\\xxxxx
xxxxx PanOSVirtualSystemID=1 PanOSApplicationCategory=peer2peer
PanOSConfigVersion=10.0 start=Feb 27 2021 20:16:17 src=xxx.xx.x.xx
dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx
destinationTranslatedAddress=xxx.xx.x.xx cs1=deny-attackers
cs1Label=Rule suser0=xxxxx\\xxxxx xxxxx duser0=paloaltonetwork\\xxxxx app=fileguri cs3=vsys1 cs3Label=VirtualLocation
cs4=untrust cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=unknown
deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting
cn1=25596 cn1Label=SessionID cnt=1 spt=22871 dpt=27092
sourceTranslatedPort=24429 destinationTranslatedPort=14744
proto=tcp act=deny PanOSBytes=1370294 out=400448 in=969846
cn2=314 cn2Label=PacketsTotal PanOSSessionStartTime=Feb 27
2021 20:15:48 cn3=56 cn3Label=SessionDuration cs2=custom-category cs2Label=URLCategory externalId=xxxxxxxxxxxxx
PanOSSourceLocation=east-coast PanOSDestinationLocation=BR
PanOSPacketsSent=194 PanOSPacketsReceived=120 reason=unknown
PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0
PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0
PanOSVirtualSystemName= dvchost=xxxxx cat=unknown
PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI=
PanOSParentSessionID=0 PanOSParentStarttime=Feb 27 2021 20:15:40
PanOSTunnel=GRE PanOSEndpointAssociationID=-3746994889972252628
PanOSChunksTotal=1945 PanOSChunksSent=323 PanOSChunksReceived=1622
PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615
PanOSHTTP2Connection=469139 PanOSLinkChangeCount=0
PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster=
PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite=
PanOSDynamicUserGroupName=dynug-4 PanOSX-Forwarded-ForIP=xxx.xx.x.xx PanOSSourceDeviceCategory=N-Phone
PanOSSourceDeviceProfile=n-profile PanOSSourceDeviceModel=Nexus
PanOSSourceDeviceVendor=Google PanOSSourceDeviceOSFamily=LG-H790
PanOSSourceDeviceOSVersion=Android v6 PanOSSourceDeviceHost=pan-301
PanOSSourceDeviceMac=839147449905 PanOSDestinationDeviceCategory=N-Phone PanOSDestinationDeviceProfile=n-profile
PanOSDestinationDeviceModel=Nexus
PanOSDestinationDeviceVendor=Google
PanOSDestinationDeviceOSFamily=H1511
PanOSDestinationDeviceOSVersion=Android v7
PanOSDestinationDeviceHost=pan-355
PanOSDestinationDeviceMac=530589561221
PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default
PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL=
PanOSDestinationEDL= PanOSGPHostID=xxxxxxxxxxxxxx
PanOSEndpointSerialNumber=xxxxxxxxxxxxxx
PanOSSourceDynamicAddressGroup= aqua_dag
PanOSDestinationDynamicAddressGroup=
PanOSHASessionOwner=session_owner-4
PanOSTimeGeneratedHighResolution=Feb 27
2021 20:16:18 PanOSNSSAINetworkSliceType=0
PanOSNSSAINetworkSliceDifferentiator=1bca5
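
CEF delivers the custom string and number fields as pairs (cs1=deny-attackers cs1Label=Rule), and values such as rt=Feb 27 2021 20:16:21 or suser=xxxxx xxxxx contain spaces, so a receiver that splits the extension on whitespace gets the wrong answer before it ever reaches the name mapping. The Python below is an added example, not code from the schema reference or from Palo Alto Networks: it finds the CEF header inside the syslog wrapper, splits it on unescaped pipes, parses the extension into key=value pairs that tolerate spaces and CEF escapes, pairs each csN/cnN with its Label, and maps the result to query names using the subset of the CEF table transcribed into CEF_TO_QUERY. Labelled fields are mapped by their Label text because that is what the receiving system sees. The sample line is constructed, including its syslog header, addresses and UUID.

```python
"""Parse a Traffic log in CEF and resolve cs/cn labels to the reference's query names.
Added example, not code from the schema reference or from Palo Alto Networks.
CEF_TO_QUERY is a subset transcribed from the CEF table; SAMPLE_CEF is constructed.
"""
import re

# Predefined keys map by CEF name; custom string/number fields map by their Label
# text, because cs1=deny-attackers cs1Label=Rule is what arrives on the wire.
CEF_TO_QUERY = {
    "act": "action.value", "cat": "action_source.value", "app": "app",
    "in": "bytes_received", "out": "bytes_sent", "PanOSBytes": "bytes_total",
    "cnt": "count_of_repeats", "dst": "dest_ip.value", "dpt": "dest_port",
    "duser": "dest_user", "rt": "log_time", "start": "time_generated",
    "externalId": "sequence_no", "deviceExternalId": "log_source_id",
    "dvchost": "log_source_name", "proto": "protocol.value",
    "reason": "session_end_reason.value", "src": "source_ip.value",
    "spt": "source_port", "suser": "source_user", "PanOSRuleUUID": "rule_matched_uuid",
    "PanOSSourceDynamicAddressGroup": "source_dynamic_address_group",
    "PanOSDestinationDynamicAddressGroup": "dest_dynamic_address_group",
    "Rule": "rule_matched", "VirtualLocation": "vsys", "FromZone": "from_zone",
    "ToZone": "to_zone", "LogSetting": "log_set", "SessionID": "session_id",
    "PacketsTotal": "packets_total", "SessionDuration": "total_time_elapsed",
    "URLCategory": "url_category.value",
}
# CEF header slots; Device Vendor, Device Event Class ID and Name carry the query
# names vendor_name, log_type.value and sub_type.value per the table.
HEADER_FIELDS = ("cef_version", "vendor_name", "device_product", "device_version",
                 "log_type.value", "sub_type.value", "severity")
# One key=value pair; the value runs lazily until the next " key=" token or the end,
# so values with spaces (rt=Feb 27 2021 20:16:21) survive and \= or \\ never end one.
_EXT_RE = re.compile(r"(?:^|\s)([\w.\-]+)=((?:\\.|[^\\])*?)(?=\s[\w.\-]+=|\s*$)")


def _unescape(text):
    """Undo CEF escaping (backslash before =, |, backslash, n or r)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef_extension(ext):
    """Extension string -> {key: value}; a stray leading space in a value is trimmed."""
    return {k: _unescape(v.strip()) for k, v in _EXT_RE.findall(ext)}


def resolve_labels(ext):
    """Replace cs1=... cs1Label=Rule with Rule=... and drop the *Label keys."""
    labels = {k[:-5]: v for k, v in ext.items() if k.endswith("Label")}
    return {labels.get(k, k): v for k, v in ext.items() if not k.endswith("Label")}


def parse_traffic_cef(line):
    """Syslog-wrapped or bare CEF line -> {query_name: value}; ValueError if not CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header")
    head = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)  # 7 unescaped pipes
    if len(head) != 8:
        raise ValueError("incomplete CEF header")
    record = dict(zip(HEADER_FIELDS, (_unescape(h) for h in head[:7])))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    for key, value in resolve_labels(parse_cef_extension(head[7])).items():
        record[CEF_TO_QUERY.get(key, key)] = value  # unmapped keys keep the CEF name
    return record


def is_cef(line):
    try:
        parse_traffic_cef(line)
    except ValueError:
        return False
    return True


SAMPLE_CEF = (  # constructed; mirrors the layout of the reference's example
    r"<14>1 2021-03-01T20:46:50.869Z stream-logfwd20-example logforwarder - panwlogs - "
    r"CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|"
    r"rt=Feb 27 2021 20:16:21 deviceExternalId=007051000113358 "
    r"start=Feb 27 2021 20:16:17 src=198.51.100.23 dst=192.0.2.10 "
    r"cs1=deny-attackers cs1Label=Rule suser=corp\\jdoe app=fileguri "
    r"cs3=vsys1 cs3Label=VirtualLocation cs4=untrust cs4Label=FromZone "
    r"cs5=trust cs5Label=ToZone cs6=rs-logging cs6Label=LogSetting "
    r"cn1=25596 cn1Label=SessionID cnt=1 spt=22871 dpt=27092 proto=tcp act=deny "
    r"PanOSBytes=1370294 out=400448 in=969846 cn2=314 cn2Label=PacketsTotal "
    r"cn3=56 cn3Label=SessionDuration cs2=custom-category cs2Label=URLCategory "
    r"externalId=12345 reason=policy-deny "
    r"PanOSSourceDynamicAddressGroup= aqua_dag PanOSDestinationDynamicAddressGroup= "
    r"PanOSRuleUUID=00000000-0000-4000-8000-000000000001"
)
```

The trimming in parse_cef_extension is there for the "PanOSSourceDynamicAddressGroup= aqua_dag" shape visible in the example above; a consumer that wants to preserve values exactly can drop the strip() and handle that case explicitly.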

The following table identifies the Traffic field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name Field Details

act Query Name: action.value


Header Type: Predefined
Max Length: 63

cat Query Name: action_source.value


Header Type: Predefined
Max Length: 1023

app Query Name: app


Header Type: Predefined
Max Length: 31

PanOSApplicationCategory Query Name: app_category


Header Type: Custom

PanOSApplicationSubcategory Query Name: app_sub_category


Header Type: Custom

in Query Name: bytes_received


Header Type: Predefined

out Query Name: bytes_sent


Header Type: Predefined

PanOSBytes Query Name: bytes_total


Header Type: Custom


PanOSChunksReceived Query Name: chunks_received


Header Type: Custom

PanOSChunksSent Query Name: chunks_sent


Header Type: Custom

PanOSChunksTotal Query Name: chunks_total


Header Type: Custom

PanOSConfigVersion Query Name: config_version.value


Header Type: Custom

PanOSContainerID Query Name: container_id


Header Type: Custom

PanOSApplicationContainer Query Name: container_of_app


Header Type: Custom

cnt Query Name: count_of_repeats


Header Type: Predefined

PanOSCortexDataLakeTenantID Query Name: customer_id


Header Type: Custom

PanOSDestinationDeviceCategory Query Name: dest_device_category


Header Type: Custom

PanOSDestinationDeviceClass Query Name: dest_device_class


Header Type: Custom

PanOSDestinationDeviceHost Query Name: dest_device_host


Header Type: Custom

PanOSDestinationDeviceMac Query Name: dest_device_mac


Header Type: Custom

PanOSDestinationDeviceModel Query Name: dest_device_model


Header Type: Custom

PanOSDestinationDeviceOS Query Name: dest_device_os



Header Type: Custom

PanOSDestinationDeviceOSFamily Query Name: dest_device_osfamily


Header Type: Custom

PanOSDestinationDeviceOSVersion Query Name: dest_device_osversion


Header Type: Custom

PanOSDestinationDeviceProfile Query Name: dest_device_profile


Header Type: Custom

PanOSDestinationDeviceVendor Query Name: dest_device_vendor


Header Type: Custom

PanOSDestinationDynamicAddressGroup Query Name: dest_dynamic_address_group


Header Type: Custom

PanOSDestinationEDL Query Name: dest_edl


Header Type: Custom

dst or c6a3 Query Name: dest_ip.value


Header Type: Predefined
Label: c6a3Label (for c6a3 only)
Label Text: Destination IPv6 Address (for c6a3 only)

PanOSDestinationLocation Query Name: dest_location


Header Type: Custom

dpt Query Name: dest_port


Header Type: Predefined

duser Query Name: dest_user


Header Type: Predefined
Max Length: 1023

dntdom Query Name: dest_user_info.domain


Header Type: Predefined
Max Length: 255


dusername, duser Query Name: dest_user_info.name


Header Type: Predefined
Max Length: 255

duid Query Name: dest_user_info.uuid


Header Type: Predefined
Max Length: 255

PanOSDestinationUUID Query Name: dest_uuid


Header Type: Custom

PanOSDGHierarchyLevel1 Query Name: dg_hier_level_1


Header Type: Custom

PanOSDGHierarchyLevel2 Query Name: dg_hier_level_2


Header Type: Custom

PanOSDGHierarchyLevel3 Query Name: dg_hier_level_3


Header Type: Custom

PanOSDGHierarchyLevel4 Query Name: dg_hier_level_4


Header Type: Custom

PanOSDynamicUserGroupName Query Name: dynusergroup_name


Header Type: Custom

PanOSEndpointSerialNumber Query Name: endpoint_serial_number


Header Type: Custom

PanOSEndpointAssociationID Query Name: ep_assoc_id


Header Type: Custom

FlowType Query Name: flow_type.value


Header Type: Custom

cs4 Query Name: from_zone


Header Type: Predefined
Label: cs4Label
Label Text: FromZone



Max Length: 4000

PanOSHASessionOwner Query Name: ha_session_owner


Header Type: Custom

PanOSGPHostID Query Name: host_id


Header Type: Custom

PanOSHTTP2Connection Query Name: http2_connection


Header Type: Custom

deviceInboundInterface Query Name: inbound_if.value


Header Type: Predefined
Max Length: 128

PanOSInboundInterfaceDetailsPort Query Name: inbound_if_details.port


Header Type: Custom

PanOSInboundInterfaceDetailsSlot Query Name: inbound_if_details.slot


Header Type: Custom

PanOSInboundInterfaceDetailsType Query Name: inbound_if_details.type.value


Header Type: Custom

PanOSInboundInterfaceDetailsUnit Query Name: inbound_if_details.unit


Header Type: Custom

PanOSCaptivePortal Query Name: is_captive_portal


Header Type: Custom

PanOSIsClienttoServer Query Name: is_client_to_server


Header Type: Custom

PanOSIsContainer Query Name: is_container


Header Type: Custom

PanOSIsDecryptMirror Query Name: is_decrypt_mirror


Header Type: Custom

PanOSIsDecrypted Query Name: is_decrypted



Header Type: Custom

PanOSIsDecryptedPayloadForward Query Name: is_decrypted_payload_fwded


Header Type: Custom

PanOSIsDecryptedLog Query Name: is_decryption_log


Header Type: Custom

PanOSIsDuplicateLog Query Name: is_dup_log


Header Type: Custom

PanOSIsEncrypted Query Name: is_encrypted


Header Type: Custom

PanOSLogExported Query Name: is_exported


Header Type: Custom

PanOSLogForwarded Query Name: is_forwarded


Header Type: Custom

PanOSIsIPV6 Query Name: is_ipv6


Header Type: Custom

PanOSIsInspectionBeforeSession Query Name: is_l7_inspection_b4_session


Header Type: Custom

PanOSIsMptcpOn Query Name: is_mptcp_on


Header Type: Custom

PanOSNAT Query Name: is_nat


Header Type: Custom

PanOSIsNonStandardDestinationPort Query Name: is_non_std_dest_port


Header Type: Custom

PanOSIsOffloaded Query Name: is_offloaded


Header Type: Custom

PanOSIsPacketCapture Query Name: is_packet_capture


Header Type: Custom


PanOSIsPhishing Query Name: is_phishing


Header Type: Custom

PanOSIsPrismaNetwork Query Name: is_prisma_branch


Header Type: Custom

PanOSIsPrismaUsers Query Name: is_prisma_mobile


Header Type: Custom

PanOSIsProxy Query Name: is_proxy


Header Type: Custom

PanOSIsReconExcluded Query Name: is_recon_excluded


Header Type: Custom

PanOSIsSaaSApplication Query Name: is_saas_app


Header Type: Custom

PanOSIsServertoClient Query Name: is_server_to_client


Header Type: Custom

PanOSIsSourceXForwarded Query Name: is_source_x_fwded


Header Type: Custom

PanOSIsSystemReturn Query Name: is_sym_return


Header Type: Custom

PanOSIsTransaction Query Name: is_transaction


Header Type: Custom

PanOSIsTunnelInspected Query Name: is_tunnel_inspected


Header Type: Custom

PanOSIsURLDenied Query Name: is_url_denied


Header Type: Custom

PanOSLinkChangeCount Query Name: link_change_count


Header Type: Custom

PanOSLinkSwitches Query Name: link_switches



Header Type: Custom

PanOSLocation Query Name: location


Header Type: Custom

cs6 Query Name: log_set


Header Type: Predefined
Label: cs6Label
Label Text: LogSetting
Max Length: 4000

PanOSLogSource Query Name: log_source


Header Type: Custom

LogSourceGroupID Query Name: log_source_group_id


Header Type: Custom
Max Length: 255

deviceExternalId Query Name: log_source_id


Header Type: Predefined
Max Length: 255

dvchost Query Name: log_source_name


Header Type: Predefined
Max Length: 100

PanOSLogSourceTimeZoneOffset Query Name: log_source_tz_offset


Header Type: Custom

rt Query Name: log_time


Header Type: Predefined

Device Event Class ID Query Name: log_type.value


Header Type: Custom

PanOSIMEI Query Name: monitor_tag_imei


Header Type: Custom

destinationTranslatedAddress Query Name: nat_dest.value



Header Type: Predefined

destinationTranslatedPort Query Name: nat_dest_port


Header Type: Predefined

sourceTranslatedAddress Query Name: nat_source.value


Header Type: Predefined

sourceTranslatedPort Query Name: nat_source_port


Header Type: Predefined

PanOSNonStandardDestinationPort Query Name: non_standard_dest_port


Header Type: Custom

PanOSNSSAINetworkSliceDifferentiator Query Name: nssai_network_slice_differentiator.value


Header Type: Custom

PanOSNSSAINetworkSliceType Query Name: nssai_network_slice_type.value


Header Type: Custom

deviceOutboundInterface Query Name: outbound_if.value


Header Type: Predefined
Max Length: 128

PanOSOutboundInterfaceDetailsPort Query Name: outbound_if_details.port


Header Type: Custom

PanOSOutboundInterfaceDetailsSlot Query Name: outbound_if_details.slot


Header Type: Custom

PanOSOutboundInterfaceDetailsType Query Name: outbound_if_details.type.value


Header Type: Custom

PanOSOutboundInterfaceDetailsUnit Query Name: outbound_if_details.unit


Header Type: Custom

PanOSPacketsReceived Query Name: packets_received


Header Type: Custom


PanOSPacketsSent Query Name: packets_sent


Header Type: Custom

cn2 Query Name: packets_total


Header Type: Predefined
Label: cn2Label
Label Text: PacketsTotal

PanOSPanoramaSN Query Name: panorama_serial


Header Type: Custom

PanOSParentSessionID Query Name: parent_session_id


Header Type: Custom

PanOSParentStarttime Query Name: parent_start_time


Header Type: Custom

PlatformType Query Name: platform_type


Header Type: Custom

PanOSContainerName Query Name: pod_name


Header Type: Custom

PanOSContainerNameSpace Query Name: pod_namespace


Header Type: Custom

PanOSSDWANPolicyName Query Name: policy_id


Header Type: Custom

proto Query Name: protocol.value


Header Type: Predefined
Max Length: 31

PanOSApplicationRisk Query Name: risk_of_app


Header Type: Custom

cs1 Query Name: rule_matched


Header Type: Predefined
Label: cs1Label



Label Text: Rule
Max Length: 4000

PanOSRuleUUID Query Name: rule_matched_uuid


Header Type: Custom

PanOSSanctionedStateOfApp Query Name: sanctioned_state_of_app


Header Type: Custom

PanOSSDWANFECRatio Query Name: sdwan_FEC_ratio


Header Type: Custom

PanOSSDWANCluster Query Name: sdwan_cluster


Header Type: Custom

PanOSSDWANClusterType Query Name: sdwan_cluster_type


Header Type: Custom

PanOSSDWANDeviceType Query Name: sdwan_device_type


Header Type: Custom

PanOSSDWANSite Query Name: sdwan_site


Header Type: Custom

externalId Query Name: sequence_no


Header Type: Predefined
Max Length: 40

PanOSSessionOwnerMidx Query Name: sess_owner_rt_midx


Header Type: Custom

reason Query Name: session_end_reason.value


Header Type: Predefined
Max Length: 1023

cn1 Query Name: session_id


Header Type: Predefined
Label: cn1Label
Label Text: SessionID


PanOSSessionStartTime Query Name: session_start_time


Header Type: Custom

PanOSSessionTracker Query Name: session_tracker


Header Type: Custom

PanOSSourceDeviceCategory Query Name: source_device_category


Header Type: Custom

PanOSSourceDeviceClass Query Name: source_device_class


Header Type: Custom

PanOSSourceDeviceHost Query Name: source_device_host


Header Type: Custom

PanOSSourceDeviceMac Query Name: source_device_mac


Header Type: Custom

PanOSSourceDeviceModel Query Name: source_device_model


Header Type: Custom

PanOSSourceDeviceOS Query Name: source_device_os


Header Type: Custom

PanOSSourceDeviceOSFamily Query Name: source_device_osfamily


Header Type: Custom

PanOSSourceDeviceOSVersion Query Name: source_device_osversion


Header Type: Custom

PanOSSourceDeviceProfile Query Name: source_device_profile


Header Type: Custom

PanOSSourceDeviceVendor Query Name: source_device_vendor


Header Type: Custom

PanOSSourceDynamicAddressGroup Query Name: source_dynamic_address_group


Header Type: Custom

PanOSSourceEDL Query Name: source_edl



Header Type: Custom

src or c6a2 Query Name: source_ip.value


Header Type: Predefined
Label: c6a2Label (for c6a2 only)
Label Text: Source IPv6 Address (for c6a2 only)

PanOSSourceLocation Query Name: source_location


Header Type: Custom

spt Query Name: source_port


Header Type: Predefined

suser Query Name: source_user


Header Type: Predefined
Max Length: 1023

sntdom Query Name: source_user_info.domain


Header Type: Predefined
Max Length: 1023

susername, suser Query Name: source_user_info.name


Header Type: Predefined
Max Length: 1023

suid Query Name: source_user_info.uuid


Header Type: Predefined
Max Length: 1023

PanOSSourceUUID Query Name: source_uuid


Header Type: Custom

Name Query Name: sub_type.value


Header Type: Custom

PanOSApplicationTechnology Query Name: technology_of_app


Header Type: Custom

start Query Name: time_generated



Header Type: Predefined

PanOSTimeGeneratedHighResolution Query Name: time_generated_high_res


Header Type: Custom

cs5 Query Name: to_zone


Header Type: Predefined
Label: cs5Label
Label Text: ToZone
Max Length: 4000

cn3 Query Name: total_time_elapsed


Header Type: Predefined
Label: cn3Label
Label Text: SessionDuration

PanOSTunnel Query Name: tunnel.value


Header Type: Custom

PanOSTunneledApplication Query Name: tunneled_app


Header Type: Custom

PanOSIMSI Query Name: tunnelid_imsi


Header Type: Custom

cs2 Query Name: url_category.value


Header Type: Predefined
Label: cs2Label
Label Text: URLCategory
Max Length: 4000

PanOSUsers Query Name: users


Header Type: Custom

Device Vendor Query Name: vendor_name


Header Type: Custom

cs3 Query Name: vsys



Header Type: Predefined
Label: cs3Label
Label Text: VirtualLocation
Max Length: 4000

PanOSVirtualSystemID Query Name: vsys_id


Header Type: Custom

PanOSVirtualSystemName Query Name: vsys_name


Header Type: Custom

PanOSX-Forwarded-ForIP Query Name: xff_ip.value


Header Type: Custom

Traffic EMAIL Fields

Example Traffic log in EMAIL:

TimeReceived=2021-01-22T21:43:39.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=TRAFFIC
Subtype=end
ConfigVersion=10.0
TimeGenerated=2021-01-22T21:43:23.000000Z
SourceAddress=xxx.xx.x.xx
DestinationAddress=xxx.xx.x.xx
NATSource=xxx.xx.x.xx
NATDestination=xxx.xx.x.xx
Rule=allow-business-apps
SourceUser="paloaltonetwork\xxxxx"
DestinationUser=
Application=infoblox-grid
VirtualLocation=vsys1
FromZone=ethernet4Zone-test1
ToZone=untrust
InboundInterface=unknown
OutboundInterface=unknown
LogSetting=rs-logging
SessionID=952362
RepeatCount=1
SourcePort=5547
DestinationPort=6564
NATSourcePort=8940
NATDestinationPort=16125
Protocol=tcp
Action=deny
Bytes=652430
BytesSent=231247


BytesReceived=421183
PacketsTotal=2058
SessionStartTime=2021-01-22T21:42:53.000000Z
SessionDuration=58
URLCategory=1
SequenceNo=20397927
SourceLocation=BR
DestinationLocation=CN
PacketsSent=1086
PacketsReceived=972
SessionEndReason=unknown
VirtualSystemName=
DeviceName=xxxxx
ActionSource=unknown
SourceUUID=
DestinationUUID=
IMSI=0
IMEI=
ParentSessionID=0
ParentStarttime=2021-01-22T21:42:44.000000Z
Tunnel=N/A
EndpointAssociationID=7349874591868649490
ChunksTotal=3424
ChunksSent=3119
ChunksReceived=305
RuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8
HTTP2Connection=547970
LinkChangeCount=0
SDWANPolicyName=
LinkSwitches=
SDWANCluster=
SDWANDeviceType=
SDWANClusterType=
SDWANSite=
DynamicUserGroupName=dynug-3
X-Forwarded-ForIP=xxx.xx.x.xx
SourceDeviceCategory=X-Phone
SourceDeviceProfile=x-profile
SourceDeviceModel=Redmi
SourceDeviceVendor=Xiaomi
SourceDeviceOSFamily=5 Plus
SourceDeviceOSVersion=Android v8.2
SourceDeviceHost=pan-603
SourceDeviceMac=645701225660
DestinationDeviceCategory=X-Phone
DestinationDeviceProfile=x-profile
DestinationDeviceModel=MI
DestinationDeviceVendor=Xiaomi
DestinationDeviceOSFamily=A1
DestinationDeviceOSVersion=Android v9.1
DestinationDeviceHost=pan-622
DestinationDeviceMac=207974153661
ContainerID=1873cc5c-0d31
ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4
SourceEDL=


DestinationEDL=
GPHostID=6060606060
EndpointSerialNumber=xxxxxxxxxxxxxx
SourceDynamicAddressGroup= aqua_dag
DestinationDynamicAddressGroup=
HASessionOwner=session_owner-2
TimeGeneratedHighResolution=2021-01-22T21:43:23.795000Z
NSSAINetworkSliceType=a7
NSSAINetworkSliceDifferentiator=5700

The following table identifies the Traffic field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.

EMAIL Name Query Name

Action action.value

ActionSource action_source.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

BytesReceived bytes_received

BytesSent bytes_sent

Bytes bytes_total

ChunksReceived chunks_received

ChunksSent chunks_sent

ChunksTotal chunks_total

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DynamicUserGroupName dynusergroup_name

EndpointSerialNumber endpoint_serial_number

EndpointAssociationID ep_assoc_id

FlowType flow_type.value

FromZone from_zone

HASessionOwner ha_session_owner

GPHostID host_id

HTTP2Connection http2_connection

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDecryptedPayloadForward is_decrypted_payload_fwded

IsDecryptedLog is_decryption_log

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsInspectionBeforeSession is_l7_inspection_b4_session

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsOffloaded is_offloaded

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

LinkChangeCount link_change_count

LinkSwitches link_switches

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceDifferentiator nssai_network_slice_differentiator.value

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PacketsReceived packets_received

PacketsSent packets_sent

PacketsTotal packets_total

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStarttime parent_start_time

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

SDWANPolicyName policy_id

Protocol protocol.value

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp sanctioned_state_of_app

SDWANFECRatio sdwan_FEC_ratio

SDWANCluster sdwan_cluster

SDWANClusterType sdwan_cluster_type

SDWANDeviceType sdwan_device_type

SDWANSite sdwan_site

SequenceNo sequence_no

SessionOwnerMidx sess_owner_rt_midx

SessionEndReason session_end_reason.value

SessionID session_id

SessionStartTime session_start_time

SessionTracker session_tracker

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype sub_type.value

ApplicationTechnology technology_of_app

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

SessionDuration total_time_elapsed

Tunnel tunnel.value

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URLCategory url_category.value

Users users

VendorName vendor_name

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

X-Forwarded-ForIP xff_ip.value

Traffic HTTPS Fields


The following table identifies the Traffic field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

Action action.value

ActionSource action_source.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

BytesReceived bytes_received

BytesSent bytes_sent

Bytes bytes_total

ChunksReceived chunks_received

ChunksSent chunks_sent

ChunksTotal chunks_total

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DynamicUserGroupName dynusergroup_name

EndpointSerialNumber endpoint_serial_number

EndpointAssociationID ep_assoc_id

FlowType flow_type.value

FromZone from_zone

HASessionOwner ha_session_owner

GPHostID host_id

HTTP2Connection http2_connection

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDecryptedPayloadForward is_decrypted_payload_fwded

IsDecryptedLog is_decryption_log

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsInspectionBeforeSession is_l7_inspection_b4_session

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsOffloaded is_offloaded

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

LinkChangeCount link_change_count

LinkSwitches link_switches

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceDifferentiator nssai_network_slice_differentiator.value

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PacketsReceived packets_received

PacketsSent packets_sent

PacketsTotal packets_total

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStarttime parent_start_time

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

SDWANPolicyName policy_id

Protocol protocol.value

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp sanctioned_state_of_app

SDWANFECRatio sdwan_FEC_ratio

SDWANCluster sdwan_cluster

SDWANClusterType sdwan_cluster_type

SDWANDeviceType sdwan_device_type

SDWANSite sdwan_site

SequenceNo sequence_no

SessionOwnerMidx sess_owner_rt_midx

SessionEndReason session_end_reason.value

SessionID session_id

SessionStartTime session_start_time

SessionTracker session_tracker

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype sub_type.value

ApplicationTechnology technology_of_app

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

SessionDuration total_time_elapsed

Tunnel tunnel.value

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URLCategory url_category.value

Users users

VendorName vendor_name

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

X-Forwarded-ForIP xff_ip.value

Traffic LEEF Fields


Example Traffic log in LEEF (one syslog line, wrapped here for display):

Sep 21 01:47:21 gke-standard-cluster-2-pool-3-f004381a-0gw6 2557 <14>1
2021-09-21T01:47:21.059Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4
logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|
10.1|drop-reset| |TimeReceived=2021-09-21T01:47:20.000000Z
DeviceSN=xxxxxxxxxxxxx cat=traffic SubType=end ConfigVersion=10.1
devTime=2021-09-21T01:47:18.000000Z src=xxx.xx.x.xx
dst=xxx.xx.x.xx srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx
Rule=deny-attackers usrName=paloaltonetwork\xxxxx
DestinationUser=paloaltonetwork\xxxxx Application=kik
VirtualLocation=vsys1 FromZone=ethernet4Zone-test1 ToZone=dmz
InboundInterface=ethernet1/1 OutboundInterface=ethernet1/1
LogSetting=rs-logging SessionID=378400 RepeatCount=1 srcPort=30217
dstPort=19224 srcPostNATPort=30495 dstPostNATPort=26496
proto=tcp Bytes=1662791 srcBytes=1011460 dstBytes=651331
totalPackets=1296 SessionStartTime=2021-09-21T01:46:47.000000Z
SessionDuration=21 URLCategory=travel SequenceNo=7003061085139304175
SourceLocation=CN DestinationLocation=AU srcPackets=773
dstPackets=523 SessionEndReason=unknown DGHierarchyLevel1=11
DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0
VirtualSystemName= DeviceName=xxxxx ActionSource=unknown
SourceUUID= DestinationUUID= IMSI=1625217256995207 IMEI=
ParentSessionID=0 ParentStarttime=2021-09-21T01:46:47.000000Z
Tunnel=N/A EndpointAssociationID=-7926053869195362181
ChunksTotal=2388 ChunksSent=1194 ChunksReceived=1194
RuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 HTTP2Connection=378400
LinkChangeCount=0 SDWANPolicyName= LinkSwitches=
SDWANCluster= SDWANDeviceType= SDWANClusterType= SDWANSite=
DynamicUserGroupName=test-dynug-5 X-Forwarded-ForIP=xxx.xx.x.xx
SourceDeviceCategory=N-Phone SourceDeviceProfile=n-profile
SourceDeviceModel=Nexus SourceDeviceVendor=Google
SourceDeviceOSFamily=LG-H790 SourceDeviceOSVersion=Android v6
SourceDeviceHost=pan-301 SourceDeviceMac=839147449905
DestinationDeviceCategory=N-Phone DestinationDeviceProfile=n-profile
DestinationDeviceModel=Nexus DestinationDeviceVendor=Google
DestinationDeviceOSFamily=H1511 DestinationDeviceOSVersion=Android v7
DestinationDeviceHost=pan-355 DestinationDeviceMac=530589561221
ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL=
GPHostID=3030303030 EndpointSerialNumber=xxxxxxxxxxxxxx
SourceDynamicAddressGroup= DestinationDynamicAddressGroup=
HASessionOwner=session_owner-2
TimeGeneratedHighResolution=2021-09-21T01:47:18.730000Z
NSSAINetworkSliceType=39 NSSAINetworkSliceDifferentiator=ca1d
devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the Traffic field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app includes when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth), as a parameter named profileToken.

LEEF Name Query Name Field Type

EventID action.value Header

ActionSource action_source.value Custom

Application app Custom

ApplicationCategory app_category Custom

ApplicationSubcategory app_sub_category Custom

dstBytes bytes_received Predefined

srcBytes bytes_sent Predefined

Bytes bytes_total Custom

ChunksReceived chunks_received Custom

ChunksSent chunks_sent Custom

ChunksTotal chunks_total Custom

ConfigVersion config_version.value Custom

ContainerID container_id Custom

ApplicationContainer container_of_app Custom

RepeatCount count_of_repeats Custom

CortexDataLakeTenantID customer_id Custom

DestinationDeviceCategory dest_device_category Custom

DestinationDeviceClass dest_device_class Custom

DestinationDeviceHost dest_device_host Custom

DestinationDeviceMac dest_device_mac Custom

DestinationDeviceModel dest_device_model Custom

DestinationDeviceOS dest_device_os Custom

DestinationDeviceOSFamily dest_device_osfamily Custom

DestinationDeviceOSVersion dest_device_osversion Custom

DestinationDeviceProfile dest_device_profile Custom

DestinationDeviceVendor dest_device_vendor Custom

DestinationDynamicAddressGroup dest_dynamic_address_group Custom

DestinationEDL dest_edl Custom

dst dest_ip.value Predefined

DestinationLocation dest_location Custom

dstPort dest_port Predefined

DestinationUser dest_user Custom

DestinationUserDomain dest_user_info.domain Custom

DestinationUserName dest_user_info.name Custom

DestinationUserUUID dest_user_info.uuid Custom

DestinationUUID dest_uuid Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

DynamicUserGroupName dynusergroup_name Custom

EndpointSerialNumber endpoint_serial_number Custom

EndpointAssociationID ep_assoc_id Custom

FlowType flow_type.value Custom

FromZone from_zone Custom

HASessionOwner ha_session_owner Custom

GPHostID host_id Custom

HTTP2Connection http2_connection Custom

InboundInterface inbound_if.value Custom

InboundInterfaceDetailsPort inbound_if_details.port Custom

InboundInterfaceDetailsSlot inbound_if_details.slot Custom

InboundInterfaceDetailsType inbound_if_details.type.value Custom

InboundInterfaceDetailsUnit inbound_if_details.unit Custom

CaptivePortal is_captive_portal Custom

IsClienttoServer is_client_to_server Custom

IsContainer is_container Custom

IsDecryptMirror is_decrypt_mirror Custom

IsDecrypted is_decrypted Custom

IsDecryptedPayloadForward is_decrypted_payload_fwded Custom

IsDecryptedLog is_decryption_log Custom

IsDuplicateLog is_dup_log Custom

IsEncrypted is_encrypted Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsIPV6 is_ipv6 Custom

IsInspectionBeforeSession is_l7_inspection_b4_session Custom

IsMptcpOn is_mptcp_on Custom

NAT is_nat Custom

IsNonStandardDestinationPort is_non_std_dest_port Custom

IsOffloaded is_offloaded Custom

IsPacketCapture is_packet_capture Custom

IsPhishing is_phishing Custom

IsPrismaNetwork is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

IsProxy is_proxy Custom

IsReconExcluded is_recon_excluded Custom

IsSaaSApplication is_saas_app Custom

IsServertoClient is_server_to_client Custom

IsSourceXForwarded is_source_x_fwded Custom

IsSystemReturn is_sym_return Custom

IsTransaction is_transaction Custom

IsTunnelInspected is_tunnel_inspected Custom

IsURLDenied is_url_denied Custom

LinkChangeCount link_change_count Custom

LinkSwitches link_switches Custom

Location location Custom

LogSetting log_set Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

IMEI monitor_tag_imei Custom

dstPostNAT nat_dest.value Predefined

dstPostNATPort nat_dest_port Predefined

srcPostNAT nat_source.value Predefined

srcPostNATPort nat_source_port Predefined

NonStandardDestinationPort non_standard_dest_port Custom

NSSAINetworkSliceDifferentiator nssai_network_slice_differentiator.value Custom

NSSAINetworkSliceType nssai_network_slice_type.value Custom

OutboundInterface outbound_if.value Custom

OutboundInterfaceDetailsPort outbound_if_details.port Custom

OutboundInterfaceDetailsSlot outbound_if_details.slot Custom

OutboundInterfaceDetailsType outbound_if_details.type.value Custom

OutboundInterfaceDetailsUnit outbound_if_details.unit Custom

dstPackets packets_received Predefined

srcPackets packets_sent Predefined

totalPackets packets_total Predefined

PanoramaSN panorama_serial Custom

ParentSessionID parent_session_id Custom

ParentStarttime parent_start_time Custom

PlatformType platform_type Custom

ContainerName pod_name Custom

ContainerNameSpace pod_namespace Custom

SDWANPolicyName policy_id Custom

proto protocol.value Predefined

ApplicationRisk risk_of_app Custom

Rule rule_matched Custom

RuleUUID rule_matched_uuid Custom

SanctionedStateOfApp sanctioned_state_of_app Custom

SDWANFECRatio sdwan_FEC_ratio Custom

SDWANCluster sdwan_cluster Custom

SDWANClusterType sdwan_cluster_type Custom

SDWANDeviceType sdwan_device_type Custom

SDWANSite sdwan_site Custom

SequenceNo sequence_no Custom

SessionOwnerMidx sess_owner_rt_midx Custom

SessionEndReason session_end_reason.value Custom

SessionID session_id Custom

SessionStartTime session_start_time Custom

SessionTracker session_tracker Custom

SourceDeviceCategory source_device_category Custom

SourceDeviceClass source_device_class Custom

SourceDeviceHost source_device_host Custom

SourceDeviceMac source_device_mac Custom

SourceDeviceModel source_device_model Custom

SourceDeviceOS source_device_os Custom

SourceDeviceOSFamily source_device_osfamily Custom

SourceDeviceOSVersion source_device_osversion Custom

SourceDeviceProfile source_device_profile Custom

SourceDeviceVendor source_device_vendor Custom

SourceDynamicAddressGroup source_dynamic_address_group Custom

SourceEDL source_edl Custom

src source_ip.value Predefined

SourceLocation source_location Custom

srcPort source_port Predefined

usrName source_user Predefined

SourceUserDomain source_user_info.domain Custom

SourceUserName source_user_info.name Custom

SourceUserUUID source_user_info.uuid Custom

SourceUUID source_uuid Custom

SubType sub_type.value Custom

ApplicationTechnology technology_of_app Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

ToZone to_zone Custom

SessionDuration total_time_elapsed Custom

Tunnel tunnel.value Custom

TunneledApplication tunneled_app Custom

IMSI tunnelid_imsi Custom

URLCategory url_category.value Custom

Users users Custom

Vendor vendor_name Header

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom

X-Forwarded-ForIP xff_ip.value Custom
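The LEEF table above is only useful once a consumer can get from the wire format back to the query names, and the example log shows the two things that make that non-trivial: the syslog prefix and octet-count framing in front of the LEEF header, and a single-space delimiter even though some values (SourceDeviceOSVersion=Android v6) themselves contain a space. The following parser is an added example written for this page; it is not Palo Alto Networks documentation or product code. It carries a subset of the LEEF Name to Query Name table (the Predefined and Header names plus the Custom names used in the sample), treats any delimiter-separated token without an "=" as a continuation of the previous value, and then checks that the bytes, packets and chunks totals equal sent + received, which both example logs on this page satisfy, so a mismatch is a cheap signal that a line was truncated or mis-split. The sample line is constructed from the page's example with the masked addresses and serial replaced by placeholders.

```python
"""Parse a LEEF 2.0 Traffic log line from the Log Forwarding app and map its
keys onto the Cortex Data Lake query names from the table above.

Added example; not Palo Alto Networks documentation or product code. The
sample line is constructed from the page's example with placeholders.
"""
import re
from typing import Dict, List, Tuple

# LEEF 2.0 header: LEEF:2.0|Vendor|Product|Version|EventID|Delimiter|key=value...
# (LEEF 1.0 has no delimiter field and is not handled here.)
_HEADER_RE = re.compile(
    r"LEEF:(?P<leef>[^|]*)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<delim>[^|]*)\|(?P<attrs>.*)$",
    re.S,
)

# Subset of the LEEF Name -> Query Name table for the Traffic log type. The
# Predefined keys (src, dst, usrName, ...) and several Custom keys (Bytes,
# Rule, ...) differ from the query name, so a lookup is required.
LEEF_TO_QUERY = {
    "cat": "log_type.value", "devTime": "time_generated", "proto": "protocol.value",
    "src": "source_ip.value", "dst": "dest_ip.value",
    "srcPort": "source_port", "dstPort": "dest_port",
    "srcPostNAT": "nat_source.value", "dstPostNAT": "nat_dest.value",
    "srcBytes": "bytes_sent", "dstBytes": "bytes_received", "Bytes": "bytes_total",
    "srcPackets": "packets_sent", "dstPackets": "packets_received",
    "totalPackets": "packets_total", "ChunksSent": "chunks_sent",
    "ChunksReceived": "chunks_received", "ChunksTotal": "chunks_total",
    "usrName": "source_user", "Rule": "rule_matched", "Application": "app",
    "SubType": "sub_type.value", "SessionID": "session_id",
    "TimeReceived": "log_time", "DeviceSN": "log_source_id", "Tunnel": "tunnel.value",
}


def split_attributes(attrs: str, delim: str) -> Dict[str, str]:
    """Split key=value pairs on the LEEF delimiter.

    With a one-space delimiter a value can itself contain the delimiter
    (SourceDeviceOSVersion=Android v6), so a token without '=' is appended to
    the previous value. Empty values (SourceUUID=) are kept as "".
    """
    out: Dict[str, str] = {}
    last = None
    for tok in attrs.split(delim):
        if "=" in tok:
            key, _, val = tok.partition("=")
            out[key] = val
            last = key
        elif tok and last is not None:
            out[last] = out[last] + delim + tok
    return out


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, attributes); the syslog prefix before 'LEEF:' is ignored."""
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("no LEEF header in line")
    m = _HEADER_RE.match(line[idx:])
    if not m:
        raise ValueError("malformed LEEF 2.0 header")
    delim = m.group("delim")
    if len(delim) > 1 and delim[0] == "x":   # LEEF hex form, e.g. x09 for TAB
        delim = chr(int(delim[1:], 16))
    elif delim == "":
        delim = "\t"                          # LEEF default when the field is empty
    header = {k: m.group(k) for k in ("leef", "vendor", "product", "version", "event_id")}
    return header, split_attributes(m.group("attrs"), delim)


def normalize(header: Dict[str, str], attrs: Dict[str, str]) -> Dict[str, str]:
    """Rename keys to query names; the Header fields become action.value and vendor_name."""
    rec = {"action.value": header["event_id"], "vendor_name": header["vendor"]}
    for key, val in attrs.items():
        rec[LEEF_TO_QUERY.get(key, key)] = val     # unknown keys pass through unchanged
    return rec


def counter_mismatches(rec: Dict[str, str]) -> List[str]:
    """Names of *_total counters that are missing or not equal to sent + received."""
    bad = []
    for total, sent, recv in (("bytes_total", "bytes_sent", "bytes_received"),
                              ("packets_total", "packets_sent", "packets_received"),
                              ("chunks_total", "chunks_sent", "chunks_received")):
        try:
            if int(rec[total]) != int(rec[sent]) + int(rec[recv]):
                bad.append(total)
        except (KeyError, ValueError):
            bad.append(total)
    return bad


# Constructed from the page's example as one syslog line; addresses are placeholders.
SAMPLE = (
    "2557 <14>1 2021-09-21T01:47:21.059Z stream-logfwd20 logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop-reset| |"
    "TimeReceived=2021-09-21T01:47:20.000000Z DeviceSN=0000000000000 cat=traffic "
    "SubType=end devTime=2021-09-21T01:47:18.000000Z src=10.1.2.3 dst=192.168.4.5 "
    "Rule=deny-attackers usrName=paloaltonetwork\\alice Application=kik srcPort=30217 "
    "dstPort=19224 proto=tcp Bytes=1662791 srcBytes=1011460 dstBytes=651331 "
    "totalPackets=1296 srcPackets=773 dstPackets=523 ChunksTotal=2388 ChunksSent=1194 "
    "ChunksReceived=1194 SourceUUID= SourceDeviceOSVersion=Android v6 Tunnel=N/A "
    "devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)

if __name__ == "__main__":
    hdr, attrs = parse_leef(SAMPLE)
    record = normalize(hdr, attrs)
    print(record["action.value"], record["source_ip.value"], counter_mismatches(record))
```

The continuation rule is a heuristic: an empty value immediately followed by a value that contains the delimiter cannot be disambiguated by either side, so if you control the forwarding profile, prefer a tab delimiter (x09) over a space.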

Tunnel
Tunnel logs are written whenever a next-generation firewall is handling GTP traffic.
The GPRS Tunneling Protocol (GTP) is defined by the 3GPP standards to carry General Packet
Radio Service (GPRS) traffic within cellular (3G, 4G and 5G) networks. The nodes of the mobile
network (base stations and the packet-core gateways) use this protocol to set up tunnels between
themselves; the subscriber's own network traffic is then carried inside those tunnels, and the
subscriber device never speaks GTP itself. GTP tunnels can be long-lived. Next-generation
firewalls use Tunnel logs to record the start and end of GTP tunnels.
Next-generation firewalls record the network sessions inside of a GTP tunnel using ordinary
Traffic logs. The Traffic log identifies a GTP-tunneled session by its tunnel field (value, in this
case, is 1). In addition, the following Traffic log fields are also populated for traffic inside of a
GTP tunnel:
• parent_session_id (session ID of the enclosing tunnel)
• parent_start_time (start time of that tunnel session)
• tunnelid_imsi (the subscriber's IMSI)
See the following for information related to supported log formats:
• Tunnel Syslog Default Field Order
• Tunnel CEF Fields
• Tunnel EMAIL Fields
• Tunnel HTTPS Fields
• Tunnel LEEF Fields
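The practical consequence of the paragraph above is that a tunneled Traffic record can be joined back to its Tunnel record on parent_session_id, and that the IMSI is carried on the inner session rather than only on the tunnel. The following script is an added example, not part of the Palo Alto Networks documentation: it groups constructed Traffic records (dicts keyed by the query names used on this page) under their parent session, sums the inner bytes, and flags any parent session whose inner sessions report more than one IMSI, which is worth investigating because a subscriber tunnel should carry a single subscriber's traffic. The check `tunnel.value == 1` follows the page's statement for GTP-tunneled sessions and should be confirmed against the schema in use.

```python
"""Correlate GTP-tunneled Traffic records with their parent Tunnel session.

Added example, not Palo Alto Networks documentation or product code. Records
are constructed dicts keyed by Cortex Data Lake query names; the value 1 for
tunnel.value is taken from this section and should be verified against the
schema in use.
"""
from typing import Dict, Iterable, List

GTP_TUNNEL_VALUE = 1   # per this section; verify against your schema


def is_gtp_tunneled(rec: Dict) -> bool:
    """True when the Traffic record sits inside a GTP tunnel.

    tunnel may arrive nested ({"value": 1}) or flattened (1); both are accepted.
    A non-zero parent_session_id is also required, as the text says it is
    populated only for tunneled traffic.
    """
    tunnel = rec.get("tunnel")
    value = tunnel.get("value") if isinstance(tunnel, dict) else tunnel
    return value == GTP_TUNNEL_VALUE and bool(rec.get("parent_session_id"))


def group_by_tunnel(traffic: Iterable[Dict]) -> Dict[int, Dict]:
    """Summarize tunneled Traffic records per parent (Tunnel) session ID."""
    groups: Dict[int, Dict] = {}
    for rec in traffic:
        if not is_gtp_tunneled(rec):
            continue
        g = groups.setdefault(rec["parent_session_id"], {
            "parent_start_time": rec.get("parent_start_time"),
            "imsi": set(), "apps": set(), "sessions": 0, "bytes_total": 0,
        })
        g["imsi"].add(rec.get("tunnelid_imsi"))
        g["apps"].add(rec.get("app"))
        g["sessions"] += 1
        g["bytes_total"] += int(rec.get("bytes_total", 0))
    return groups


def tunnels_with_mixed_imsi(groups: Dict[int, Dict]) -> List[int]:
    """Parent sessions whose inner sessions report more than one IMSI.

    One GTP tunnel carries one subscriber, so this indicates either a
    correlation error or inner traffic that does not belong to that tunnel.
    """
    return sorted(pid for pid, g in groups.items() if len(g["imsi"]) > 1)


# Constructed sample records; IMSIs use the test MCC/MNC 001/01.
TRAFFIC = [
    {"session_id": 101, "tunnel": {"value": 1}, "parent_session_id": 9001,
     "parent_start_time": "2021-01-22T21:42:44.000000Z",
     "tunnelid_imsi": "001010000000001", "app": "web-browsing", "bytes_total": 5000},
    {"session_id": 102, "tunnel": {"value": 1}, "parent_session_id": 9001,
     "parent_start_time": "2021-01-22T21:42:44.000000Z",
     "tunnelid_imsi": "001010000000001", "app": "dns", "bytes_total": 300},
    {"session_id": 103, "tunnel": 1, "parent_session_id": 9002,
     "parent_start_time": "2021-01-22T21:50:00.000000Z",
     "tunnelid_imsi": "001010000000002", "app": "ssl", "bytes_total": 900},
    {"session_id": 104, "tunnel": 1, "parent_session_id": 9002,
     "parent_start_time": "2021-01-22T21:50:00.000000Z",
     "tunnelid_imsi": "001010000000003", "app": "ssl", "bytes_total": 100},
    # Not tunneled: Tunnel=N/A, ParentSessionID=0, IMSI=0 as in the page's examples.
    {"session_id": 105, "tunnel": {"value": 0}, "parent_session_id": 0,
     "tunnelid_imsi": 0, "app": "web-browsing", "bytes_total": 42},
]

if __name__ == "__main__":
    groups = group_by_tunnel(TRAFFIC)
    for pid, g in sorted(groups.items()):
        print(pid, g["sessions"], g["bytes_total"], sorted(g["imsi"]))
    print("mixed IMSI:", tunnels_with_mixed_imsi(groups))
```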

TUNNEL Field Description


(Display Name)

access_point_name Indicates the access point name, which is a reference to


a Packet Data Network Data Gateway (PGW)/ Gateway
(ACCESS POINT NAME)
GPRS Support Node in a mobile network.
Syslog field name: Syslog Field Order
CEF field name: PanOSAccessPointName
EMAIL field name: AccessPointName
HTTPS field name: AccessPointName
LEEF field name: AccessPointName

action.value Identifies the action that the firewall took for the
network traffic.
(ACTION)
Syslog field name: Syslog Field Order
CEF field name: act

Cortex Data Lake Schema Reference January 2024 598 ©2024 Palo Alto Networks, Inc.
Network Logs

TUNNEL Field Description


(Display Name)
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: EventID

action_source.value Specifies whether the action taken to allow or block an


application was defined in the application or in policy.
(ACTION SOURCE)
Syslog field name: Syslog Field Order
CEF field name: cat
EMAIL field name: ActionSource
HTTPS field name: ActionSource
LEEF field name: ActionSource

app Application associated with the network traffic.


(APPLICATION) Syslog field name: Syslog Field Order
CEF field name: app
EMAIL field name: Application
HTTPS field name: Application
LEEF field name: Application

app_category Identifies the high-level family of the application.


(APPLICATION CATEGORY) CEF field name: PanOSApplicationCategory
EMAIL field name: ApplicationCategory
HTTPS field name: ApplicationCategory
LEEF field name: ApplicationCategory

app_sub_category Identifies the application's subcategory. The


subcategory is related to the application's category,
(APPLICATION SUBCATEGORY)
which is identified in category_of_app.
CEF field name: PanOSApplicationSubcategory
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory

bytes_received Number of bytes in the server-to-client network traffic.


(BYTES RECEIVED) Syslog field name: Syslog Field Order

Cortex Data Lake Schema Reference January 2024 599 ©2024 Palo Alto Networks, Inc.
Network Logs

TUNNEL Field Description


(Display Name)
CEF field name: in
EMAIL field name: BytesReceived
HTTPS field name: BytesReceived
LEEF field name: dstBytes

bytes_sent Number of bytes in the client-to-server network traffic.


(BYTES SENT) Syslog field name: Syslog Field Order
CEF field name: out
EMAIL field name: BytesSent
HTTPS field name: BytesSent
LEEF field name: srcBytes

bytes_total Number of total bytes (transmit and receive).


(BYTES) Syslog field name: Syslog Field Order
CEF field name: PanOSBytes
EMAIL field name: Bytes
HTTPS field name: Bytes
LEEF field name: Bytes

config_version.value Version number of the firewall operating system that


wrote this log record.
(CONFIG VERSION)
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

container_id Unknown field. No information is available at this time.


(CONTAINER ID) Syslog field name: Syslog Field Order
CEF field name: PanOSContainerID
EMAIL field name: ContainerID
HTTPS field name: ContainerID
LEEF field name: ContainerID

Cortex Data Lake Schema Reference January 2024 600 ©2024 Palo Alto Networks, Inc.
Network Logs

TUNNEL Field Description


(Display Name)

container_of_app Identifies the managing application or parent of the


application associated with this network traffic.
(APPLICATION CONTAINER)
CEF field name: PanOSApplicationContainer
EMAIL field name: ApplicationContainer
HTTPS field name: ApplicationContainer
LEEF field name: ApplicationContainer

content_version Version of the content on the firewall.


(CONTENT VERSION) CEF field name: PanOSContentVersion
EMAIL field name: ContentVersion
HTTPS field name: ContentVersion
LEEF field name: ContentVersion

count_of_repeats Number of sessions with same Source IP, Destination


IP, Application, and Content/Threat Type seen for the
(REPEAT COUNT)
summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: RepeatCount
HTTPS field name: RepeatCount
LEEF field name: RepeatCount

customer_id The ID that uniquely identifies the Cortex Data Lake


instance which received this log record.
(LOGGING SERVICE ID)
CEF field name: PanOSLoggingServiceID
EMAIL field name: LoggingServiceID
HTTPS field name: LoggingServiceID
LEEF field name: LoggingServiceID

dest_device_class Destination device class.


(DESTINATION DEVICE CLASS) CEF field name: PanOSDestinationDeviceClass
EMAIL field name: DestinationDeviceClass
HTTPS field name: DestinationDeviceClass
LEEF field name: DestinationDeviceClass

Cortex Data Lake Schema Reference January 2024 601 ©2024 Palo Alto Networks, Inc.
Network Logs

TUNNEL Field Description


(Display Name)

dest_device_mac Destination device MAC address.


(DESTINATION DEVICE MAC) CEF field name: PanOSDestinationDeviceMac
EMAIL field name: DestinationDeviceMac
HTTPS field name: DestinationDeviceMac
LEEF field name: DestinationDeviceMac

dest_device_model Destination device model.


(DESTINATION DEVICE MODEL) CEF field name: PanOSDestinationDeviceModel
EMAIL field name: DestinationDeviceModel
HTTPS field name: DestinationDeviceModel
LEEF field name: DestinationDeviceModel

dest_device_os Destination device OS type.


(DESTINATION DEVICE OS) CEF field name: PanOSDestinationDeviceOS
EMAIL field name: DestinationDeviceOS
HTTPS field name: DestinationDeviceOS
LEEF field name: DestinationDeviceOS

dest_device_vendor Destination device vendor.


(DESTINATION DEVICE VENDOR) CEF field name: PanOSDestinationDeviceVendor
EMAIL field name: DestinationDeviceVendor
HTTPS field name: DestinationDeviceVendor
LEEF field name: DestinationDeviceVendor

dest_dynamic_address_group (DESTINATION DYNAMIC ADDRESS GROUP)
    The dynamic address group that Device-ID identifies as the destination for the traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDestinationDynamicAddressGroup
    EMAIL field name: DestinationDynamicAddressGroup
    HTTPS field name: DestinationDynamicAddressGroup
    LEEF field name: DestinationDynamicAddressGroup

dest_edl (DESTINATION EDL)
    The name of the external dynamic list that contains the destination IP address of the traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDestinationEDL
    EMAIL field name: DestinationEDL
    HTTPS field name: DestinationEDL
    LEEF field name: DestinationEDL

dest_ip.value (DESTINATION ADDRESS)
    Original destination IP address.
    Syslog field name: Syslog Field Order
    CEF fields: dst or c6a3
    EMAIL field name: DestinationAddress
    HTTPS field name: DestinationAddress
    LEEF field name: dst

dest_location (DESTINATION LOCATION)
    Destination country or internal region for private addresses.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDestinationLocation
    EMAIL field name: DestinationLocation
    HTTPS field name: DestinationLocation
    LEEF field name: DestinationLocation

dest_port (DESTINATION PORT)
    Network traffic's destination port. If this value is 0, then the app is using its standard port.
    Syslog field name: Syslog Field Order
    CEF field name: dpt
    EMAIL field name: DestinationPort
    HTTPS field name: DestinationPort
    LEEF field name: dstPort

dest_user (DESTINATION USER)
    The username to which the network traffic was destined.
    Syslog field name: Syslog Field Order
    CEF field name: duser
    EMAIL field name: DestinationUser
    HTTPS field name: DestinationUser
    LEEF field name: DestinationUser

dest_user_info.domain (DESTINATION USER DOMAIN)
    Domain to which the Destination User belongs.
    CEF field name: dntdom
    EMAIL field name: DestinationUserDomain
    HTTPS field name: DestinationUserDomain
    LEEF field name: DestinationUserDomain

dest_user_info.name (DESTINATION USER NAME)
    The Destination User. That is, the username to which the network traffic was destined.
    CEF field name: dusername, duser
    EMAIL field name: DestinationUserName
    HTTPS field name: DestinationUserName
    LEEF field name: DestinationUserName

dest_user_info.uuid (DESTINATION USER UUID)
    Unique identifier assigned to the Destination User.
    CEF field name: duid
    EMAIL field name: DestinationUserUUID
    HTTPS field name: DestinationUserUUID
    LEEF field name: DestinationUserUUID

dest_uuid (DESTINATION UUID)
    Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
    CEF field name: PanOSDestinationUUID
    EMAIL field name: DestinationUUID
    HTTPS field name: DestinationUUID
    LEEF field name: DestinationUUID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel1
    EMAIL field name: DGHierarchyLevel1
    HTTPS field name: DGHierarchyLevel1
    LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel2
    EMAIL field name: DGHierarchyLevel2
    HTTPS field name: DGHierarchyLevel2
    LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel3
    EMAIL field name: DGHierarchyLevel3
    HTTPS field name: DGHierarchyLevel3
    LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel4
    EMAIL field name: DGHierarchyLevel4
    HTTPS field name: DGHierarchyLevel4
    LEEF field name: DGHierarchyLevel4

dynusergroup_name (DYNAMIC USER GROUP NAME)
    Dynamic user group of the user who initiated the network connection.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDynamicUserGroupName
    EMAIL field name: DynamicUserGroupName
    HTTPS field name: DynamicUserGroupName
    LEEF field name: DynamicUserGroupName

from_zone (FROM ZONE)
    The networking zone from which the traffic originated.
    Syslog field name: Syslog Field Order
    CEF field name: cs4
    EMAIL field name: FromZone
    HTTPS field name: FromZone
    LEEF field name: FromZone

inbound_if.value (INBOUND INTERFACE)
    Interface from which the network traffic was sourced.
    Syslog field name: Syslog Field Order
    CEF field name: deviceInboundInterface
    EMAIL field name: InboundInterface
    HTTPS field name: InboundInterface
    LEEF field name: InboundInterface

inbound_if_details.port (INBOUND INTERFACE DETAILS PORT)
    Hardware port or socket from which the network traffic was sourced.
    CEF field name: PanOSInboundInterfaceDetailsPort
    EMAIL field name: InboundInterfaceDetailsPort
    HTTPS field name: InboundInterfaceDetailsPort
    LEEF field name: InboundInterfaceDetailsPort

inbound_if_details.slot (INBOUND INTERFACE DETAILS SLOT)
    Interface slot from which the network traffic was sourced.
    CEF field name: PanOSInboundInterfaceDetailsSlot
    EMAIL field name: InboundInterfaceDetailsSlot
    HTTPS field name: InboundInterfaceDetailsSlot
    LEEF field name: InboundInterfaceDetailsSlot

inbound_if_details.type.value (INBOUND INTERFACE DETAILS TYPE)
    The type of interface from which the network traffic was sourced.
    CEF field name: PanOSInboundInterfaceDetailsType
    EMAIL field name: InboundInterfaceDetailsType
    HTTPS field name: InboundInterfaceDetailsType
    LEEF field name: InboundInterfaceDetailsType

inbound_if_details.unit (INBOUND INTERFACE DETAILS UNIT)
    Internal use.
    CEF field name: PanOSInboundInterfaceDetailsUnit
    EMAIL field name: InboundInterfaceDetailsUnit
    HTTPS field name: InboundInterfaceDetailsUnit
    LEEF field name: InboundInterfaceDetailsUnit

is_captive_portal (CAPTIVE PORTAL)
    Indicates whether user information for the session was captured through Captive Portal.
    CEF field name: PanOSCaptivePortal
    EMAIL field name: CaptivePortal
    HTTPS field name: CaptivePortal
    LEEF field name: CaptivePortal

is_client_to_server (IS CLIENT TO SERVER)
    Indicates whether the direction of the traffic is from client to server.
    CEF field name: PanOSIsClienttoServer
    EMAIL field name: IsClienttoServer
    HTTPS field name: IsClienttoServer
    LEEF field name: IsClienttoServer

is_container (IS CONTAINER)
    Indicates whether the session is a container page access (Container Page).
    CEF field name: PanOSIsContainer
    EMAIL field name: IsContainer
    HTTPS field name: IsContainer
    LEEF field name: IsContainer

is_decrypt_mirror (IS DECRYPT MIRROR)
    Indicates whether decrypted traffic was sent out in clear text through a mirror port.
    CEF field name: PanOSIsDecryptMirror
    EMAIL field name: IsDecryptMirror
    HTTPS field name: IsDecryptMirror
    LEEF field name: IsDecryptMirror

is_decrypted_payload_fwded (IS DECRYPTED PAYLOAD FORWARD)
    Unknown field. No information is available at this time.
    CEF field name: PanOSIsDecryptedPayloadForward
    EMAIL field name: IsDecryptedPayloadForward
    HTTPS field name: IsDecryptedPayloadForward
    LEEF field name: IsDecryptedPayloadForward

is_decryption_log (IS DECRYPTED LOG)
    Unknown field. No information is available at this time.
    CEF field name: PanOSIsDecryptedLog
    EMAIL field name: IsDecryptedLog
    HTTPS field name: IsDecryptedLog
    LEEF field name: IsDecryptedLog

is_dup_log (IS DUPLICATE LOG)
    Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
    CEF field name: PanOSIsDuplicateLog
    EMAIL field name: IsDuplicateLog
    HTTPS field name: IsDuplicateLog
    LEEF field name: IsDuplicateLog

is_exported (LOG EXPORTED)
    Indicates if this log was exported from the firewall using the firewall's log export function.
    CEF field name: PanOSLogExported
    EMAIL field name: LogExported
    HTTPS field name: LogExported
    LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
    Internal-use field that indicates if the log is being forwarded.
    CEF field name: PanOSLogForwarded
    EMAIL field name: LogForwarded
    HTTPS field name: LogForwarded
    LEEF field name: LogForwarded

is_ipv6 (IS IPV6)
    Indicates whether IPV6 was used for the session.
    CEF field name: PanOSIsIPV6
    EMAIL field name: IsIPV6
    HTTPS field name: IsIPV6
    LEEF field name: IsIPV6

is_l7_inspection_b4_session (IS INSPECTION BEFORE SESSION)
    Unknown field. No information is available at this time.
    CEF field name: PanOSIsInspectionBeforeSession
    EMAIL field name: IsInspectionBeforeSession
    HTTPS field name: IsInspectionBeforeSession
    LEEF field name: IsInspectionBeforeSession

is_mptcp_on (IS MPTCP ON)
    Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
    CEF field name: PanOSIsMptcpOn
    EMAIL field name: IsMptcpOn
    HTTPS field name: IsMptcpOn
    LEEF field name: IsMptcpOn

is_nat (NAT)
    Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
    CEF field name: PanOSNAT
    EMAIL field name: NAT
    HTTPS field name: NAT
    LEEF field name: NAT

is_non_std_dest_port (IS NON STANDARD DESTINATION PORT)
    Indicates if the destination port is non-standard.
    CEF field name: PanOSIsNonStandardDestinationPort
    EMAIL field name: IsNonStandardDestinationPort
    HTTPS field name: IsNonStandardDestinationPort
    LEEF field name: IsNonStandardDestinationPort

is_packet_capture (IS PACKET CAPTURE)
    Indicates whether the session has a packet capture (PCAP).
    CEF field name: PanOSIsPacketCapture
    EMAIL field name: IsPacketCapture
    HTTPS field name: IsPacketCapture
    LEEF field name: IsPacketCapture

is_phishing (IS PHISHING)
    Indicates whether enterprise credentials were submitted by an end user.
    CEF field name: PanOSIsPhishing
    EMAIL field name: IsPhishing
    HTTPS field name: IsPhishing
    LEEF field name: IsPhishing

is_prisma_branch (IS PRISMA NETWORK)
    Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
    CEF field name: PanOSIsPrismaNetwork
    EMAIL field name: IsPrismaNetwork
    HTTPS field name: IsPrismaNetwork
    LEEF field name: IsPrismaNetwork

is_prisma_mobile (IS PRISMA USERS)
    Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
    CEF field name: PanOSIsPrismaUsers
    EMAIL field name: IsPrismaUsers
    HTTPS field name: IsPrismaUsers
    LEEF field name: IsPrismaUsers

is_proxy (IS PROXY)
    Indicates whether the SSL session is decrypted (SSL Proxy).
    CEF field name: PanOSIsProxy
    EMAIL field name: IsProxy
    HTTPS field name: IsProxy
    LEEF field name: IsProxy

is_recon_excluded (IS RECON EXCLUDED)
    Indicates whether the source of the flow is on the firewall allow list and therefore not subject to recon protection.
    CEF field name: PanOSIsReconExcluded
    EMAIL field name: IsReconExcluded
    HTTPS field name: IsReconExcluded
    LEEF field name: IsReconExcluded

is_saas_app (IS SAAS APPLICATION)
    Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application.
    CEF field name: PanOSIsSaaSApplication
    EMAIL field name: IsSaaSApplication
    HTTPS field name: IsSaaSApplication
    LEEF field name: IsSaaSApplication

is_server_to_client (IS SERVER TO CLIENT)
    Indicates whether the direction of the traffic is from server to client.
    CEF field name: PanOSIsServertoClient
    EMAIL field name: IsServertoClient
    HTTPS field name: IsServertoClient
    LEEF field name: IsServertoClient

is_source_x_fwded (IS SOURCE X FORWARDED)
    Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
    CEF field name: PanOSIsSourceXForwarded
    EMAIL field name: IsSourceXForwarded
    HTTPS field name: IsSourceXForwarded
    LEEF field name: IsSourceXForwarded

is_sym_return (IS SYSTEM RETURN)
    Indicates whether symmetric return was used to forward traffic for this session.
    CEF field name: PanOSIsSystemReturn
    EMAIL field name: IsSystemReturn
    HTTPS field name: IsSystemReturn
    LEEF field name: IsSystemReturn

is_transaction (IS TRANSACTION)
    Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
    CEF field name: PanOSIsTransaction
    EMAIL field name: IsTransaction
    HTTPS field name: IsTransaction
    LEEF field name: IsTransaction

is_tunnel_inspected (IS TUNNEL INSPECTED)
    Indicates whether the payload for the outer tunnel was inspected.
    CEF field name: PanOSIsTunnelInspected
    EMAIL field name: IsTunnelInspected
    HTTPS field name: IsTunnelInspected
    LEEF field name: IsTunnelInspected

is_url_denied (IS URL DENIED)
    Indicates whether the session was denied due to a URL filtering rule.
    CEF field name: PanOSIsURLDenied
    EMAIL field name: IsURLDenied
    HTTPS field name: IsURLDenied
    LEEF field name: IsURLDenied

log_set (LOG SETTING)
    Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
    Syslog field name: Syslog Field Order
    CEF field name: cs6
    EMAIL field name: LogSetting
    HTTPS field name: LogSetting
    LEEF field name: LogSetting

log_source (LOG SOURCE)
    Identifies the origin of the data. That is, the system that produced the data.
    CEF field name: PanOSLogSource
    EMAIL field name: LogSource
    HTTPS field name: LogSource
    LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
    ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
    CEF field name: LogSourceGroupID
    EMAIL field name: LogSourceGroupID
    HTTPS field name: LogSourceGroupID
    LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
    ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
    Syslog field name: Syslog Field Order
    CEF field name: deviceExternalId
    EMAIL field name: DeviceSN
    HTTPS field name: DeviceSN
    LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
    Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: dvchost
    EMAIL field name: DeviceName
    HTTPS field name: DeviceName
    LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
    Time zone offset from GMT of the source of the log.
    CEF field name: PanOSLogSourceTimeZoneOffset
    EMAIL field name: LogSourceTimeZoneOffset
    HTTPS field name: LogSourceTimeZoneOffset
    LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
    Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: rt
    EMAIL field name: TimeReceived
    HTTPS field name: TimeReceived
    LEEF field name: TimeReceived

log_type.value (LOG TYPE)
    Identifies the log type.
    Syslog field name: Syslog Field Order
    CEF field name: Device Event Class ID
    EMAIL field name: LogType
    HTTPS field name: LogType
    LEEF field name: cat

mobile_area_code (MOBILE AREA CODE)
    Area within a Public Land Mobile Network (PLMN).
    Syslog field name: Syslog Field Order
    CEF field name: PanOSMobileAreaCode
    EMAIL field name: MobileAreaCode
    HTTPS field name: MobileAreaCode
    LEEF field name: MobileAreaCode

mobile_base_station_code (MOBILE BASE STATION CODE)
    Base station within an area code.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSMobileBaseStationCode
    EMAIL field name: MobileBaseStationCode
    HTTPS field name: MobileBaseStationCode
    LEEF field name: MobileBaseStationCode

mobile_country_code (MOBILE COUNTRY CODE)
    Mobile country code of the serving core network operator.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSMobileCountryCode
    EMAIL field name: MobileCountryCode
    HTTPS field name: MobileCountryCode
    LEEF field name: MobileCountryCode

mobile_ip.value (MOBILE IP)
    IP address of a mobile subscriber allocated by a PGW/GGSN.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSMobileIP
    EMAIL field name: MobileIP
    HTTPS field name: MobileIP
    LEEF field name: MobileIP

mobile_network_code (MOBILE NETWORK CODE)
    Mobile network code of the serving core network operator.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSMobileNetworkCode
    EMAIL field name: MobileNetworkCode
    HTTPS field name: MobileNetworkCode
    LEEF field name: MobileNetworkCode

mobile_subscriber_isdn (MOBILE SUBSCRIBER ISDN)
    Service identity associated with the mobile subscriber.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSMobileSubscriberISDN
    EMAIL field name: MobileSubscriberISDN
    HTTPS field name: MobileSubscriberISDN
    LEEF field name: MobileSubscriberISDN

monitor_tag_imei (IMEI)
    A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSIMEI
    EMAIL field name: IMEI
    HTTPS field name: IMEI
    LEEF field name: IMEI

nat_dest.value (NAT DESTINATION)
    If destination NAT was performed, the post-NAT destination IP address.
    Syslog field name: Syslog Field Order
    CEF field name: destinationTranslatedAddress
    EMAIL field name: NATDestination
    HTTPS field name: NATDestination
    LEEF field name: dstPostNAT

nat_dest_port (NAT DESTINATION PORT)
    Post-NAT destination port.
    Syslog field name: Syslog Field Order
    CEF field name: destinationTranslatedPort
    EMAIL field name: NATDestinationPort
    HTTPS field name: NATDestinationPort
    LEEF field name: dstPostNATPort

nat_source.value (NAT SOURCE)
    If source NAT was performed, the post-NAT source IP address.
    Syslog field name: Syslog Field Order
    CEF field name: sourceTranslatedAddress
    EMAIL field name: NATSource
    HTTPS field name: NATSource
    LEEF field name: srcPostNAT

nat_source_port (NAT SOURCE PORT)
    Post-NAT source port.
    Syslog field name: Syslog Field Order
    CEF field name: sourceTranslatedPort
    EMAIL field name: NATSourcePort
    HTTPS field name: NATSourcePort
    LEEF field name: srcPostNATPort

non_standard_dest_port (NON STANDARD DESTINATION PORT)
    Identifies the non-standard or unexpected port used by the application associated with this session.
    CEF field name: PanOSNonStandardDestinationPort
    EMAIL field name: NonStandardDestinationPort
    HTTPS field name: NonStandardDestinationPort
    LEEF field name: NonStandardDestinationPort

nssai_network_slice_differentiator.value (NSSAI NETWORK SLICE DIFFERENTIATOR)
    Network Slice Differentiator (SD part of SNSSAI).
    Syslog field name: Syslog Field Order
    CEF field name: PanOSNSSAINetworkSliceDifferentiator
    EMAIL field name: NSSAINetworkSliceDifferentiator
    HTTPS field name: NSSAINetworkSliceDifferentiator
    LEEF field name: NSSAINetworkSliceDifferentiator

nssai_network_slice_type.value (NSSAI NETWORK SLICE TYPE)
    Network Slice Type (SST part of SNSSAI).
    Syslog field name: Syslog Field Order
    CEF field name: PanOSNSSAINetworkSliceType
    EMAIL field name: NSSAINetworkSliceType
    HTTPS field name: NSSAINetworkSliceType
    LEEF field name: NSSAINetworkSliceType

outbound_if.value (OUTBOUND INTERFACE)
    Interface to which the network traffic was destined.
    Syslog field name: Syslog Field Order
    CEF field name: deviceOutboundInterface
    EMAIL field name: OutboundInterface
    HTTPS field name: OutboundInterface
    LEEF field name: OutboundInterface

outbound_if_details.port (OUTBOUND INTERFACE DETAILS PORT)
    Hardware port or socket to which the network traffic was sent.
    CEF field name: PanOSOutboundInterfaceDetailsPort
    EMAIL field name: OutboundInterfaceDetailsPort
    HTTPS field name: OutboundInterfaceDetailsPort
    LEEF field name: OutboundInterfaceDetailsPort

outbound_if_details.slot (OUTBOUND INTERFACE DETAILS SLOT)
    Interface slot to which the network traffic was sent.
    CEF field name: PanOSOutboundInterfaceDetailsSlot
    EMAIL field name: OutboundInterfaceDetailsSlot
    HTTPS field name: OutboundInterfaceDetailsSlot
    LEEF field name: OutboundInterfaceDetailsSlot

outbound_if_details.type.value (OUTBOUND INTERFACE DETAILS TYPE)
    The type of interface to which the network traffic was sent.
    CEF field name: PanOSOutboundInterfaceDetailsType
    EMAIL field name: OutboundInterfaceDetailsType
    HTTPS field name: OutboundInterfaceDetailsType
    LEEF field name: OutboundInterfaceDetailsType

outbound_if_details.unit (OUTBOUND INTERFACE DETAILS UNIT)
    Internal use.
    CEF field name: PanOSOutboundInterfaceDetailsUnit
    EMAIL field name: OutboundInterfaceDetailsUnit
    HTTPS field name: OutboundInterfaceDetailsUnit
    LEEF field name: OutboundInterfaceDetailsUnit

packets_dropped_max_encap (PACKETS DROPPED MAX)
    Number of packets the firewall dropped because the packet exceeded the maximum number of encapsulation levels configured.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPacketsDroppedMax
    EMAIL field name: PacketsDroppedMax
    HTTPS field name: PacketsDroppedMax
    LEEF field name: PacketsDroppedMax

packets_dropped_strict_check (PACKETS DROPPED STRICT)
    Number of packets the firewall dropped because the tunnel protocol header in the packet failed to comply with the RFC for the tunnel protocol.
    Syslog field name: Syslog Field Order
    CEF field name: cfp2
    EMAIL field name: PacketsDroppedStrict
    HTTPS field name: PacketsDroppedStrict
    LEEF field name: PacketsDroppedStrict

packets_dropped_tunnel_frag (PACKETS DROPPED TUNNEL)
    Number of packets the firewall dropped because of fragmentation errors.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPacketsDroppedTunnel
    EMAIL field name: PacketsDroppedTunnel
    HTTPS field name: PacketsDroppedTunnel
    LEEF field name: PacketsDroppedTunnel

packets_dropped_ukn_proto (PACKETS DROPPED PROTOCOL)
    Number of packets the firewall dropped because the packet contains an unknown protocol.
    Syslog field name: Syslog Field Order
    CEF field name: cfp1
    EMAIL field name: PacketsDroppedProtocol
    HTTPS field name: PacketsDroppedProtocol
    LEEF field name: PacketsDroppedProtocol

packets_received (PACKETS RECEIVED)
    Number of server-to-client packets for the session.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPacketsReceived
    EMAIL field name: PacketsReceived
    HTTPS field name: PacketsReceived
    LEEF field name: dstPackets

packets_sent (PACKETS SENT)
    Number of client-to-server packets for the session.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPacketsSent
    EMAIL field name: PacketsSent
    HTTPS field name: PacketsSent
    LEEF field name: srcPackets

packets_total (PACKETS TOTAL)
    Number of total packets (transmit and receive) seen for the session.
    Syslog field name: Syslog Field Order
    CEF field name: cn2
    EMAIL field name: PacketsTotal
    HTTPS field name: PacketsTotal
    LEEF field name: totalPackets

panorama_serial (PANORAMA SN)
    Panorama serial number associated with CDL.
    CEF field name: PanOSPanoramaSN
    EMAIL field name: PanoramaSN
    HTTPS field name: PanoramaSN
    LEEF field name: PanoramaSN

parent_session_id (PARENT SESSION ID)
    ID of the session in which this network traffic was tunneled.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSParentSessionID
    EMAIL field name: ParentSessionID
    HTTPS field name: ParentSessionID
    LEEF field name: ParentSessionID

parent_start_time (PARENT START TIME)
    Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSParentStarttime
    EMAIL field name: ParentStarttime
    HTTPS field name: ParentStarttime
    LEEF field name: ParentStarttime

pdu_session_id (PROTOCOL DATA UNIT SESSION ID)
    Protocol Data Unit session ID.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSProtocolDataUnitsessionID
    EMAIL field name: ProtocolDataUnitsessionID
    HTTPS field name: ProtocolDataUnitsessionID
    LEEF field name: ProtocolDataUnitsessionID

platform_type (PLATFORM TYPE)
    The platform type (valid types are VM, PA, NGFW, CNGFW).
    CEF field name: PlatformType
    EMAIL field name: PlatformType
    HTTPS field name: PlatformType
    LEEF field name: PlatformType

pod_name (POD NAME)
    Container name.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSContainerName
    EMAIL field name: ContainerName
    HTTPS field name: ContainerName
    LEEF field name: ContainerName

pod_namespace (CONTAINER NAME SPACE)
    Container namespace.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSContainerNameSpace
    EMAIL field name: ContainerNameSpace
    HTTPS field name: ContainerNameSpace
    LEEF field name: ContainerNameSpace

protocol.value (PROTOCOL)
    IP protocol associated with the session.
    Syslog field name: Syslog Field Order
    CEF field name: proto
    EMAIL field name: Protocol
    HTTPS field name: Protocol
    LEEF field name: proto

radio_access_technology (RADIO ACCESS TECHNOLOGY)
    Identifies the type of technology used for radio access.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSRadioAccessTechnology
    EMAIL field name: RadioAccessTechnology
    HTTPS field name: RadioAccessTechnology
    LEEF field name: RadioAccessTechnology

risk_of_app (APPLICATION RISK)
    Indicates how risky the application is from a network security perspective.
    CEF field name: PanOSApplicationRisk
    EMAIL field name: ApplicationRisk
    HTTPS field name: ApplicationRisk
    LEEF field name: ApplicationRisk

rule_matched (RULE)
    Name of the security policy rule that the network traffic matched.
    Syslog field name: Syslog Field Order
    CEF field name: cs1
    EMAIL field name: Rule
    HTTPS field name: Rule
    LEEF field name: Rule

rule_matched_uuid (RULE UUID)
    Unique identifier for the security policy rule that the network traffic matched.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSRuleUUID
    EMAIL field name: RuleUUID
    HTTPS field name: RuleUUID
    LEEF field name: RuleUUID

sanctioned_state_of_app (SANCTIONED STATE OF APP)
    Indicates whether the application has been flagged as sanctioned by the firewall administrator.
    CEF field name: PanOSSanctionedStateofApp
    EMAIL field name: All of the following: SanctionedStateOfApp, SanctionedStateofApp
    HTTPS field name: All of the following: SanctionedStateOfApp, SanctionedStateofApp
    LEEF field name: SanctionedStateofApp

sequence_no (SEQUENCE NO)
    The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
    Syslog field name: Syslog Field Order
    CEF field name: externalId
    EMAIL field name: SequenceNo
    HTTPS field name: SequenceNo
    LEEF field name: SequenceNo

sess_owner_rt_midx (SESSION OWNER MIDX)
    Unknown field. No information is available at this time.
    CEF field name: PanOSSessionOwnerMidx
    EMAIL field name: SessionOwnerMidx
    HTTPS field name: SessionOwnerMidx
    LEEF field name: SessionOwnerMidx

session_end_reason.value (SESSION END REASON)
    The reason a session terminated.
    Syslog field name: Syslog Field Order
    CEF field name: reason
    EMAIL field name: SessionEndReason
    HTTPS field name: SessionEndReason
    LEEF field name: SessionEndReason

session_id (SESSION ID)
    Identifies the firewall's internal identifier for a specific network session.
    Syslog field name: Syslog Field Order
    CEF field name: cn1
    EMAIL field name: SessionID
    HTTPS field name: SessionID
    LEEF field name: SessionID

session_start_time (SESSION START TIME)
    Time when the session was established. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSessionStartTime
    EMAIL field name: SessionStartTime
    HTTPS field name: SessionStartTime
    LEEF field name: startTime

session_tracker (SESSION TRACKER)
    Unknown field. No information is available at this time.
    CEF field name: PanOSSessionTracker
    EMAIL field name: SessionTracker
    HTTPS field name: SessionTracker
    LEEF field name: SessionTracker

severity (SEVERITY)
    Severity as defined by the platform.
    CEF field name: PanOSSeverity
    EMAIL field name: Severity
    HTTPS field name: Severity
    LEEF field name: Severity

source_device_class (SOURCE DEVICE CLASS)
    Source device class.
    CEF field name: PanOSSourceDeviceClass
    EMAIL field name: SourceDeviceClass
    HTTPS field name: SourceDeviceClass
    LEEF field name: SourceDeviceClass

source_device_mac (SOURCE DEVICE MAC)
    Source device MAC address.
    CEF field name: PanOSSourceDeviceMac
    EMAIL field name: SourceDeviceMac
    HTTPS field name: SourceDeviceMac
    LEEF field name: SourceDeviceMac

source_device_model (SOURCE DEVICE MODEL)
    Source device model.
    CEF field name: PanOSSourceDeviceModel
    EMAIL field name: SourceDeviceModel
    HTTPS field name: SourceDeviceModel
    LEEF field name: SourceDeviceModel

source_device_os (SOURCE DEVICE OS)
    Source device OS type.
    CEF field name: PanOSSourceDeviceOS
    EMAIL field name: SourceDeviceOS
    HTTPS field name: SourceDeviceOS
    LEEF field name: SourceDeviceOS

source_device_vendor (SOURCE DEVICE VENDOR)
    Source device vendor.
    CEF field name: PanOSSourceDeviceVendor
    EMAIL field name: SourceDeviceVendor
    HTTPS field name: SourceDeviceVendor
    LEEF field name: SourceDeviceVendor

source_dynamic_address_group (SOURCE DYNAMIC ADDRESS GROUP)
    The dynamic address group that Device-ID identifies as the source of the traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceDynamicAddressGroup
    EMAIL field name: SourceDynamicAddressGroup
    HTTPS field name: SourceDynamicAddressGroup
    LEEF field name: SourceDynamicAddressGroup

source_edl (SOURCE EDL)
    The name of the external dynamic list that contains the source IP address of the traffic.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceEDL
    EMAIL field name: SourceEDL
    HTTPS field name: SourceEDL
    LEEF field name: SourceEDL

source_ip.value Original source IP address.


(SOURCE ADDRESS) Syslog field name: Syslog Field Order
CEF fields: src or c6a2
EMAIL field name: SourceAddress
HTTPS field name: SourceAddress
LEEF field name: src

source_location Source country or internal region for private addresses.


(SOURCE LOCATION) Syslog field name: Syslog Field Order
CEF field name: PanOSSourceLocation
EMAIL field name: SourceLocation
HTTPS field name: SourceLocation
LEEF field name: SourceLocation

source_port Source port utilized by the session.


(SOURCE PORT) Syslog field name: Syslog Field Order
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort

source_user The username that initiated the network traffic.


(SOURCE USER) Syslog field name: Syslog Field Order
CEF field name: suser
EMAIL field name: SourceUser
HTTPS field name: SourceUser

LEEF field name: usrName

source_user_info.domain Domain to which the Source User belongs.


(SOURCE USER DOMAIN) CEF field name: sntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain

source_user_info.name The Source User. That is, the username that initiated
the network traffic.
(SOURCE USER NAME)
CEF field name: All of the following: susername, suser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName

source_user_info.uuid Unique identifier assigned to the Source User.


(SOURCE USER UUID) CEF field name: suid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID

source_uuid Identifies the source universal unique identifier for a
guest virtual machine in the VMware NSX environment.
(SOURCE UUID)
CEF field name: PanOSSourceUUID
EMAIL field name: SourceUUID
HTTPS field name: SourceUUID
LEEF field name: SourceUUID

standard_ports_of_app Standard Ports of App.


(STANDARD PORTS OF APP) CEF field name: PanOSStandardPortsOfApp
EMAIL field name: StandardPortsOfApp
HTTPS field name: StandardPortsOfApp
LEEF field name: StandardPortsOfApp

sub_type.value Identifies the log subtype.
(SUBTYPE)
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType

technology_of_app The networking technology used by the identified
application.
(APPLICATION TECHNOLOGY)
CEF field name: PanOSApplicationTechnology
EMAIL field name: ApplicationTechnology
HTTPS field name: ApplicationTechnology
LEEF field name: ApplicationTechnology

time_generated Time when the log was generated on the firewall's data
plane. This string contains a timestamp value that is the
number of microseconds since the Unix epoch.
(TIME GENERATED)
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res Time the log was generated on the data plane,
with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
(TIME GENERATED HIGH RESOLUTION)
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

to_zone Networking zone to which the traffic was sent.


(TO ZONE) Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone

LEEF field name: ToZone

total_time_elapsed Total time taken for the network session to complete.


(SESSION DURATION) Syslog field name: Syslog Field Order
CEF field name: cn3
EMAIL field name: SessionDuration
HTTPS field name: SessionDuration
LEEF field name: SessionDuration

tunnel.value Type of tunnel.


(TUNNEL) Syslog field name: Syslog Field Order
CEF field name: cs2
EMAIL field name: Tunnel
HTTPS field name: Tunnel
LEEF field name: Tunnel

tunnel_cause_code GTP cause value in log responses.


(TUNNEL CAUSE CODE) Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelCauseCode
EMAIL field name: TunnelCauseCode
HTTPS field name: TunnelCauseCode
LEEF field name: TunnelCauseCode

tunnel_endpoint_id_1 Identifies the GTP tunnel in the network node. TEID1 is
the first TEID in the GTP messages.
(TUNNEL ENDPOINT ID 1)
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelEndpointID1
EMAIL field name: TunnelEndpointID1
HTTPS field name: TunnelEndpointID1
LEEF field name: TunnelEndpointID1

tunnel_endpoint_id_2 Identifies the GTP tunnel in the network node. TEID2 is
the second TEID in the GTP messages.
(TUNNEL ENDPOINT ID 2)
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelEndpointID2
EMAIL field name: TunnelEndpointID2
HTTPS field name: TunnelEndpointID2
LEEF field name: TunnelEndpointID2

tunnel_event_code Event code describing the GTP event.


(TUNNEL EVENT CODE) Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelEventCode
EMAIL field name: TunnelEventCode
HTTPS field name: TunnelEventCode
LEEF field name: TunnelEventCode

tunnel_event_type Identifies the GTP event type for the traffic.


(TUNNEL EVENT TYPE) Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelEventType
EMAIL field name: TunnelEventType
HTTPS field name: TunnelEventType
LEEF field name: TunnelEventType

tunnel_inspection_rule Name of the security policy rule in effect for the
session.
(TUNNEL INSPECTION RULE)
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelInspectionRule
EMAIL field name: TunnelInspectionRule
HTTPS field name: TunnelInspectionRule
LEEF field name: TunnelInspectionRule

tunnel_interface 3GPP interface from which a GTP message is received.


(TUNNEL INTERFACE) Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelInterface
EMAIL field name: TunnelInterface
HTTPS field name: TunnelInterface
LEEF field name: TunnelInterface

tunnel_message_type Identifies the GTP message type.
(TUNNEL MESSAGE TYPE)
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelMessageType
EMAIL field name: TunnelMessageType
HTTPS field name: TunnelMessageType
LEEF field name: TunnelMessageType

tunnel_remote_imsi_id International Mobile Subscriber Identity (IMSI) of a
remote user at the end of an S11-U tunnel.
(TUNNEL REMOTE IMSI ID)
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelRemoteIMSIID
EMAIL field name: TunnelRemoteIMSIID
HTTPS field name: TunnelRemoteIMSIID
LEEF field name: TunnelRemoteIMSIID

tunnel_remote_user_ip.value IP address of a remote user at the end of an S11-U
tunnel.
(TUNNEL REMOTE USER IP)
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelRemoteUserIP
EMAIL field name: TunnelRemoteUserIP
HTTPS field name: TunnelRemoteUserIP
LEEF field name: TunnelRemoteUserIP

tunnel_sessions_closed Number of completed/closed sessions created.


(TUNNEL SESSIONS CLOSED) Syslog field name: Syslog Field Order
CEF field name: cfp4
EMAIL field name: TunnelSessionsClosed
HTTPS field name: TunnelSessionsClosed
LEEF field name: TunnelSessionsClosed

tunnel_sessions_created Number of inner sessions created.


(TUNNEL SESSIONS CREATED) Syslog field name: Syslog Field Order
CEF field name: cfp3
EMAIL field name: TunnelSessionsCreated
HTTPS field name: TunnelSessionsCreated
LEEF field name: TunnelSessionsCreated


tunneled_app For internal use only.


(TUNNELED APPLICATION) CEF field name: PanOSTunneledApplication
EMAIL field name: TunneledApplication
HTTPS field name: TunneledApplication
LEEF field name: TunneledApplication

tunnelid_imsi ID of the tunnel being inspected or the International
Mobile Subscriber Identity (IMSI) ID of the mobile user.
(IMSI)
Syslog field name: Syslog Field Order
CEF field name: PanOSIMSI
EMAIL field name: IMSI
HTTPS field name: IMSI
LEEF field name: IMSI

url_category.value URL category associated with the session.


(URL CATEGORY) CEF field name: PanOSURLCategory
EMAIL field name: URLCategory
HTTPS field name: URLCategory
LEEF field name: URLCategory

users Source/Destination user. If neither is available,
source_ip is used.
(USERS)
CEF field name: PanOSUsers
EMAIL field name: Users
HTTPS field name: Users
LEEF field name: Users

vendor_name Identifies the vendor that produced the data.


(VENDOR NAME) CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

vendor_severity.value Severity associated with the event.
(VENDOR SEVERITY)
Syslog field name: Syslog Field Order
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity

vsys String representation of the unique identifier for a
virtual system on a Palo Alto Networks firewall.
(VIRTUAL LOCATION)
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

vsys_id A unique identifier for a virtual system on a Palo Alto
Networks firewall.
(VIRTUAL SYSTEM ID)
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name The name of the virtual system associated with the
network traffic.
(VIRTUAL SYSTEM NAME)
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

Tunnel Syslog Default Field Order


The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value, rule_matched,
source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value, outbound_if.value,
log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port, nat_source_port,
nat_dest_port, flags, protocol.value, action.value, tunnel_event_type, mobile_subscriber_isdn,
access_point_name, radio_access_technology, tunnel_message_type, mobile_ip.value,
tunnel_endpoint_id_1, tunnel_endpoint_id_2, tunnel_interface, tunnel_cause_code,
vendor_severity.value, mobile_country_code, mobile_network_code, mobile_area_code,
mobile_base_station_code, tunnel_event_code, sequence_no, action_flags, source_location,
dest_location, EMPTY, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4,
vsys_name, log_source_name, tunnelid_imsi, monitor_tag_imei, parent_session_id,
parent_start_time, tunnel.value, bytes_total, bytes_sent, bytes_received, packets_total,
packets_sent, packets_received, packets_dropped_max_encap, packets_dropped_ukn_proto,
packets_dropped_strict_check, packets_dropped_tunnel_frag, tunnel_sessions_created,
tunnel_sessions_closed, session_end_reason.value, action_source.value, session_start_time,
total_time_elapsed, tunnel_inspection_rule, tunnel_remote_user_ip.value, tunnel_remote_imsi_id,
rule_matched_uuid, EMPTY, dynusergroup_name, container_id, pod_namespace, pod_name,
source_edl, dest_edl, source_dynamic_address_group, dest_dynamic_address_group,
time_generated_high_res, nssai_network_slice_differentiator.value, nssai_network_slice_type.value,
pdu_session_id
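
The following parser maps a line in this default order back onto the query names. It is an added example for this reference, not code from Palo Alto Networks or the Log Forwarding app. It assumes each log arrives as one CSV record whose columns follow the order above exactly, with the syslog HEADER in the first column, and it rejects a line whose column count does not match rather than mis-aligning fields. The record it serialises and then parses (SAMPLE_RECORD) is constructed for illustration.

```python
"""Parse Tunnel log lines forwarded in the default Syslog field order above.

Added example, not code from the Cortex Data Lake documentation or from Palo
Alto Networks. Assumptions: the Log Forwarding app emits each Tunnel log as one
CSV record whose columns follow the default order exactly, and the syslog
HEADER occupies the first column. SAMPLE_RECORD is constructed, not captured.
"""
import csv
import io
from typing import Dict

# 96 columns in the documented default order; EMPTY marks a reserved column.
TUNNEL_SYSLOG_FIELD_ORDER = (
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "time_generated", "source_ip.value", "dest_ip.value",
    "nat_source.value", "nat_dest.value", "rule_matched", "source_user", "dest_user",
    "app", "vsys", "from_zone", "to_zone", "inbound_if.value", "outbound_if.value",
    "log_set", "EMPTY", "session_id", "count_of_repeats", "source_port", "dest_port",
    "nat_source_port", "nat_dest_port", "flags", "protocol.value", "action.value",
    "tunnel_event_type", "mobile_subscriber_isdn", "access_point_name",
    "radio_access_technology", "tunnel_message_type", "mobile_ip.value",
    "tunnel_endpoint_id_1", "tunnel_endpoint_id_2", "tunnel_interface",
    "tunnel_cause_code", "vendor_severity.value", "mobile_country_code",
    "mobile_network_code", "mobile_area_code", "mobile_base_station_code",
    "tunnel_event_code", "sequence_no", "action_flags", "source_location",
    "dest_location", "EMPTY", "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3",
    "dg_hier_level_4", "vsys_name", "log_source_name", "tunnelid_imsi",
    "monitor_tag_imei", "parent_session_id", "parent_start_time", "tunnel.value",
    "bytes_total", "bytes_sent", "bytes_received", "packets_total", "packets_sent",
    "packets_received", "packets_dropped_max_encap", "packets_dropped_ukn_proto",
    "packets_dropped_strict_check", "packets_dropped_tunnel_frag",
    "tunnel_sessions_created", "tunnel_sessions_closed", "session_end_reason.value",
    "action_source.value", "session_start_time", "total_time_elapsed",
    "tunnel_inspection_rule", "tunnel_remote_user_ip.value", "tunnel_remote_imsi_id",
    "rule_matched_uuid", "EMPTY", "dynusergroup_name", "container_id", "pod_namespace",
    "pod_name", "source_edl", "dest_edl", "source_dynamic_address_group",
    "dest_dynamic_address_group", "time_generated_high_res",
    "nssai_network_slice_differentiator.value", "nssai_network_slice_type.value",
    "pdu_session_id",
)
DROP_COUNTERS = ("packets_dropped_max_encap", "packets_dropped_ukn_proto",
                 "packets_dropped_strict_check", "packets_dropped_tunnel_frag")


def render_tunnel_syslog(record: Dict[str, str]) -> str:
    """Serialise a record as one CSV line in the default order. EMPTY columns and
    fields the record omits are written blank, so the column count is always 96;
    csv quotes any value that contains a comma or a quote."""
    row = ["" if n == "EMPTY" else record.get(n, "") for n in TUNNEL_SYSLOG_FIELD_ORDER]
    buf = io.StringIO()
    csv.writer(buf).writerow(row)
    return buf.getvalue().rstrip("\r\n")


def parse_tunnel_syslog(line: str) -> Dict[str, str]:
    """Map one CSV line onto query names. A line with the wrong column count is
    rejected rather than zipped mis-aligned: a shifted column silently attributes
    one field's value to another (a TEID landing in tunnel_interface, say)."""
    columns = next(csv.reader(io.StringIO(line)))
    if len(columns) != len(TUNNEL_SYSLOG_FIELD_ORDER):
        raise ValueError(f"expected {len(TUNNEL_SYSLOG_FIELD_ORDER)} columns, got {len(columns)}")
    return {n: v for n, v in zip(TUNNEL_SYSLOG_FIELD_ORDER, columns) if n != "EMPTY"}


def gtp_tunnel_summary(fields: Dict[str, str]) -> Dict[str, object]:
    """Pick out the GTP fields an analyst checks first, as ints (CSV gives strings),
    and flag any non-zero packet-drop counter."""
    ints = ("tunnel_event_type", "tunnel_message_type", "tunnel_endpoint_id_1",
            "tunnel_endpoint_id_2", "tunnel_cause_code", "tunnel_sessions_created",
            "tunnel_sessions_closed") + DROP_COUNTERS
    summary: Dict[str, object] = {k: int(fields[k]) for k in ints if fields.get(k)}
    summary["tunnel"] = fields["tunnel.value"]
    summary["imsi"] = fields["tunnelid_imsi"]
    summary["dropped_any"] = any(summary.get(k, 0) for k in DROP_COUNTERS)
    return summary


# Constructed sample (not a capture); unlisted fields are left blank on purpose.
SAMPLE_RECORD = {
    "HEADER": "<14>1 2021-02-23T01:55:36Z fw-edge-01 - - - -",
    "log_time": "2021-02-23T01:55:36.000000Z", "log_source_id": "0123456789",
    "log_type.value": "GTP", "sub_type.value": "end",
    "source_ip.value": "10.20.30.40", "dest_ip.value": "10.50.60.70",
    "rule_matched": "allow-gtp, s5-s8",  # the comma forces CSV quoting
    "source_user": "paloaltonetwork\\jdoe", "vsys": "vsys1",
    "from_zone": "ran", "to_zone": "core", "session_id": "44264",
    "source_port": "2123", "dest_port": "2123", "protocol.value": "udp",
    "action.value": "allow", "tunnel_event_type": "40", "tunnel_message_type": "0",
    "tunnel_endpoint_id_1": "305419896", "tunnel_endpoint_id_2": "0",
    "tunnel_cause_code": "0", "tunnelid_imsi": "0", "tunnel.value": "GTP-U",
    "packets_dropped_ukn_proto": "3", "tunnel_sessions_created": "5",
    "tunnel_sessions_closed": "3",
}
SAMPLE_LINE = render_tunnel_syslog(SAMPLE_RECORD)
```

The column-count check is the part worth keeping: the three EMPTY placeholders and the trailing 5G columns (NSSAI slice differentiator and type, PDU session ID) mean that a line produced by a filter with a different column set would otherwise zip silently against the wrong names, and the first symptom would be a TEID or IMSI showing up under a port or zone field.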

Tunnel CEF Fields


The following table identifies the Tunnel field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name Field Details

PanOSAccessPointName Query Name: access_point_name


Header Type: Custom

act Query Name: action.value


Header Type: Predefined
Max Length: 63

cat Query Name: action_source.value


Header Type: Predefined
Max Length: 1023

app Query Name: app


Header Type: Predefined
Max Length: 31

PanOSApplicationCategory Query Name: app_category


Header Type: Custom


PanOSApplicationSubcategory Query Name: app_sub_category


Header Type: Custom

in Query Name: bytes_received


Header Type: Predefined

out Query Name: bytes_sent


Header Type: Predefined

PanOSBytes Query Name: bytes_total


Header Type: Custom

PanOSConfigVersion Query Name: config_version.value


Header Type: Custom

PanOSContainerID Query Name: container_id


Header Type: Custom

PanOSApplicationContainer Query Name: container_of_app


Header Type: Custom

PanOSContentVersion Query Name: content_version


Header Type: Custom

cnt Query Name: count_of_repeats


Header Type: Predefined

PanOSLoggingServiceID Query Name: customer_id


Header Type: Custom

PanOSDestinationDeviceClass Query Name: dest_device_class


Header Type: Custom

PanOSDestinationDeviceMac Query Name: dest_device_mac


Header Type: Custom

PanOSDestinationDeviceModel Query Name: dest_device_model


Header Type: Custom

PanOSDestinationDeviceOS Query Name: dest_device_os



Header Type: Custom

PanOSDestinationDeviceVendor Query Name: dest_device_vendor


Header Type: Custom

PanOSDestinationDynamicAddressGroup Query Name: dest_dynamic_address_group


Header Type: Custom

PanOSDestinationEDL Query Name: dest_edl


Header Type: Custom

dst or c6a3 Query Name: dest_ip.value
Header Type: Predefined
Label: c6a3Label (c6a3 only; dst carries no label)
Label Text: Destination IPv6 Address (c6a3 only)

PanOSDestinationLocation Query Name: dest_location


Header Type: Custom

dpt Query Name: dest_port


Header Type: Predefined

duser Query Name: dest_user


Header Type: Predefined
Max Length: 1023

dntdom Query Name: dest_user_info.domain


Header Type: Predefined
Max Length: 255

dusername, duser Query Name: dest_user_info.name


Header Type: Predefined
Max Length: 255

duid Query Name: dest_user_info.uuid


Header Type: Predefined
Max Length: 255

PanOSDestinationUUID Query Name: dest_uuid



Header Type: Custom

PanOSDGHierarchyLevel1 Query Name: dg_hier_level_1


Header Type: Custom

PanOSDGHierarchyLevel2 Query Name: dg_hier_level_2


Header Type: Custom

PanOSDGHierarchyLevel3 Query Name: dg_hier_level_3


Header Type: Custom

PanOSDGHierarchyLevel4 Query Name: dg_hier_level_4


Header Type: Custom

PanOSDynamicUserGroupName Query Name: dynusergroup_name


Header Type: Custom

cs4 Query Name: from_zone


Header Type: Predefined
Label: cs4Label
Label Text: FromZone
Max Length: 4000

deviceInboundInterface Query Name: inbound_if.value


Header Type: Predefined
Max Length: 128

PanOSInboundInterfaceDetailsPort Query Name: inbound_if_details.port


Header Type: Custom

PanOSInboundInterfaceDetailsSlot Query Name: inbound_if_details.slot


Header Type: Custom

PanOSInboundInterfaceDetailsType Query Name: inbound_if_details.type.value


Header Type: Custom

PanOSInboundInterfaceDetailsUnit Query Name: inbound_if_details.unit


Header Type: Custom


PanOSCaptivePortal Query Name: is_captive_portal


Header Type: Custom

PanOSIsClienttoServer Query Name: is_client_to_server


Header Type: Custom

PanOSIsContainer Query Name: is_container


Header Type: Custom

PanOSIsDecryptMirror Query Name: is_decrypt_mirror


Header Type: Custom

PanOSIsDecryptedPayloadForward Query Name: is_decrypted_payload_fwded


Header Type: Custom

PanOSIsDecryptedLog Query Name: is_decryption_log


Header Type: Custom

PanOSIsDuplicateLog Query Name: is_dup_log


Header Type: Custom

PanOSLogExported Query Name: is_exported


Header Type: Custom

PanOSLogForwarded Query Name: is_forwarded


Header Type: Custom

PanOSIsIPV6 Query Name: is_ipv6


Header Type: Custom

PanOSIsInspectionBeforeSession Query Name: is_l7_inspection_b4_session


Header Type: Custom

PanOSIsMptcpOn Query Name: is_mptcp_on


Header Type: Custom

PanOSNAT Query Name: is_nat


Header Type: Custom

PanOSIsNonStandardDestinationPort Query Name: is_non_std_dest_port



Header Type: Custom

PanOSIsPacketCapture Query Name: is_packet_capture


Header Type: Custom

PanOSIsPhishing Query Name: is_phishing


Header Type: Custom

PanOSIsPrismaNetwork Query Name: is_prisma_branch


Header Type: Custom

PanOSIsPrismaUsers Query Name: is_prisma_mobile


Header Type: Custom

PanOSIsProxy Query Name: is_proxy


Header Type: Custom

PanOSIsReconExcluded Query Name: is_recon_excluded


Header Type: Custom

PanOSIsSaaSApplication Query Name: is_saas_app


Header Type: Custom

PanOSIsServertoClient Query Name: is_server_to_client


Header Type: Custom

PanOSIsSourceXForwarded Query Name: is_source_x_fwded


Header Type: Custom

PanOSIsSystemReturn Query Name: is_sym_return


Header Type: Custom

PanOSIsTransaction Query Name: is_transaction


Header Type: Custom

PanOSIsTunnelInspected Query Name: is_tunnel_inspected


Header Type: Custom

PanOSIsURLDenied Query Name: is_url_denied


Header Type: Custom


cs6 Query Name: log_set


Header Type: Predefined
Label: cs6Label
Label Text: LogSetting
Max Length: 4000

PanOSLogSource Query Name: log_source


Header Type: Custom

LogSourceGroupID Query Name: log_source_group_id


Header Type: Custom
Max Length: 255

deviceExternalId Query Name: log_source_id


Header Type: Predefined
Max Length: 255

dvchost Query Name: log_source_name


Header Type: Predefined
Max Length: 100

PanOSLogSourceTimeZoneOffset Query Name: log_source_tz_offset


Header Type: Custom

rt Query Name: log_time


Header Type: Predefined

Device Event Class ID Query Name: log_type.value


Header Type: Custom

PanOSMobileAreaCode Query Name: mobile_area_code


Header Type: Custom

PanOSMobileBaseStationCode Query Name: mobile_base_station_code


Header Type: Custom

PanOSMobileCountryCode Query Name: mobile_country_code


Header Type: Custom


PanOSMobileIP Query Name: mobile_ip.value


Header Type: Custom

PanOSMobileNetworkCode Query Name: mobile_network_code


Header Type: Custom

PanOSMobileSubscriberISDN Query Name: mobile_subscriber_isdn


Header Type: Custom

PanOSIMEI Query Name: monitor_tag_imei


Header Type: Custom

destinationTranslatedAddress Query Name: nat_dest.value


Header Type: Predefined

destinationTranslatedPort Query Name: nat_dest_port


Header Type: Predefined

sourceTranslatedAddress Query Name: nat_source.value


Header Type: Predefined

sourceTranslatedPort Query Name: nat_source_port


Header Type: Predefined

PanOSNonStandardDestinationPort Query Name: non_standard_dest_port


Header Type: Custom

PanOSNSSAINetworkSliceDifferentiator Query Name: nssai_network_slice_differentiator.value
Header Type: Custom

PanOSNSSAINetworkSliceType Query Name: nssai_network_slice_type.value


Header Type: Custom

deviceOutboundInterface Query Name: outbound_if.value


Header Type: Predefined
Max Length: 128

PanOSOutboundInterfaceDetailsPort Query Name: outbound_if_details.port



Header Type: Custom

PanOSOutboundInterfaceDetailsSlot Query Name: outbound_if_details.slot


Header Type: Custom

PanOSOutboundInterfaceDetailsType Query Name: outbound_if_details.type.value


Header Type: Custom

PanOSOutboundInterfaceDetailsUnit Query Name: outbound_if_details.unit


Header Type: Custom

PanOSPacketsDroppedMax Query Name: packets_dropped_max_encap


Header Type: Custom

cfp2 Query Name: packets_dropped_strict_check


Header Type: Predefined
Label: cfp2Label
Label Text: PacketsDroppedStrict

PanOSPacketsDroppedTunnel Query Name: packets_dropped_tunnel_frag


Header Type: Custom

cfp1 Query Name: packets_dropped_ukn_proto


Header Type: Predefined
Label: cfp1Label
Label Text: PacketsDroppedProtocol

PanOSPacketsReceived Query Name: packets_received


Header Type: Custom

PanOSPacketsSent Query Name: packets_sent


Header Type: Custom

cn2 Query Name: packets_total


Header Type: Predefined
Label: cn2Label
Label Text: PacketsTotal

PanOSPanoramaSN Query Name: panorama_serial



Header Type: Custom

PanOSParentSessionID Query Name: parent_session_id


Header Type: Custom

PanOSParentStarttime Query Name: parent_start_time


Header Type: Custom

PanOSProtocolDataUnitsessionID Query Name: pdu_session_id


Header Type: Custom

PlatformType Query Name: platform_type


Header Type: Custom

PanOSContainerName Query Name: pod_name


Header Type: Custom

PanOSContainerNameSpace Query Name: pod_namespace


Header Type: Custom

proto Query Name: protocol.value


Header Type: Predefined
Max Length: 31

PanOSRadioAccessTechnology Query Name: radio_access_technology


Header Type: Custom

PanOSApplicationRisk Query Name: risk_of_app


Header Type: Custom

cs1 Query Name: rule_matched


Header Type: Predefined
Label: cs1Label
Label Text: Rule
Max Length: 4000

PanOSRuleUUID Query Name: rule_matched_uuid


Header Type: Custom


PanOSSanctionedStateofApp Query Name: sanctioned_state_of_app


Header Type: Custom

externalId Query Name: sequence_no


Header Type: Predefined
Max Length: 40

PanOSSessionOwnerMidx Query Name: sess_owner_rt_midx


Header Type: Custom

reason Query Name: session_end_reason.value


Header Type: Predefined
Max Length: 1023

cn1 Query Name: session_id


Header Type: Predefined
Label: cn1Label
Label Text: SessionID

PanOSSessionStartTime Query Name: session_start_time


Header Type: Custom

PanOSSessionTracker Query Name: session_tracker


Header Type: Custom

PanOSSeverity Query Name: severity


Header Type: Custom

PanOSSourceDeviceClass Query Name: source_device_class


Header Type: Custom

PanOSSourceDeviceMac Query Name: source_device_mac


Header Type: Custom

PanOSSourceDeviceModel Query Name: source_device_model


Header Type: Custom

PanOSSourceDeviceOS Query Name: source_device_os



Header Type: Custom

PanOSSourceDeviceVendor Query Name: source_device_vendor


Header Type: Custom

PanOSSourceDynamicAddressGroup Query Name: source_dynamic_address_group


Header Type: Custom

PanOSSourceEDL Query Name: source_edl


Header Type: Custom

src or c6a2 Query Name: source_ip.value
Header Type: Predefined
Label: c6a2Label (c6a2 only; src carries no label)
Label Text: Source IPv6 Address (c6a2 only)

PanOSSourceLocation Query Name: source_location


Header Type: Custom

spt Query Name: source_port


Header Type: Predefined

suser Query Name: source_user


Header Type: Predefined
Max Length: 1023

sntdom Query Name: source_user_info.domain


Header Type: Predefined
Max Length: 1023

susername, suser Query Name: source_user_info.name


Header Type: Predefined
Max Length: 1023

suid Query Name: source_user_info.uuid


Header Type: Predefined
Max Length: 1023

PanOSSourceUUID Query Name: source_uuid



Header Type: Custom

PanOSStandardPortsOfApp Query Name: standard_ports_of_app


Header Type: Custom

Name Query Name: sub_type.value


Header Type: Custom

PanOSApplicationTechnology Query Name: technology_of_app


Header Type: Custom

start Query Name: time_generated


Header Type: Predefined

PanOSTimeGeneratedHighResolution Query Name: time_generated_high_res


Header Type: Custom

cs5 Query Name: to_zone


Header Type: Predefined
Label: cs5Label
Label Text: ToZone
Max Length: 4000

cn3 Query Name: total_time_elapsed


Header Type: Predefined
Label: cn3Label
Label Text: SessionDuration

cs2 Query Name: tunnel.value


Header Type: Predefined
Label: cs2Label
Label Text: Tunnel
Max Length: 4000

PanOSTunnelCauseCode Query Name: tunnel_cause_code


Header Type: Custom

PanOSTunnelEndpointID1 Query Name: tunnel_endpoint_id_1



Header Type: Custom

PanOSTunnelEndpointID2 Query Name: tunnel_endpoint_id_2


Header Type: Custom

PanOSTunnelEventCode Query Name: tunnel_event_code


Header Type: Custom

PanOSTunnelEventType Query Name: tunnel_event_type


Header Type: Custom

PanOSTunnelInspectionRule Query Name: tunnel_inspection_rule


Header Type: Custom

PanOSTunnelInterface Query Name: tunnel_interface


Header Type: Custom

PanOSTunnelMessageType Query Name: tunnel_message_type


Header Type: Custom

PanOSTunnelRemoteIMSIID Query Name: tunnel_remote_imsi_id


Header Type: Custom

PanOSTunnelRemoteUserIP Query Name: tunnel_remote_user_ip.value


Header Type: Custom

cfp4 Query Name: tunnel_sessions_closed


Header Type: Predefined
Label: cfp4Label
Label Text: TunnelSessionsClosed

cfp3 Query Name: tunnel_sessions_created


Header Type: Predefined
Label: cfp3Label
Label Text: TunnelSessionsCreated

PanOSTunneledApplication Query Name: tunneled_app


Header Type: Custom


PanOSIMSI Query Name: tunnelid_imsi


Header Type: Custom

PanOSURLCategory Query Name: url_category.value


Header Type: Custom

PanOSUsers Query Name: users


Header Type: Custom

Device Vendor Query Name: vendor_name


Header Type: Custom

PanOSVendorSeverity Query Name: vendor_severity.value


Header Type: Custom

cs3 Query Name: vsys


Header Type: Predefined
Label: cs3Label
Label Text: VirtualLocation
Max Length: 4000

PanOSVirtualSystemID Query Name: vsys_id


Header Type: Custom

PanOSVirtualSystemName Query Name: vsys_name


Header Type: Custom
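
Reading that table back from a forwarded message: predefined keys (src, dpt, suser, act, and so on) carry their CEF names, the labelled custom fields (cs1 to cs6, cn1 to cn3, cfp1 to cfp4, c6a2 and c6a3) travel with a companion key such as cs1Label=Rule holding the Label Text, and IPv6 addresses move from src/dst to c6a2/c6a3. The parser below undoes that. It is an added example, not code from Palo Alto Networks or the Log Forwarding app: it splits the header on unescaped pipes, splits the extension on unescaped whitespace that precedes a key=, resolves each *Label companion, and maps the result to the query names in the table. Both messages are constructed; the device product, version and header severity in them are placeholders the page does not specify.

```python
"""Parse a Tunnel log forwarded in CEF and map it back to the query names above.

Added example, not code from the Cortex Data Lake documentation or from Palo
Alto Networks. Assumptions: the Log Forwarding app emits a standard CEF message
(seven pipe-delimited header fields, then space-separated key=value extension
pairs) and the labelled custom fields arrive with their csNLabel/cnNLabel/
cfpNLabel/c6aNLabel companions exactly as the table above lists them. Both
sample messages are constructed; the product, version and severity in their
headers are placeholders the page does not specify.
"""
import re
from typing import Dict, Tuple

_ESCAPE = re.compile(r"\\(.)")
_PAIR_BOUNDARY = re.compile(r"(?<!\\)\s+(?=[A-Za-z0-9_]+=)")  # unescaped space before key=
HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "device_event_class_id", "name", "severity")


def _unescape(value: str) -> str:
    # CEF escapes \| in the header, \= in extension values and \\ in both;
    # \n and \r stand for line breaks.
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(message: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF message into its header dict and its raw extension dict."""
    parts = re.split(r"(?<!\\)\|", message, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message with seven header fields")
    header = {n: _unescape(p) for n, p in zip(HEADER_NAMES, parts[:7])}
    extension: Dict[str, str] = {}
    for pair in _PAIR_BOUNDARY.split(parts[7].strip()):
        key, sep, value = pair.partition("=")  # values may contain spaces
        if sep:
            extension[key] = _unescape(value)
    return header, extension


# Predefined CEF keys and the Label Text of the labelled custom fields, from the
# table above, mapped to query names. Only some PanOS* custom keys are listed;
# the rest pass through under their CEF name.
CEF_TO_QUERY = {
    "rt": "log_time", "start": "time_generated", "deviceExternalId": "log_source_id",
    "dvchost": "log_source_name", "externalId": "sequence_no", "cnt": "count_of_repeats",
    "src": "source_ip.value", "Source IPv6 Address": "source_ip.value",
    "dst": "dest_ip.value", "Destination IPv6 Address": "dest_ip.value",
    "spt": "source_port", "dpt": "dest_port", "proto": "protocol.value", "app": "app",
    "suser": "source_user", "duser": "dest_user", "act": "action.value",
    "cat": "action_source.value", "reason": "session_end_reason.value",
    "in": "bytes_received", "out": "bytes_sent",
    "deviceInboundInterface": "inbound_if.value", "deviceOutboundInterface": "outbound_if.value",
    "Rule": "rule_matched", "FromZone": "from_zone", "ToZone": "to_zone",
    "LogSetting": "log_set", "VirtualLocation": "vsys", "Tunnel": "tunnel.value",
    "SessionID": "session_id", "PacketsTotal": "packets_total",
    "SessionDuration": "total_time_elapsed",
    "PacketsDroppedProtocol": "packets_dropped_ukn_proto",
    "PacketsDroppedStrict": "packets_dropped_strict_check",
    "TunnelSessionsCreated": "tunnel_sessions_created",
    "TunnelSessionsClosed": "tunnel_sessions_closed",
    "PanOSTunnelEventType": "tunnel_event_type", "PanOSTunnelMessageType": "tunnel_message_type",
    "PanOSTunnelEndpointID1": "tunnel_endpoint_id_1", "PanOSTunnelEndpointID2": "tunnel_endpoint_id_2",
    "PanOSTunnelCauseCode": "tunnel_cause_code", "PanOSTunnelInspectionRule": "tunnel_inspection_rule",
    "PanOSIMSI": "tunnelid_imsi", "PanOSRuleUUID": "rule_matched_uuid",
}


def to_query_names(extension: Dict[str, str]) -> Dict[str, str]:
    """Resolve csN/cnN/cfpN/c6aN through their *Label companions, then map every
    key the table covers to its query name. This folds src/c6a2 (IPv4 vs IPv6)
    into one source_ip.value. Unknown keys keep their CEF name so nothing is
    silently dropped."""
    out: Dict[str, str] = {}
    for key, value in extension.items():
        if key.endswith("Label"):
            continue
        name = extension.get(key + "Label", key)
        out[CEF_TO_QUERY.get(name, name)] = value
    return out


# Constructed samples; header product, version and severity are placeholders.
SAMPLE_CEF_V4 = (
    r"CEF:0|Palo Alto Networks|PAN-OS|10.0|GTP|end|3|"
    r"rt=Feb 23 2021 01:55:36 GMT deviceExternalId=0123456789 dvchost=fw edge 01 "
    r"src=10.20.30.40 dst=10.50.60.70 spt=2123 dpt=2123 proto=udp act=allow "
    r"suser=paloaltonetwork\\jdoe cs1Label=Rule cs1=allow-gtp cs4Label=FromZone cs4=ran "
    r"cs5Label=ToZone cs5=core cs2Label=Tunnel cs2=GTP-U cn1Label=SessionID cn1=44264 "
    r"cfp3Label=TunnelSessionsCreated cfp3=5 cfp4Label=TunnelSessionsClosed cfp4=3 "
    r"PanOSTunnelEventType=40 PanOSTunnelEndpointID1=305419896 PanOSIMSI=0 "
    r"PanOSTunnelInspectionRule=gtp\=s5-s8 externalId=1394230140"
)
SAMPLE_CEF_V6 = (
    r"CEF:0|Palo Alto Networks|PAN-OS|10.0|GTP|start|3|"
    r"c6a2Label=Source IPv6 Address c6a2=2001:db8::10 "
    r"c6a3Label=Destination IPv6 Address c6a3=2001:db8:1::7 spt=2123 dpt=2123 proto=udp"
)
```

Two details matter when a SIEM parser is written against this table. Values such as dvchost or a Label Text can contain spaces, so the extension cannot be split on every space; only whitespace that is followed by a key= starts a new pair, and an escaped \= inside a value (the PanOSTunnelInspectionRule above) must not be mistaken for one. And because the IPv6 address arrives under c6a2/c6a3 rather than src/dst, a rule that only reads src will silently miss every IPv6 Tunnel log unless the label is resolved first.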

Tunnel EMAIL Fields


Example Tunnel log in EMAIL:

TimeReceived=2021-02-23T01:55:36.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=GTP
Subtype=end
ConfigVersion=10.0
TimeGenerated=2021-02-23T01:55:26.000000Z
SourceAddress=xxx.xx.x.xx
DestinationAddress=xxx.xx.x.xx
NATSource=xxx.xx.x.xx
NATDestination=xxx.xx.x.xx
Rule=allow-all-employees

SourceUser="paloaltonetwork\xxxxx"
DestinationUser="paloaltonetwork\xxxxx"
Application=translator-1
VirtualLocation=vsys1
FromZone=ethernet4Zone-test1
ToZone=untrust
InboundInterface=unknown
OutboundInterface=unknown
LogSetting=rs-logging
SessionID=44264
RepeatCount=1
SourcePort=20006
DestinationPort=14659
NATSourcePort=32577
NATDestinationPort=7527
Protocol=tcp
Action=allow
TunnelEventType=40
MobileSubscriberISDN=
AccessPointName=
RadioAccessTechnology=11
TunnelMessageType=0
MobileIP=
TunnelEndpointID1=0
TunnelEndpointID2=0
TunnelInterface=0
TunnelCauseCode=0
VendorSeverity=Unused
MobileCountryCode=0
MobileNetworkCode=0
MobileAreaCode=0
MobileBaseStationCode=0
TunnelEventCode=0
SequenceNo=1394230140
SourceLocation=east-coast
DestinationLocation=chicago
DGHierarchyLevel1=11
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=xxxxx
IMSI=0
IMEI=
ParentSessionID=0
ParentStarttime=1970-01-01T00:00:00.000000Z
Tunnel=HTTP2-CONNECTION
Bytes=7604628883345
BytesSent=41191473158
BytesReceived=7563437410187
PacketsTotal=1614045305
PacketsSent=1614045296
PacketsReceived=9
PacketsDroppedMax=0
PacketsDroppedProtocol=724369410
PacketsDroppedStrict=0

PacketsDroppedTunnel=153
TunnelSessionsCreated=541065246
TunnelSessionsClosed=83951616
SessionEndReason=n-a
ActionSource=
SessionStartTime=1970-01-01T00:00:19.000000Z
SessionDuration=2124021760
TunnelInspectionRule=
TunnelRemoteUserIP=
TunnelRemoteIMSIID=0
RuleUUID=d0658a8e-c749-4b1c-a7dc-3247de1c94e7
DynamicUserGroupName=
ContainerID=
ContainerNameSpace=
ContainerName=
SourceEDL=
DestinationEDL=
SourceDynamicAddressGroup=
DestinationDynamicAddressGroup=
TimeGeneratedHighResolution=2021-02-23T01:55:26.770000Z
NSSAINetworkSliceDifferentiator=0
NSSAINetworkSliceType=0
ProtocolDataUnitsessionID=0

The following table identifies the Tunnel field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.

EMAIL Name Query Name

AccessPointName access_point_name

Action action.value

ActionSource action_source.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

BytesReceived bytes_received

BytesSent bytes_sent

Bytes bytes_total

ConfigVersion config_version.value

ContainerID container_id


ApplicationContainer container_of_app

ContentVersion content_version

RepeatCount count_of_repeats

LoggingServiceID customer_id

DestinationDeviceClass dest_device_class

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4


DynamicUserGroupName dynusergroup_name

FromZone from_zone

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecryptedPayloadForward is_decrypted_payload_fwded

IsDecryptedLog is_decryption_log

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsInspectionBeforeSession is_l7_inspection_b4_session

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MobileAreaCode mobile_area_code

MobileBaseStationCode mobile_base_station_code

MobileCountryCode mobile_country_code

MobileIP mobile_ip.value

MobileNetworkCode mobile_network_code

MobileSubscriberISDN mobile_subscriber_isdn

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceDifferentiator nssai_network_slice_differentiator.value

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PacketsDroppedMax packets_dropped_max_encap

PacketsDroppedStrict packets_dropped_strict_check

PacketsDroppedTunnel packets_dropped_tunnel_frag

PacketsDroppedProtocol packets_dropped_ukn_proto

PacketsReceived packets_received

PacketsSent packets_sent

PacketsTotal packets_total

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStarttime parent_start_time

ProtocolDataUnitsessionID pdu_session_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

Protocol protocol.value

RadioAccessTechnology radio_access_technology

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp, SanctionedStateofApp sanctioned_state_of_app

SequenceNo sequence_no

SessionOwnerMidx sess_owner_rt_midx

SessionEndReason session_end_reason.value

SessionID session_id

SessionStartTime session_start_time

SessionTracker session_tracker

Severity severity

SourceDeviceClass source_device_class

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

StandardPortsOfApp standard_ports_of_app

Subtype sub_type.value

ApplicationTechnology technology_of_app

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

SessionDuration total_time_elapsed

Tunnel tunnel.value

TunnelCauseCode tunnel_cause_code

TunnelEndpointID1 tunnel_endpoint_id_1

TunnelEndpointID2 tunnel_endpoint_id_2

TunnelEventCode tunnel_event_code

TunnelEventType tunnel_event_type

TunnelInspectionRule tunnel_inspection_rule

TunnelInterface tunnel_interface

TunnelMessageType tunnel_message_type

TunnelRemoteIMSIID tunnel_remote_imsi_id

TunnelRemoteUserIP tunnel_remote_user_ip.value

TunnelSessionsClosed tunnel_sessions_closed

TunnelSessionsCreated tunnel_sessions_created

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URLCategory url_category.value

Users users

VendorName vendor_name

VendorSeverity vendor_severity.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

Tunnel HTTPS Fields


The following table identifies the Tunnel field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

AccessPointName access_point_name

Action action.value

ActionSource action_source.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

BytesReceived bytes_received

BytesSent bytes_sent

Bytes bytes_total

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

ContentVersion content_version

RepeatCount count_of_repeats

LoggingServiceID customer_id

DestinationDeviceClass dest_device_class

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DynamicUserGroupName dynusergroup_name

FromZone from_zone

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecryptedPayloadForward is_decrypted_payload_fwded

IsDecryptedLog is_decryption_log

IsDuplicateLog is_dup_log

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsInspectionBeforeSession is_l7_inspection_b4_session

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MobileAreaCode mobile_area_code

MobileBaseStationCode mobile_base_station_code

MobileCountryCode mobile_country_code

MobileIP mobile_ip.value

MobileNetworkCode mobile_network_code

MobileSubscriberISDN mobile_subscriber_isdn

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceDifferentiator nssai_network_slice_differentiator.value

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PacketsDroppedMax packets_dropped_max_encap

PacketsDroppedStrict packets_dropped_strict_check

PacketsDroppedTunnel packets_dropped_tunnel_frag

PacketsDroppedProtocol packets_dropped_ukn_proto

PacketsReceived packets_received

PacketsSent packets_sent

PacketsTotal packets_total

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStarttime parent_start_time

ProtocolDataUnitsessionID pdu_session_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

Protocol protocol.value

RadioAccessTechnology radio_access_technology

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp, SanctionedStateofApp sanctioned_state_of_app

SequenceNo sequence_no

SessionOwnerMidx sess_owner_rt_midx

SessionEndReason session_end_reason.value

SessionID session_id

SessionStartTime session_start_time

SessionTracker session_tracker

Severity severity

SourceDeviceClass source_device_class

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

StandardPortsOfApp standard_ports_of_app

Subtype sub_type.value

ApplicationTechnology technology_of_app

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

SessionDuration total_time_elapsed

Tunnel tunnel.value

TunnelCauseCode tunnel_cause_code

TunnelEndpointID1 tunnel_endpoint_id_1

TunnelEndpointID2 tunnel_endpoint_id_2

TunnelEventCode tunnel_event_code

TunnelEventType tunnel_event_type

TunnelInspectionRule tunnel_inspection_rule

TunnelInterface tunnel_interface

TunnelMessageType tunnel_message_type

TunnelRemoteIMSIID tunnel_remote_imsi_id

TunnelRemoteUserIP tunnel_remote_user_ip.value

TunnelSessionsClosed tunnel_sessions_closed

TunnelSessionsCreated tunnel_sessions_created

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URLCategory url_category.value

Users users

VendorName vendor_name

VendorSeverity vendor_severity.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

Tunnel LEEF Fields


Example Tunnel log in LEEF:

Sep 21 02:13:19 xxx.xx.x.xx 2203 <14>1 2021-09-21T02:13:19.109Z
stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder
- panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation
Firewall|10.1|drop||TimeReceived=2021-09-21T02:13:18.000000Z
DeviceSN=xxxxxxxxxxxxx cat=gtp SubType=drop ConfigVersion=10.1
devTime=2021-09-21T02:13:03.000000Z src=xxx.xx.x.xx
dst= srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx
Rule=allow-all-employees usrName=paloaltonetwork\xxxxx
DestinationUser=paloaltonetwork\xxxxx Application=rlogin
VirtualLocation=vsys1 FromZone=untrust ToZone=ethernet4Zone-
test1 InboundInterface=ethernet1/1 OutboundInterface=ethernet1/1
LogSetting=rs-logging SessionID=396610 RepeatCount=1 srcPort=20679
dstPort=2619 srcPostNATPort=8544 dstPostNATPort=27147 proto=tcp
TunnelEventType=51 MobileSubscriberISDN= AccessPointName=
RadioAccessTechnology=11 TunnelMessageType=0 MobileIP=
TunnelEndpointID1=0 TunnelEndpointID2=0 TunnelInterface=0
TunnelCauseCode=0 VendorSeverity=Unused MobileCountryCode=0
MobileNetworkCode=0 MobileAreaCode=0 MobileBaseStationCode=0
TunnelEventCode=0 SequenceNo=7003061089432915273
SourceLocation=west-coast DestinationLocation=BR
DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0
DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx IMSI=0
IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z
Tunnel=HTTP2-CONNECTION Bytes=7102726800694 srcBytes=58980433922
dstBytes=7043746366772 totalPackets=1632190399
srcPackets=1632190349 dstPackets=50 PacketsDroppedMax=0
PacketsDroppedProtocol=724238337 PacketsDroppedStrict=0
PacketsDroppedTunnel=45 TunnelSessionsCreated=536936689
TunnelSessionsClosed=-1107230720 SessionEndReason=aged-
out ActionSource= startTime=1970-01-01T00:00:03.000000Z
SessionDuration=-121241600 TunnelInspectionRule=
TunnelRemoteUserIP= TunnelRemoteIMSIID=0 RuleUUID=d0658a8e-
c749-4b1c-a7dc-3247de1c94e7 DynamicUserGroupName= ContainerID=
ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL=
SourceDynamicAddressGroup= DestinationDynamicAddressGroup=
TimeGeneratedHighResolution=2021-09-21T02:13:03.915000Z
NSSAINetworkSliceDifferentiator=0 NSSAINetworkSliceType=0
ProtocolDataUnitsessionID=0 devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the Tunnel field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.


When you create a syslog forwarding profile, you can optionally create a profile token
that the Log Forwarding app includes when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth), in a parameter called profileToken.

LEEF Name Query Name Field Type

AccessPointName access_point_name Custom

EventID action.value Header

ActionSource action_source.value Custom

Application app Custom

ApplicationCategory app_category Custom

ApplicationSubcategory app_sub_category Custom

dstBytes bytes_received Predefined

srcBytes bytes_sent Predefined

Bytes bytes_total Custom

ConfigVersion config_version.value Custom

ContainerID container_id Custom

ApplicationContainer container_of_app Custom

ContentVersion content_version Custom

RepeatCount count_of_repeats Custom

LoggingServiceID customer_id Custom

DestinationDeviceClass dest_device_class Custom

DestinationDeviceMac dest_device_mac Custom

DestinationDeviceModel dest_device_model Custom

DestinationDeviceOS dest_device_os Custom

DestinationDeviceVendor dest_device_vendor Custom

DestinationDynamicAddressGroup dest_dynamic_address_group Custom

DestinationEDL dest_edl Custom

dst dest_ip.value Predefined

DestinationLocation dest_location Custom

dstPort dest_port Predefined

DestinationUser dest_user Custom

DestinationUserDomain dest_user_info.domain Custom

DestinationUserName dest_user_info.name Custom

DestinationUserUUID dest_user_info.uuid Custom

DestinationUUID dest_uuid Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

DynamicUserGroupName dynusergroup_name Custom

FromZone from_zone Custom

InboundInterface inbound_if.value Custom

InboundInterfaceDetailsPort inbound_if_details.port Custom

InboundInterfaceDetailsSlot inbound_if_details.slot Custom

InboundInterfaceDetailsType inbound_if_details.type.value Custom

InboundInterfaceDetailsUnit inbound_if_details.unit Custom

CaptivePortal is_captive_portal Custom

IsClienttoServer is_client_to_server Custom

IsContainer is_container Custom

IsDecryptMirror is_decrypt_mirror Custom

IsDecryptedPayloadForward is_decrypted_payload_fwded Custom

IsDecryptedLog is_decryption_log Custom

IsDuplicateLog is_dup_log Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsIPV6 is_ipv6 Custom

IsInspectionBeforeSession is_l7_inspection_b4_session Custom

IsMptcpOn is_mptcp_on Custom

NAT is_nat Custom

IsNonStandardDestinationPort is_non_std_dest_port Custom

IsPacketCapture is_packet_capture Custom

IsPhishing is_phishing Custom

IsPrismaNetwork is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

IsProxy is_proxy Custom

IsReconExcluded is_recon_excluded Custom

IsSaaSApplication is_saas_app Custom

IsServertoClient is_server_to_client Custom

IsSourceXForwarded is_source_x_fwded Custom

IsSystemReturn is_sym_return Custom

IsTransaction is_transaction Custom

IsTunnelInspected is_tunnel_inspected Custom

IsURLDenied is_url_denied Custom

LogSetting log_set Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

MobileAreaCode mobile_area_code Custom

MobileBaseStationCode mobile_base_station_code Custom

MobileCountryCode mobile_country_code Custom

MobileIP mobile_ip.value Custom

MobileNetworkCode mobile_network_code Custom

MobileSubscriberISDN mobile_subscriber_isdn Custom

IMEI monitor_tag_imei Custom

dstPostNAT nat_dest.value Predefined

dstPostNATPort nat_dest_port Predefined

srcPostNAT nat_source.value Predefined

srcPostNATPort nat_source_port Predefined

NonStandardDestinationPort non_standard_dest_port Custom

NSSAINetworkSliceDifferentiator nssai_network_slice_differentiator.value Custom

NSSAINetworkSliceType nssai_network_slice_type.value Custom

OutboundInterface outbound_if.value Custom

OutboundInterfaceDetailsPort outbound_if_details.port Custom

OutboundInterfaceDetailsSlot outbound_if_details.slot Custom

OutboundInterfaceDetailsType outbound_if_details.type.value Custom

OutboundInterfaceDetailsUnit outbound_if_details.unit Custom

PacketsDroppedMax packets_dropped_max_encap Custom

PacketsDroppedStrict packets_dropped_strict_check Custom

PacketsDroppedTunnel packets_dropped_tunnel_frag Custom

PacketsDroppedProtocol packets_dropped_ukn_proto Custom

dstPackets packets_received Predefined

srcPackets packets_sent Predefined

totalPackets packets_total Predefined

PanoramaSN panorama_serial Custom

ParentSessionID parent_session_id Custom

ParentStarttime parent_start_time Custom

ProtocolDataUnitsessionID pdu_session_id Custom

PlatformType platform_type Custom

ContainerName pod_name Custom

ContainerNameSpace pod_namespace Custom

proto protocol.value Predefined

RadioAccessTechnology radio_access_technology Custom

ApplicationRisk risk_of_app Custom

Rule rule_matched Custom

RuleUUID rule_matched_uuid Custom

SanctionedStateofApp sanctioned_state_of_app Custom

SequenceNo sequence_no Custom

SessionOwnerMidx sess_owner_rt_midx Custom

SessionEndReason session_end_reason.value Custom

SessionID session_id Custom

startTime session_start_time Predefined

SessionTracker session_tracker Custom

Severity severity Custom

SourceDeviceClass source_device_class Custom

SourceDeviceMac source_device_mac Custom

SourceDeviceModel source_device_model Custom

SourceDeviceOS source_device_os Custom

SourceDeviceVendor source_device_vendor Custom

SourceDynamicAddressGroup source_dynamic_address_group Custom

SourceEDL source_edl Custom

src source_ip.value Predefined

SourceLocation source_location Custom

srcPort source_port Predefined

usrName source_user Predefined

SourceUserDomain source_user_info.domain Custom

SourceUserName source_user_info.name Custom

SourceUserUUID source_user_info.uuid Custom

SourceUUID source_uuid Custom

StandardPortsOfApp standard_ports_of_app Custom

SubType sub_type.value Custom

ApplicationTechnology technology_of_app Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

ToZone to_zone Custom

SessionDuration total_time_elapsed Custom

Tunnel tunnel.value Custom

TunnelCauseCode tunnel_cause_code Custom

TunnelEndpointID1 tunnel_endpoint_id_1 Custom

TunnelEndpointID2 tunnel_endpoint_id_2 Custom

TunnelEventCode tunnel_event_code Custom

TunnelEventType tunnel_event_type Custom

TunnelInspectionRule tunnel_inspection_rule Custom

TunnelInterface tunnel_interface Custom

TunnelMessageType tunnel_message_type Custom

TunnelRemoteIMSIID tunnel_remote_imsi_id Custom

TunnelRemoteUserIP tunnel_remote_user_ip.value Custom

TunnelSessionsClosed tunnel_sessions_closed Custom

TunnelSessionsCreated tunnel_sessions_created Custom

TunneledApplication tunneled_app Custom

IMSI tunnelid_imsi Custom

URLCategory url_category.value Custom

Users users Custom

Vendor vendor_name Header

VendorSeverity vendor_severity.value Custom

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom
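As an added example (not code from Palo Alto Networks or the Log Forwarding app), the following Python parses a forwarded Tunnel record in LEEF 2.0 format, maps the Header and Predefined LEEF names to the query names in the table above, and normalises devTime and the packet-drop counters so a SIEM rule can use the same field names as a Cortex Data Lake query. The sample record is constructed from the values in the example log above; the attribute delimiter is assumed to be the LEEF default tab, which is what the empty delimiter field in the example header means.

```python
import re
from datetime import datetime, timezone

# LEEF header positions (0 is "LEEF:2.0") -> query names listed as Field Type "Header".
HEADER_QUERY_NAMES = {1: "vendor_name", 4: "action.value"}

# LEEF attribute name -> Cortex Data Lake query name (subset of the table above).
LEEF_TO_QUERY = {
    "cat": "log_type.value", "SubType": "sub_type.value",
    "TimeReceived": "log_time", "devTime": "time_generated",
    "DeviceSN": "log_source_id", "usrName": "source_user",
    "src": "source_ip.value", "dst": "dest_ip.value",
    "srcPort": "source_port", "dstPort": "dest_port",
    "proto": "protocol.value", "Application": "app",
    "Rule": "rule_matched", "RuleUUID": "rule_matched_uuid",
    "SessionID": "session_id", "SessionEndReason": "session_end_reason.value",
    "Tunnel": "tunnel.value", "TunnelEventType": "tunnel_event_type",
    "PacketsDroppedMax": "packets_dropped_max_encap",
    "PacketsDroppedStrict": "packets_dropped_strict_check",
    "PacketsDroppedTunnel": "packets_dropped_tunnel_frag",
    "PacketsDroppedProtocol": "packets_dropped_ukn_proto",
}
DROP_COUNTERS = ("packets_dropped_max_encap", "packets_dropped_strict_check",
                 "packets_dropped_tunnel_frag", "packets_dropped_ukn_proto")

def _split_header(text, count):
    # Split off `count` pipe-terminated header fields, honouring the LEEF "\|" escape.
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and text[i + 1:i + 2] == "|":
            cur.append("|")
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError("malformed LEEF header")
    return fields, text[i:]

def _decode_delim(field):
    # LEEF 2.0 delimiter field: empty means tab, "x09"/"0x09" is a hex code
    # point, anything else is the literal delimiter character.
    if field == "":
        return "\t"
    hex_form = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", field)
    return chr(int(hex_form.group(1), 16)) if hex_form else field

def parse_leef_tunnel_log(line):
    # Return a dict keyed by query name; LEEF names not in the table are kept as-is.
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF record")
    fields, rest = _split_header(line[start:], 5)
    version = fields[0][len("LEEF:"):]
    delim = "\t"  # LEEF 1.0 has no delimiter field and always uses a tab
    if version.startswith("2"):
        (delim_field,), rest = _split_header(rest, 1)
        delim = _decode_delim(delim_field)
    record = {"syslog_prefix": line[:start].rstrip(), "leef_version": version}
    for pos, query_name in HEADER_QUERY_NAMES.items():
        record[query_name] = fields[pos]
    for attr in rest.split(delim):
        if not attr:
            continue  # empty trailing element
        key, eq, value = attr.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {attr!r}")
        record[LEEF_TO_QUERY.get(key, key)] = value  # value may be empty, e.g. dst=
    return record

def time_generated(record):
    # devTime in the example carries six fractional digits and a trailing Z.
    stamp = datetime.strptime(record["time_generated"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return stamp.replace(tzinfo=timezone.utc)

def tunnel_drop_counts(record):
    # Integer drop counters by query name, zero when absent or empty.
    return {name: int(record.get(name) or 0) for name in DROP_COUNTERS}

# Constructed sample from the values in the example log above, tab-delimited.
SAMPLE_LEEF = (
    "<14>1 2021-09-21T02:13:19.109Z stream-logfwd20 logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop||"
    + "\t".join([
        "TimeReceived=2021-09-21T02:13:18.000000Z", "DeviceSN=xxxxxxxxxxxxx",
        "cat=gtp", "SubType=drop", "devTime=2021-09-21T02:13:03.000000Z",
        "src=xxx.xx.x.xx", "dst=", "Rule=allow-all-employees",
        r"usrName=paloaltonetwork\xxxxx", "Application=rlogin", "SessionID=396610",
        "srcPort=20679", "dstPort=2619", "proto=tcp", "TunnelEventType=51",
        "Tunnel=HTTP2-CONNECTION", "PacketsDroppedMax=0", "PacketsDroppedStrict=0",
        "PacketsDroppedProtocol=724238337", "PacketsDroppedTunnel=45",
        "SessionEndReason=aged-out", "RuleUUID=d0658a8e-c749-4b1c-a7dc-3247de1c94e7",
        "devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"]))
```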


URL
URL logs are written by next-generation firewalls whenever network traffic matches a URL
Filtering Profile attached to one or more security rules. For example, the firewall generates a log if
a rule blocks access to specific web sites or web site categories, or the firewall is configured with a
rule to generate an alert when a user accesses a web site.
See the following for information related to supported log formats:
• URL Syslog Default Field Order
• URL CEF Fields
• URL EMAIL Fields
• URL HTTPS Fields
• URL LEEF Fields

URL Field (Display Name) Description

action.value (ACTION)
Identifies the action that the firewall took for the network traffic.
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action

app (APPLICATION)
Application associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: app
EMAIL field name: Application
HTTPS field name: Application
LEEF field name: Application

app_category (APPLICATION CATEGORY)
Identifies the high-level family of the application.
CEF field name: PanOSApplicationCategory
EMAIL field name: ApplicationCategory
HTTPS field name: ApplicationCategory
LEEF field name: ApplicationCategory


app_sub_category (APPLICATION SUBCATEGORY)
Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category.
CEF field name: PanOSApplicationSubcategory
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory

cloud_hostname (CLOUD HOSTNAME)
The hostname on which the VM-Series firewall is running.
CEF field name: PanOSCloudHostname
EMAIL field name: CloudHostname
HTTPS field name: CloudHostname
LEEF field name: CloudHostname

cloud_reportid (CLOUD REPORTID)
Unique 32-character ID for a file scanned by the DLP cloud service, sent by a firewall running PAN-OS 10.2.0. The same Cloud Report ID is displayed for a file that the DLP cloud service has already scanned and generated a Cloud Report ID for.
CEF field name: PanOSCloudReportID
EMAIL field name: CloudReportID
HTTPS field name: CloudReportID
LEEF field name: CloudReportID

config_version.value (CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

container_id (CONTAINER ID)
Unknown field. No information is available at this time.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerID
EMAIL field name: ContainerID
HTTPS field name: ContainerID
LEEF field name: ContainerID

container_of_app (APPLICATION CONTAINER)
Identifies the managing application or parent of the application associated with this network traffic.
CEF field name: PanOSApplicationContainer
EMAIL field name: ApplicationContainer
HTTPS field name: ApplicationContainer
LEEF field name: ApplicationContainer

content_type (CONTENT TYPE)
Content type of the HTTP response data.
Syslog field name: Syslog Field Order
CEF field name: requestContext
EMAIL field name: ContentType
HTTPS field name: ContentType
LEEF field name: ContentType

content_version (CONTENT VERSION)
Applications and Threats version installed on the firewall when the log was generated.
Syslog field name: Syslog Field Order
CEF field name: PanOSContentVersion
EMAIL field name: ContentVersion
HTTPS field name: ContentVersion
LEEF field name: ContentVersion

count_of_repeats (REPEAT COUNT)
Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen within the summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: RepeatCount
HTTPS field name: RepeatCount
LEEF field name: RepeatCount


customer_id (CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance that received this log record.
CEF field name: PanOSCortexDataLakeTenantID
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID

dest_device_category (DESTINATION DEVICE CATEGORY)
Category of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceCategory
EMAIL field name: DestinationDeviceCategory
HTTPS field name: DestinationDeviceCategory
LEEF field name: DestinationDeviceCategory

dest_device_class (DESTINATION DEVICE CLASS)
Destination device class.
CEF field name: PanOSDestinationDeviceClass
EMAIL field name: DestinationDeviceClass
HTTPS field name: DestinationDeviceClass
LEEF field name: DestinationDeviceClass

dest_device_host (DESTINATION DEVICE HOST)
Hostname of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceHost
EMAIL field name: DestinationDeviceHost
HTTPS field name: DestinationDeviceHost
LEEF field name: DestinationDeviceHost

dest_device_mac (DESTINATION DEVICE MAC)
MAC address of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceMac
EMAIL field name: DestinationDeviceMac
HTTPS field name: DestinationDeviceMac
LEEF field name: DestinationDeviceMac

dest_device_model (DESTINATION DEVICE MODEL)
Model of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceModel
EMAIL field name: DestinationDeviceModel
HTTPS field name: DestinationDeviceModel
LEEF field name: DestinationDeviceModel

dest_device_os (DESTINATION DEVICE OS)
Destination device OS type.
CEF field name: PanOSDestinationDeviceOS
EMAIL field name: DestinationDeviceOS
HTTPS field name: DestinationDeviceOS
LEEF field name: DestinationDeviceOS

dest_device_osfamily (DESTINATION DEVICE OS FAMILY)
OS family of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceOSFamily
EMAIL field name: DestinationDeviceOSFamily
HTTPS field name: DestinationDeviceOSFamily
LEEF field name: DestinationDeviceOSFamily

dest_device_osversion (DESTINATION DEVICE OS VERSION)
OS version of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceOSVersion
EMAIL field name: DestinationDeviceOSVersion
HTTPS field name: DestinationDeviceOSVersion
LEEF field name: DestinationDeviceOSVersion

dest_device_profile (DESTINATION DEVICE PROFILE)
Profile of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceProfile
EMAIL field name: DestinationDeviceProfile
HTTPS field name: DestinationDeviceProfile
LEEF field name: DestinationDeviceProfile

dest_device_vendor (DESTINATION DEVICE VENDOR)
Vendor of the device to which the session was directed.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDeviceVendor
EMAIL field name: DestinationDeviceVendor
HTTPS field name: DestinationDeviceVendor
LEEF field name: DestinationDeviceVendor

dest_dynamic_address_group (DESTINATION DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the destination for the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationDynamicAddressGroup
EMAIL field name: DestinationDynamicAddressGroup
HTTPS field name: DestinationDynamicAddressGroup
LEEF field name: DestinationDynamicAddressGroup

dest_edl (DESTINATION EDL)
The name of the external dynamic list that contains the destination IP address of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationEDL
EMAIL field name: DestinationEDL
HTTPS field name: DestinationEDL
LEEF field name: DestinationEDL

dest_ip.value (DESTINATION ADDRESS)
Original destination IP address.
Syslog field name: Syslog Field Order
CEF field names: dst or c6a3
EMAIL field name: DestinationAddress
HTTPS field name: DestinationAddress
LEEF field name: dst

dest_location (DESTINATION LOCATION)
Destination country, or internal region for private addresses.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationLocation
EMAIL field name: DestinationLocation
HTTPS field name: DestinationLocation
LEEF field name: DestinationLocation

dest_port (DESTINATION PORT)
  Network traffic's destination port. If this value is 0, then the app is using its standard port.
  Syslog field name: Syslog Field Order
  CEF field name: dpt
  EMAIL field name: DestinationPort
  HTTPS field name: DestinationPort
  LEEF field name: dstPort

dest_user (DESTINATION USER)
  The username to which the network traffic was destined.
  Syslog field name: Syslog Field Order
  CEF field name: duser
  EMAIL field name: DestinationUser
  HTTPS field name: DestinationUser
  LEEF field name: DestinationUser

dest_user_info.domain (DESTINATION USER DOMAIN)
  Domain to which the Destination User belongs.
  CEF field name: dntdom
  EMAIL field name: DestinationUserDomain
  HTTPS field name: DestinationUserDomain
  LEEF field name: DestinationUserDomain

dest_user_info.name (DESTINATION USER NAME)
  The Destination User. That is, the username to which the network traffic was destined.
  CEF field name: dusername, duser
  EMAIL field name: DestinationUserName
  HTTPS field name: DestinationUserName
  LEEF field name: DestinationUserName

dest_user_info.uuid (DESTINATION USER UUID)
  Unique identifier assigned to the Destination User.
  CEF field name: duid
  EMAIL field name: DestinationUserUUID
  HTTPS field name: DestinationUserUUID
  LEEF field name: DestinationUserUUID

dest_uuid (DESTINATION UUID)
  Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDestinationUUID
  EMAIL field name: DestinationUUID
  HTTPS field name: DestinationUUID
  LEEF field name: DestinationUUID

dg_hier_level_1 (DG HIERARCHY LEVEL 1)
  A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDGHierarchyLevel1
  EMAIL field name: DGHierarchyLevel1
  HTTPS field name: DGHierarchyLevel1
  LEEF field name: DGHierarchyLevel1

dg_hier_level_2 (DG HIERARCHY LEVEL 2)
  A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDGHierarchyLevel2
  EMAIL field name: DGHierarchyLevel2
  HTTPS field name: DGHierarchyLevel2
  LEEF field name: DGHierarchyLevel2

dg_hier_level_3 (DG HIERARCHY LEVEL 3)
  A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDGHierarchyLevel3
  EMAIL field name: DGHierarchyLevel3
  HTTPS field name: DGHierarchyLevel3
  LEEF field name: DGHierarchyLevel3

dg_hier_level_4 (DG HIERARCHY LEVEL 4)
  A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDGHierarchyLevel4
  EMAIL field name: DGHierarchyLevel4
  HTTPS field name: DGHierarchyLevel4
  LEEF field name: DGHierarchyLevel4

direction_of_attack.value (DIRECTION OF ATTACK)
  Indicates the direction of the attack.
  Syslog field name: Syslog Field Order
  CEF field name: flexString2
  EMAIL field name: DirectionOfAttack
  HTTPS field name: DirectionOfAttack
  LEEF field name: DirectionOfAttack

dynusergroup_name (DYNAMIC USER GROUP NAME)
  Dynamic user group of the user who initiated the network connection.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSDynamicUserGroupName
  EMAIL field name: DynamicUserGroupName
  HTTPS field name: DynamicUserGroupName
  LEEF field name: DynamicUserGroupName

endpoint_serial_number (ENDPOINT SERIAL NUMBER)
  Serial number of the host on which GlobalProtect is installed.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSEndpointSerialNumber
  EMAIL field name: EndpointSerialNumber
  HTTPS field name: EndpointSerialNumber
  LEEF field name: EndpointSerialNumber

file_url (FILE URL)
  File URL.
  CEF field name: PanOSFileURL
  EMAIL field name: FileURL
  HTTPS field name: FileURL
  LEEF field name: FileURL

flow_type.value (FLOW TYPE)
  Defines the traffic type: explicit proxy, transparent proxy, or no proxy.
  CEF field name: FlowType
  EMAIL field name: FlowType
  HTTPS field name: FlowType
  LEEF field name: FlowType

from_zone (FROM ZONE)
  The networking zone from which the traffic originated.
  Syslog field name: Syslog Field Order
  CEF field name: cs4
  EMAIL field name: FromZone
  HTTPS field name: FromZone
  LEEF field name: FromZone

gp_host_id (GP HOST ID)
  A unique ID that GlobalProtect assigns to identify the host.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSHostID
  EMAIL field name: HostID
  HTTPS field name: HostID
  LEEF field name: HostID

http2_connection (HTTP2 CONNECTION)
  Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSHTTP2Connection
  EMAIL field name: HTTP2Connection
  HTTPS field name: HTTP2Connection
  LEEF field name: HTTP2Connection

http_headers (HTTP HEADERS)
  The HTTP headers used in the web request.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSHTTPHeaders
  EMAIL field name: HTTPHeaders
  HTTPS field name: HTTPHeaders
  LEEF field name: HTTPHeaders

http_method.value (HTTP METHOD)
  The HTTP method used in the web request.
  Syslog field name: Syslog Field Order
  CEF field name: requestMethod
  EMAIL field name: HTTPMethod
  HTTPS field name: HTTPMethod
  LEEF field name: HTTPMethod

inbound_if.value (INBOUND INTERFACE)
  Interface from which the network traffic was sourced.
  Syslog field name: Syslog Field Order
  CEF field name: deviceInboundInterface
  EMAIL field name: InboundInterface
  HTTPS field name: InboundInterface
  LEEF field name: InboundInterface

inbound_if_details.port (INBOUND INTERFACE DETAILS PORT)
  Hardware port or socket from which the network traffic was sourced.
  CEF field name: PanOSInboundInterfaceDetailsPort
  EMAIL field name: InboundInterfaceDetailsPort
  HTTPS field name: InboundInterfaceDetailsPort
  LEEF field name: InboundInterfaceDetailsPort

inbound_if_details.slot (INBOUND INTERFACE DETAILS SLOT)
  Interface slot from which the network traffic was sourced.
  CEF field name: PanOSInboundInterfaceDetailsSlot
  EMAIL field name: InboundInterfaceDetailsSlot
  HTTPS field name: InboundInterfaceDetailsSlot
  LEEF field name: InboundInterfaceDetailsSlot

inbound_if_details.type.value (INBOUND INTERFACE DETAILS TYPE)
  The type of interface from which the network traffic was sourced.
  CEF field name: PanOSInboundInterfaceDetailsType
  EMAIL field name: InboundInterfaceDetailsType
  HTTPS field name: InboundInterfaceDetailsType
  LEEF field name: InboundInterfaceDetailsType

inbound_if_details.unit (INBOUND INTERFACE DETAILS UNIT)
  Internal use.
  CEF field name: PanOSInboundInterfaceDetailsUnit
  EMAIL field name: InboundInterfaceDetailsUnit
  HTTPS field name: InboundInterfaceDetailsUnit
  LEEF field name: InboundInterfaceDetailsUnit

inline_ml_verdict.value (INLINE ML VERDICT)
  A verdict that identifies the nature of the threat based on the Inline ML model used to analyze the webpage.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSInlineMLVerdict
  EMAIL field name: InlineMLVerdict
  HTTPS field name: InlineMLVerdict
  LEEF field name: InlineMLVerdict

is_captive_portal (CAPTIVE PORTAL)
  Indicates if user information for the session was captured through Captive Portal.
  CEF field name: PanOSCaptivePortal
  EMAIL field name: CaptivePortal
  HTTPS field name: CaptivePortal
  LEEF field name: CaptivePortal

is_client_to_server (IS CLIENT TO SERVER)
  Indicates if the direction of traffic is from client to server.
  CEF field name: PanOSIsClienttoServer
  EMAIL field name: IsClienttoServer
  HTTPS field name: IsClienttoServer
  LEEF field name: IsClienttoServer

is_container (IS CONTAINER)
  Indicates if the session is a container page access (Container Page).
  CEF field name: PanOSIsContainer
  EMAIL field name: IsContainer
  HTTPS field name: IsContainer
  LEEF field name: IsContainer

is_decrypt_mirror (IS DECRYPT MIRROR)
  Indicates whether decrypted traffic was sent out in clear text through a mirror port.
  CEF field name: PanOSIsDecryptMirror
  EMAIL field name: IsDecryptMirror
  HTTPS field name: IsDecryptMirror
  LEEF field name: IsDecryptMirror

is_decrypted (IS DECRYPTED)
  Flag that indicates that the session is decrypted.
  CEF field name: PanOSIsDecrypted
  EMAIL field name: IsDecrypted
  HTTPS field name: IsDecrypted
  LEEF field name: IsDecrypted

is_dup_log (IS DUPLICATE LOG)
  Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
  CEF field name: PanOSIsDuplicateLog
  EMAIL field name: IsDuplicateLog
  HTTPS field name: IsDuplicateLog
  LEEF field name: IsDuplicateLog

is_encrypted (IS ENCRYPTED)
  Flag that indicates that the session is encrypted.
  CEF field name: PanOSIsEncrypted
  EMAIL field name: IsEncrypted
  HTTPS field name: IsEncrypted
  LEEF field name: IsEncrypted

is_exported (LOG EXPORTED)
  Indicates if this log was exported from the firewall using the firewall's log export function.
  CEF field name: PanOSLogExported
  EMAIL field name: LogExported
  HTTPS field name: LogExported
  LEEF field name: LogExported

is_forwarded (LOG FORWARDED)
  Internal-use field that indicates if the log is being forwarded.
  CEF field name: PanOSLogForwarded
  EMAIL field name: LogForwarded
  HTTPS field name: LogForwarded
  LEEF field name: LogForwarded

is_ipv6 (IS IPV6)
  Indicates whether IPv6 was used for the session.
  CEF field name: PanOSIsIPV6
  EMAIL field name: IsIPV6
  HTTPS field name: IsIPV6
  LEEF field name: IsIPV6

is_mptcp_on (IS MPTCP ON)
  Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
  CEF field name: PanOSIsMptcpOn
  EMAIL field name: IsMptcpOn
  HTTPS field name: IsMptcpOn
  LEEF field name: IsMptcpOn

is_nat (NAT)
  Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
  CEF field name: PanOSNAT
  EMAIL field name: NAT
  HTTPS field name: NAT
  LEEF field name: NAT

is_non_std_dest_port (IS NON STANDARD DESTINATION PORT)
  Indicates if the destination port is non-standard.
  CEF field name: PanOSIsNonStandardDestinationPort
  EMAIL field name: IsNonStandardDestinationPort
  HTTPS field name: IsNonStandardDestinationPort
  LEEF field name: IsNonStandardDestinationPort

is_packet_capture (IS PACKET CAPTURE)
  Indicates whether the session has a packet capture (PCAP).
  CEF field name: PanOSIsPacketCapture
  EMAIL field name: IsPacketCapture
  HTTPS field name: IsPacketCapture
  LEEF field name: IsPacketCapture

is_phishing (IS PHISHING)
  Indicates whether enterprise credentials were submitted by an end user.
  CEF field name: PanOSIsPhishing
  EMAIL field name: IsPhishing
  HTTPS field name: IsPhishing
  LEEF field name: IsPhishing

is_prisma_branch (IS PRISMA NETWORK)
  Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
  CEF field name: PanOSIsPrismaNetwork
  EMAIL field name: IsPrismaNetwork
  HTTPS field name: IsPrismaNetwork
  LEEF field name: IsPrismaNetwork

is_prisma_mobile (IS PRISMA USERS)
  Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
  CEF field name: PanOSIsPrismaUsers
  EMAIL field name: IsPrismaUsers
  HTTPS field name: IsPrismaUsers
  LEEF field name: IsPrismaUsers

is_proxy (IS PROXY)
  Indicates whether the SSL session is decrypted (SSL Proxy).
  CEF field name: PanOSIsProxy
  EMAIL field name: IsProxy
  HTTPS field name: IsProxy
  LEEF field name: IsProxy

is_recon_excluded (IS RECON EXCLUDED)
  Indicates whether the source for the flow is on the firewall allow list and therefore not subject to recon protection.
  CEF field name: PanOSIsReconExcluded
  EMAIL field name: IsReconExcluded
  HTTPS field name: IsReconExcluded
  LEEF field name: IsReconExcluded

is_saas_app (IS SAAS APPLICATION)
  Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application.
  CEF field name: PanOSIsSaaSApplication
  EMAIL field name: IsSaaSApplication
  HTTPS field name: IsSaaSApplication
  LEEF field name: IsSaaSApplication

is_server_to_client (IS SERVER TO CLIENT)
  Indicates if the direction of traffic is from server to client.
  CEF field name: PanOSIsServertoClient
  EMAIL field name: IsServertoClient
  HTTPS field name: IsServertoClient
  LEEF field name: IsServertoClient

is_source_x_fwded (IS SOURCE X FORWARDED)
  Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
  CEF field name: PanOSIsSourceXForwarded
  EMAIL field name: IsSourceXForwarded
  HTTPS field name: IsSourceXForwarded
  LEEF field name: IsSourceXForwarded

is_sym_return (IS SYSTEM RETURN)
  Indicates whether symmetric return was used to forward traffic for this session.
  CEF field name: PanOSIsSystemReturn
  EMAIL field name: IsSystemReturn
  HTTPS field name: IsSystemReturn
  LEEF field name: IsSystemReturn

is_transaction (IS TRANSACTION)
  Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
  CEF field name: PanOSIsTransaction
  EMAIL field name: IsTransaction
  HTTPS field name: IsTransaction
  LEEF field name: IsTransaction

is_tunnel_inspected (IS TUNNEL INSPECTED)
  Indicates whether the payload for the outer tunnel was inspected.
  CEF field name: PanOSIsTunnelInspected
  EMAIL field name: IsTunnelInspected
  HTTPS field name: IsTunnelInspected
  LEEF field name: IsTunnelInspected

is_url_denied (IS URL DENIED)
  Indicates whether the session was denied due to a URL filtering rule.
  CEF field name: PanOSIsURLDenied
  EMAIL field name: IsURLDenied
  HTTPS field name: IsURLDenied
  LEEF field name: IsURLDenied

location (PRISMA ACCESS LOCATION)
  Prisma Access region/location.
  CEF field name: PanOSLocation
  EMAIL field name: Location
  HTTPS field name: Location
  LEEF field name: Location

log_set (LOG SETTING)
  Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
  Syslog field name: Syslog Field Order
  CEF field name: cs6
  EMAIL field name: LogSetting
  HTTPS field name: LogSetting
  LEEF field name: LogSetting

log_source (LOG SOURCE)
  Identifies the origin of the data. That is, the system that produced the data.
  CEF field name: PanOSLogSource
  EMAIL field name: LogSource
  HTTPS field name: LogSource
  LEEF field name: LogSource

log_source_group_id (LOG SOURCE GROUP ID)
  ID that uniquely identifies the group to which the log source belongs. That is, the log_source_id of the group.
  CEF field name: LogSourceGroupID
  EMAIL field name: LogSourceGroupID
  HTTPS field name: LogSourceGroupID
  LEEF field name: LogSourceGroupID

log_source_id (DEVICE SN)
  ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.
  Syslog field name: Syslog Field Order
  CEF field name: deviceExternalId
  EMAIL field name: DeviceSN
  HTTPS field name: DeviceSN
  LEEF field name: DeviceSN

log_source_name (DEVICE NAME)
  Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
  Syslog field name: Syslog Field Order
  CEF field name: dvchost
  EMAIL field name: DeviceName
  HTTPS field name: DeviceName
  LEEF field name: DeviceName

log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET)
  Time zone offset from GMT of the source of the log.
  CEF field name: PanOSLogSourceTimeZoneOffset
  EMAIL field name: LogSourceTimeZoneOffset
  HTTPS field name: LogSourceTimeZoneOffset
  LEEF field name: LogSourceTimeZoneOffset

log_time (TIME RECEIVED)
  Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
  Syslog field name: Syslog Field Order
  CEF field name: rt
  EMAIL field name: TimeReceived
  HTTPS field name: TimeReceived
  LEEF field name: TimeReceived

log_type.value (LOG TYPE)
  Identifies the log type.
  Syslog field name: Syslog Field Order
  CEF field name: Device Event Class ID
  EMAIL field name: LogType
  HTTPS field name: LogType
  LEEF field name: cat
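
The CEF keys listed in this reference (dst/c6a3, dpt, suser, cs1, cs4, cn1, requestMethod, externalId, deviceExternalId, dvchost and the PanOS-prefixed custom keys) are what a collector has to translate back into the schema field names before it can query on them. The following is an added example, not part of this reference or of any Palo Alto Networks tooling: a small CEF parser that honours the format's escaping rules (\| and \\ in the header; \=, \\, \n and \r in the extension), maps a URL log line onto the schema names on this page using the header positions the page gives for log_type.value (Device Event Class ID) and sub_type.value (Name), applies the dest_port = 0 convention from the dest_port entry, and decodes a microsecond epoch string of the kind log_time and parent_start_time carry. The sample line and its values are constructed for the example; the header names other than the two documented ones (cef_version, device_vendor, device_product, device_version, cef_severity) and the function names are this example's own choices, and the key table only covers the CEF names that appear on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# CEF extension key -> Cortex Data Lake URL schema field, taken from the
# "CEF field name" rows of this reference. dst/c6a3 and src/c6a2 are the
# IPv4/IPv6 alternatives for the same schema field.
CEF_TO_SCHEMA = {
    "dst": "dest_ip.value", "c6a3": "dest_ip.value", "dpt": "dest_port",
    "duser": "dest_user", "dntdom": "dest_user_info.domain", "duid": "dest_user_info.uuid",
    "src": "source_ip.value", "c6a2": "source_ip.value", "spt": "source_port",
    "suser": "source_user", "sntdom": "source_user_info.domain", "suid": "source_user_info.uuid",
    "cs1": "rule_matched", "cs4": "from_zone", "cs6": "log_set", "cn1": "session_id",
    "proto": "protocol.value", "requestMethod": "http_method.value",
    "deviceInboundInterface": "inbound_if.value", "deviceOutboundInterface": "outbound_if.value",
    "deviceExternalId": "log_source_id", "dvchost": "log_source_name",
    "externalId": "sequence_no", "rt": "log_time", "fileId": "pcap_id",
    "flexString2": "direction_of_attack.value",
    "sourceTranslatedAddress": "nat_source.value", "sourceTranslatedPort": "nat_source_port",
    "destinationTranslatedAddress": "nat_dest.value", "destinationTranslatedPort": "nat_dest_port",
    "PanOSRuleUUID": "rule_matched_uuid", "PanOSReferer": "referer",
    "PanOSHTTPHeaders": "http_headers", "PanOSIsURLDenied": "is_url_denied",
    "PanOSIsNonStandardDestinationPort": "is_non_std_dest_port",
    "PanOSIsPhishing": "is_phishing", "PanOSInlineMLVerdict": "inline_ml_verdict.value",
    "PanOSIsSourceXForwarded": "is_source_x_fwded",
}

# CEF header positions. This reference maps "Device Event Class ID" to
# log_type.value and "Name" to sub_type.value; the other names are this example's.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "log_type.value", "sub_type.value", "cef_severity")

_EXT_ESCAPES = {"n": "\n", "r": "\r"}   # \= and \\ unescape to the character itself


def _unescape_ext(value):
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Split a CEF line into (header dict, extension dict), honouring CEF escaping."""
    start = line.find("CEF:")          # tolerate a syslog prefix before the CEF header
    if start < 0:
        raise ValueError("no CEF header")
    header, buf, i, n = [], [], start, len(line)
    while i < n and len(header) < len(HEADER_FIELDS):
        c = line[i]
        if c == "\\" and i + 1 < n:    # header escapes are \| and \\
            buf.append(line[i + 1]); i += 2
        elif c == "|":
            header.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(header) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header")
    ext = {}
    # A new key starts only at whitespace followed by key=; an escaped \= inside
    # a value never matches, so values containing spaces survive the split.
    for token in re.split(r"\s+(?=\w+=)", line[i:].strip()):
        key, sep, raw = token.partition("=")
        if sep:
            ext[key] = _unescape_ext(raw)
    return dict(zip(HEADER_FIELDS, header)), ext


def to_schema(line):
    """Return a record keyed by the Cortex Data Lake URL schema field names."""
    header, ext = parse_cef(line)
    rec = dict(header)
    for key, value in ext.items():
        if key.endswith("Label"):      # cs1Label=Rule only names cs1; the value is in cs1
            continue
        rec[CEF_TO_SCHEMA.get(key, key)] = value
    return rec


def uses_standard_port(rec):
    """dest_port == 0 means the application is on its standard port (see dest_port)."""
    return rec.get("dest_port") == "0"


def epoch_micros(value):
    """Decode a microseconds-since-epoch string such as log_time or parent_start_time."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))


# Constructed sample line: header and values are illustrative, not captured output.
SAMPLE = (r"CEF:0|Palo Alto Networks|PAN-OS|10.2.0|threat|url|3|"
          r"deviceExternalId=0123456789 dvchost=edge-fw-01 src=10.1.2.3 spt=51234 "
          r"dst=203.0.113.10 dpt=0 proto=tcp suser=corp\\jdoe requestMethod=GET "
          r"cs1Label=Rule cs1=allow-web cs4Label=FromZone cs4=trust cn1=884211 "
          r"externalId=7000000000012345 PanOSIsURLDenied=1 "
          r"PanOSIsNonStandardDestinationPort=0 PanOSReferer=https://example.org/?a\=1 "
          r"PanOSHTTPHeaders=User-Agent: curl/8.4\nHost: example.com")

if __name__ == "__main__":
    record = to_schema(SAMPLE)
    for field in ("log_type.value", "sub_type.value", "source_user", "dest_ip.value",
                  "rule_matched", "referer", "is_url_denied"):
        print(f"{field:16} {record[field]!r}")
    print("standard port:", uses_standard_port(record))
    print("log_time example:", epoch_micros("1706601600000000").isoformat())
```

The split on whitespace-followed-by-`key=` relies on the sender escaping every `=` inside a value as CEF requires; a URL with an unescaped query string would be cut at the wrong place and surface as an unknown key, which is worth counting as a parse error rather than silently ingesting. The unmapped PanOS keys are kept under their CEF names so nothing is dropped when the forwarder adds a field this table does not list.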

monitor_tag_imei (IMEI)
  A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSIMEI
  EMAIL field name: IMEI
  HTTPS field name: IMEI
  LEEF field name: IMEI

nat_dest.value (NAT DESTINATION)
  If destination NAT was performed, the post-NAT destination IP address.
  Syslog field name: Syslog Field Order
  CEF field name: destinationTranslatedAddress
  EMAIL field name: NATDestination
  HTTPS field name: NATDestination
  LEEF field name: dstPostNAT

nat_dest_port (NAT DESTINATION PORT)
  Post-NAT destination port.
  Syslog field name: Syslog Field Order
  CEF field name: destinationTranslatedPort
  EMAIL field name: NATDestinationPort
  HTTPS field name: NATDestinationPort
  LEEF field name: dstPostNATPort

nat_source.value (NAT SOURCE)
  If source NAT was performed, the post-NAT source IP address.
  Syslog field name: Syslog Field Order
  CEF field name: sourceTranslatedAddress
  EMAIL field name: NATSource
  HTTPS field name: NATSource
  LEEF field name: srcPostNAT

nat_source_port (NAT SOURCE PORT)
  Post-NAT source port.
  Syslog field name: Syslog Field Order
  CEF field name: sourceTranslatedPort
  EMAIL field name: NATSourcePort
  HTTPS field name: NATSourcePort
  LEEF field name: srcPostNATPort

non_standard_dest_port (NON STANDARD DESTINATION PORT)
  Identifies the non-standard or unexpected port used by the application associated with this session.
  CEF field name: PanOSNonStandardDestinationPort
  EMAIL field name: NonStandardDestinationPort
  HTTPS field name: NonStandardDestinationPort
  LEEF field name: NonStandardDestinationPort

nssai_network_slice_type.value (NSSAI NETWORK SLICE TYPE)
  Network Slice Type (the SST part of the S-NSSAI).
  Syslog field name: Syslog Field Order
  CEF field name: PanOSNSSAINetworkSliceType
  EMAIL field name: NSSAINetworkSliceType
  HTTPS field name: NSSAINetworkSliceType
  LEEF field name: NSSAINetworkSliceType

outbound_if.value (OUTBOUND INTERFACE)
  Interface to which the network traffic was destined.
  Syslog field name: Syslog Field Order
  CEF field name: deviceOutboundInterface
  EMAIL field name: OutboundInterface
  HTTPS field name: OutboundInterface
  LEEF field name: OutboundInterface

outbound_if_details.port (OUTBOUND INTERFACE DETAILS PORT)
  Hardware port or socket to which the network traffic was sent.
  CEF field name: PanOSOutboundInterfaceDetailsPort
  EMAIL field name: OutboundInterfaceDetailsPort
  HTTPS field name: OutboundInterfaceDetailsPort
  LEEF field name: OutboundInterfaceDetailsPort

outbound_if_details.slot (OUTBOUND INTERFACE DETAILS SLOT)
  Interface slot to which the network traffic was sent.
  CEF field name: PanOSOutboundInterfaceDetailsSlot
  EMAIL field name: OutboundInterfaceDetailsSlot
  HTTPS field name: OutboundInterfaceDetailsSlot
  LEEF field name: OutboundInterfaceDetailsSlot

outbound_if_details.type.value (OUTBOUND INTERFACE DETAILS TYPE)
  The type of interface to which the network traffic was sent.
  CEF field name: PanOSOutboundInterfaceDetailsType
  EMAIL field name: OutboundInterfaceDetailsType
  HTTPS field name: OutboundInterfaceDetailsType
  LEEF field name: OutboundInterfaceDetailsType

outbound_if_details.unit (OUTBOUND INTERFACE DETAILS UNIT)
  Internal use.
  CEF field name: PanOSOutboundInterfaceDetailsUnit
  EMAIL field name: OutboundInterfaceDetailsUnit
  HTTPS field name: OutboundInterfaceDetailsUnit
  LEEF field name: OutboundInterfaceDetailsUnit

panorama_serial (PANORAMA SN)
  Serial number of the Panorama associated with Cortex Data Lake.
  CEF field name: PanOSPanoramaSN
  EMAIL field name: PanoramaSN
  HTTPS field name: PanoramaSN
  LEEF field name: PanoramaSN

parent_session_id (PARENT SESSION ID)
  ID of the session in which this network traffic was tunneled.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSParentSessionID
  EMAIL field name: ParentSessionID
  HTTPS field name: ParentSessionID
  LEEF field name: ParentSessionID

parent_start_time (PARENT START TIME)
  Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSParentStarttime
  EMAIL field name: ParentStarttime
  HTTPS field name: ParentStarttime
  LEEF field name: ParentStarttime

pcap (PACKET)
  Packet that triggered the firewall to generate this URL log record.
  CEF field name: PanOSPacket
  EMAIL field name: Packet
  HTTPS field name: Packet
  LEEF field name: Packet

pcap_id (PACKET ID)
  Packet capture ID. Used to correlate threat pcap files with extended pcaps taken as a part of the session flow.
  Syslog field name: Syslog Field Order
  CEF field name: fileId
  EMAIL field name: PacketID
  HTTPS field name: PacketID
  LEEF field name: PacketID

platform_type (PLATFORM TYPE)
  The platform type. Valid types are VM, PA, NGFW, and CNGFW.
  CEF field name: PlatformType
  EMAIL field name: PlatformType
  HTTPS field name: PlatformType
  LEEF field name: PlatformType

pod_name (CONTAINER NAME)
  Container name.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSContainerName
  EMAIL field name: ContainerName
  HTTPS field name: ContainerName
  LEEF field name: ContainerName

pod_namespace (CONTAINER NAME SPACE)
  Container namespace.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSContainerNameSpace
  EMAIL field name: ContainerNameSpace
  HTTPS field name: ContainerNameSpace
  LEEF field name: ContainerNameSpace

protocol.value (PROTOCOL)
  IP protocol associated with the session.
  Syslog field name: Syslog Field Order
  CEF field name: proto
  EMAIL field name: Protocol
  HTTPS field name: Protocol
  LEEF field name: proto

referer (REFERER)
  The web page URL identified in the HTTP REFERER header field.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSReferer
  EMAIL field name: Referer
  HTTPS field name: Referer
  LEEF field name: Referer

referer_fqdn (HTTP REFERER FQDN)
  The fully qualified domain name used in the HTTP REFERER header field.
  CEF field name: PanOSHTTPRefererFQDN
  EMAIL field name: HTTPRefererFQDN
  HTTPS field name: HTTPRefererFQDN
  LEEF field name: HTTPRefererFQDN

referer_port (HTTP REFERER PORT)
  The port used in the HTTP REFERER header field.
  CEF field name: PanOSHTTPRefererPort
  EMAIL field name: HTTPRefererPort
  HTTPS field name: HTTPRefererPort
  LEEF field name: HTTPRefererPort

referer_protocol.value (HTTP REFERER PROTOCOL)
  The protocol used in the HTTP REFERER header field.
  CEF field name: PanOSHTTPRefererProtocol
  EMAIL field name: HTTPRefererProtocol
  HTTPS field name: HTTPRefererProtocol
  LEEF field name: HTTPRefererProtocol

referer_url_path (HTTP REFERER URL PATH)
  The URL path used in the HTTP REFERER header field.
  CEF field name: PanOSHTTPRefererURLPath
  EMAIL field name: HTTPRefererURLPath
  HTTPS field name: HTTPRefererURLPath
  LEEF field name: HTTPRefererURLPath

risk_of_app (APPLICATION RISK)
  Indicates how risky the application is from a network security perspective.
  CEF field name: PanOSApplicationRisk
  EMAIL field name: ApplicationRisk
  HTTPS field name: ApplicationRisk
  LEEF field name: ApplicationRisk

rule_matched (RULE)
  Name of the security policy rule that the network traffic matched.
  Syslog field name: Syslog Field Order
  CEF field name: cs1
  EMAIL field name: Rule
  HTTPS field name: Rule
  LEEF field name: Rule

rule_matched_uuid (RULE UUID)
  Unique identifier for the security policy rule that the network traffic matched.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSRuleUUID
  EMAIL field name: RuleUUID
  HTTPS field name: RuleUUID
  LEEF field name: RuleUUID

sanctioned_state_of_app (SANCTIONED STATE OF APP)
  Indicates whether the application has been flagged as sanctioned by the firewall administrator.
  CEF field name: PanOSSanctionedStateofApp
  EMAIL field name: All of the following: SanctionedStateOfApp, SanctionedStateofApp
  HTTPS field name: All of the following: SanctionedStateOfApp, SanctionedStateofApp
  LEEF field name: SanctionedStateofApp

sequence_no (SEQUENCE NO)
  The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
  Syslog field name: Syslog Field Order
  CEF field name: externalId
  EMAIL field name: SequenceNo
  HTTPS field name: SequenceNo
  LEEF field name: SequenceNo

session_id (SESSION ID)
  Identifies the firewall's internal identifier for a specific network session.
  Syslog field name: Syslog Field Order
  CEF field name: cn1
  EMAIL field name: SessionID
  HTTPS field name: SessionID
  LEEF field name: SessionID

severity (SEVERITY)
  Severity as defined by the platform.
  CEF field name: PanOSSeverity
  EMAIL field name: Severity
  HTTPS field name: Severity
  LEEF field name: Severity

sig_flags (SIG FLAGS)
  Internal use only.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSigFlags
  EMAIL field name: SigFlags
  HTTPS field name: SigFlags
  LEEF field name: SigFlags

source_device_category (SOURCE DEVICE CATEGORY)
  Category of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceCategory
  EMAIL field name: SourceDeviceCategory
  HTTPS field name: SourceDeviceCategory
  LEEF field name: SourceDeviceCategory

source_device_class (SOURCE DEVICE CLASS)
  Source device class.
  CEF field name: PanOSSourceDeviceClass
  EMAIL field name: SourceDeviceClass
  HTTPS field name: SourceDeviceClass
  LEEF field name: SourceDeviceClass

source_device_host (SOURCE DEVICE HOST)
  Hostname of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceHost
  EMAIL field name: SourceDeviceHost
  HTTPS field name: SourceDeviceHost
  LEEF field name: SourceDeviceHost

source_device_mac (SOURCE DEVICE MAC)
  MAC address of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceMac
  EMAIL field name: SourceDeviceMac
  HTTPS field name: SourceDeviceMac
  LEEF field name: SourceDeviceMac

source_device_model (SOURCE DEVICE MODEL)
  Model of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceModel
  EMAIL field name: SourceDeviceModel
  HTTPS field name: SourceDeviceModel
  LEEF field name: SourceDeviceModel

source_device_os (SOURCE DEVICE OS)
  Source device OS type.
  CEF field name: PanOSSourceDeviceOS
  EMAIL field name: SourceDeviceOS
  HTTPS field name: SourceDeviceOS
  LEEF field name: SourceDeviceOS

source_device_osfamily (SOURCE DEVICE OS FAMILY)
  OS family of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceOSFamily
  EMAIL field name: SourceDeviceOSFamily
  HTTPS field name: SourceDeviceOSFamily
  LEEF field name: SourceDeviceOSFamily

source_device_osversion (SOURCE DEVICE OS VERSION)
  OS version of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceOSVersion
  EMAIL field name: SourceDeviceOSVersion
  HTTPS field name: SourceDeviceOSVersion
  LEEF field name: SourceDeviceOSVersion

source_device_profile (SOURCE DEVICE PROFILE)
  Profile of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceProfile
  EMAIL field name: SourceDeviceProfile
  HTTPS field name: SourceDeviceProfile
  LEEF field name: SourceDeviceProfile

source_device_vendor (SOURCE DEVICE VENDOR)
  Vendor of the device from which the session originated.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDeviceVendor
  EMAIL field name: SourceDeviceVendor
  HTTPS field name: SourceDeviceVendor
  LEEF field name: SourceDeviceVendor

source_dynamic_address_group (SOURCE DYNAMIC ADDRESS GROUP)
  The dynamic address group that Device-ID identifies as the source of the traffic.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceDynamicAddressGroup
  EMAIL field name: SourceDynamicAddressGroup
  HTTPS field name: SourceDynamicAddressGroup
  LEEF field name: SourceDynamicAddressGroup

source_edl (SOURCE EDL)
  The name of the external dynamic list that contains the source IP address of the traffic.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceEDL
  EMAIL field name: SourceEDL
  HTTPS field name: SourceEDL
  LEEF field name: SourceEDL

source_ip.value (SOURCE ADDRESS)
  Original source IP address.
  Syslog field name: Syslog Field Order
  CEF field name: src (IPv4) or c6a2 (the CEF IPv6 address field)
  EMAIL field name: SourceAddress
  HTTPS field name: SourceAddress
  LEEF field name: src

source_location (SOURCE LOCATION)
  Source country or internal region for private addresses.
  Syslog field name: Syslog Field Order
  CEF field name: PanOSSourceLocation
  EMAIL field name: SourceLocation
  HTTPS field name: SourceLocation
  LEEF field name: SourceLocation

source_port (SOURCE PORT)
  Source port utilized by the session.
  Syslog field name: Syslog Field Order
  CEF field name: spt
  EMAIL field name: SourcePort
  HTTPS field name: SourcePort
  LEEF field name: srcPort

source_user (SOURCE USER)
  The username that initiated the network traffic.
  Syslog field name: Syslog Field Order
  CEF field name: suser
  EMAIL field name: SourceUser
  HTTPS field name: SourceUser
  LEEF field name: usrName

source_user_info.domain Domain to which the Source User belongs.


(SOURCE USER DOMAIN) CEF field name: sntdom

Cortex Data Lake Schema Reference January 2024 701 ©2024 Palo Alto Networks, Inc.
Network Logs

URL Field Description


(Display Name)
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain

source_user_info.name The Source User. That is, the username that initiated
the network traffic.
(SOURCE USER NAME)
CEF field name: All of the following: susername, suser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName

source_user_info.uuid Unique identifier assigned to the Source User.


(SOURCE USER UUID) CEF field name: suid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID

source_uuid Identifies the source universal unique identifier for a


guest virtual machine in the VMware NSX environment.
(SOURCE UUID)
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceUUID
EMAIL field name: SourceUUID
HTTPS field name: SourceUUID
LEEF field name: SourceUUID

sub_type.value Identifies the log subtype.


(SUBTYPE) Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType

technology_of_app The networking technology used by the identified


application.
(APPLICATION TECHNOLOGY)
CEF field name: PanOSApplicationTechnology

Cortex Data Lake Schema Reference January 2024 702 ©2024 Palo Alto Networks, Inc.
Network Logs

URL Field Description


(Display Name)
EMAIL field name: ApplicationTechnology
HTTPS field name: ApplicationTechnology
LEEF field name: ApplicationTechnology

time_generated Time when the log was generated on the firewall's data
plane. This string contains a timestamp value that is the
(TIME GENERATED)
number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res Time the log was generated in data plane


with millisec granularity in format YYYY-MM-
(TIME GENERATED HIGH
DDTHH:MM:SS[.DDDDDD]Z.
RESOLUTION)
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

to_zone Networking zone to which the traffic was sent.


(TO ZONE) Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone

tunnel.value Type of tunnel.


(TUNNEL) Syslog field name: Syslog Field Order
CEF field name: PanOSTunnel
EMAIL field name: Tunnel
HTTPS field name: Tunnel
LEEF field name: Tunnel

Cortex Data Lake Schema Reference January 2024 703 ©2024 Palo Alto Networks, Inc.
Network Logs

URL Field Description


(Display Name)

tunneled_app For internal use only.


(TUNNELED APPLICATION) CEF field name: PanOSTunneledApplication
EMAIL field name: TunneledApplication
HTTPS field name: TunneledApplication
LEEF field name: TunneledApplication

tunnelid_imsi ID of the tunnel being inspected or the International


Mobile Subscriber Identity (IMSI) ID of the mobile user.
(IMSI)
Syslog field name: Syslog Field Order
CEF field name: PanOSIMSI
EMAIL field name: IMSI
HTTPS field name: IMSI
LEEF field name: IMSI

uri The Uniform Resource Identifier (URI) used in the web


request.
(URL)
Syslog field name: Syslog Field Order
CEF field name: request
EMAIL field name: URL
HTTPS field name: URL
LEEF field name: URL

url_category.value The URL category.


(URL CATEGORY) Syslog field name: Syslog Field Order
CEF field name: cs2
EMAIL field name: URLCategory
HTTPS field name: URLCategory
LEEF field name: EventID

url_category_list The list of associated URL categories.


(URL CATEGORY LIST) Syslog field name: Syslog Field Order
CEF field name: PanOSURLCategoryList
EMAIL field name: URLCategoryList
HTTPS field name: URLCategoryList

Cortex Data Lake Schema Reference January 2024 704 ©2024 Palo Alto Networks, Inc.
Network Logs

URL Field Description


(Display Name)
LEEF field name: URLCategoryList

url_domain The name of the internet domain that was visited in this
session.
(URL DOMAIN)
CEF field name: PanOSURLDomain
EMAIL field name: URLDomain
HTTPS field name: URLDomain
LEEF field name: URLDomain

url_idx The column that correlates the traffic, url, and sandbox
logs.
(URL COUNTER)
Syslog field name: Syslog Field Order
CEF field name: PanOSURLCounter
EMAIL field name: URLCounter
HTTPS field name: URLCounter
LEEF field name: URLCounter

user_agent The User Agent field specifies the web browser that the
user used to access the URL.
(USER AGENT)
Syslog field name: Syslog Field Order
CEF field name: requestClientApplication
EMAIL field name: UserAgent
HTTPS field name: UserAgent
LEEF field name: UserAgent

users Source/Destination user. If neither is available, source.


(USERS) CEF field name: PanOSUsers
EMAIL field name: Users
HTTPS field name: Users
LEEF field name: Users

vendor_name Identifies the vendor that produced the data.


(VENDOR NAME) CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName

Cortex Data Lake Schema Reference January 2024 705 ©2024 Palo Alto Networks, Inc.
Network Logs

URL Field Description


(Display Name)
LEEF field name: Vendor

vendor_severity.value Severity associated with the event.


(VENDOR SEVERITY) Syslog field name: Syslog Field Order
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity

vsys String representation of the unique identifier for a


virtual system on a Palo Alto Networks firewall.
(VIRTUAL LOCATION)
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

vsys_id A unique identifier for a virtual system on a Palo Alto


Networks firewall.
(VIRTUAL SYSTEM ID)
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

vsys_name The name of the virtual system associated with the


network traffic.
(VIRTUAL SYSTEM NAME)
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

xff The IP address of the user who requested the web


page.
(X-FORWARDED-FOR)
Syslog field name: Syslog Field Order
CEF field name: PanOSX-Forwarded-For

Cortex Data Lake Schema Reference January 2024 706 ©2024 Palo Alto Networks, Inc.
Network Logs

URL Field Description


(Display Name)
EMAIL field name: X-Forwarded-For
HTTPS field name: X-Forwarded-For
LEEF field name: identSrc

xff_ip.value X-Forwarded-For IP.


(X-FORWARDED-FOR IP) Syslog field name: Syslog Field Order
CEF field name: PanOSX-Forwarded-ForIP
EMAIL field name: X-Forwarded-ForIP
HTTPS field name: X-Forwarded-ForIP
LEEF field name: X-Forwarded-ForIP

URL Syslog Default Field Order


Example URL log in Syslog:

Oct 13 20:56:15 gke-standard-cluster-2-pool-1-6ea9f13a-fnid 394 <142>1 2020-10-13T20:56:15.519Z stream-
logfwd20-156653024-10121421-eq28-harness-16kn logforwarder -
panwlogs - Palo Alto Networks,firewall,013201004706,PA-5220,
22229,2019-07-03T00:05:03.000000Z,-2021464963,3,THREAT,1,url,
xxx.xx.x.xx,00000000000000000000ffff0a365c38,57085,xxx.xx.x.xx,
00000000000000000000ffff0a65023e,8080,6,tcp,,PA-5220,0,client
to server,sjccbovw01p:8080,1,,1,get,\"\u001B\t\u0003 hL\"\"Z}u
\u0015\",sjccbovw01p:8080/BOE/portal/1606170029/InfoView/DataLoader?
notification=true&usercurrenttime=2019-7-2%2017:4&usertimezoneoffset=-7:00,
https%253A%252F%252Fconsole.cloud.google.com%252Fdataflow
%252FjobsDetail%252Flocations%252Fus-central1%252Fjobs
%252F2019-08-09_20_00_42-9931281171472243776%253Fproject
%253Drepl-prd1-eu%2526organizationId%253D992524860932,1,https,
80,console.cloud.google.com,/dataflow/jobsDetail/locations/
us-central1/jobs/2019-08-09_20_00_42-9931281171472243776,
\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/xxx.xx.x.xx Safari/537.36\",,1,
Informational,Informational,,0,0,10077,private-ip-addresses,,4,alert,
-6917529027641081856,web-browsing,general-internet,3\r\n4\r\n5\r\n6\r
\n8,\" Ezajw*{\u0000}`\",12,0,0,0,,xxx.xx.x.xx-xxx.xx.x.xx,,,\"e y@i
\u0003AQ\u0011\u0011c'H\r \",,false,true,tap,,ethernet,1181132783616,
0,0,ethernet,1,19,false,false,false,false,test,\")\nq\u0010~
\u0016C\u001F\",0,xxx.xx.x.xx,00000000000000000000ffff00000000,
0,xxx.xx.x.xx,00000000000000000000ffff00000000,8080,ethernet,
1181132783616,0,0,ethernet,1,19,0,\"WkuL0\n,[Cr\",1,4,dg-
log-policy,,false,6708774908183291111,4189227,,xxx.xx.x.xx-
xxx.xx.x.xx,R9/k!`>\u0017:TN,,internet-utility,browser-based,
2019-08-15T03:05:54.000000Z,tap,0,N/A,tunneled-app,0,xxx.xx.x.xx,1,
vsys1,\"\r\u0007\u001F+#c\bw\",-1004264700,,1093632,false,false,true,
false,false,false,true,false,false,false,false,false,false,false,false,false,false,
false,false,false,,\"eef3\u001A\u0012\\ozM\u0015>\u000E\u0003\",
,\"S/!]\u000B\u0017\"\"r38\",,\"p<[<L\t(,\",,,,,,,,\"\tm\u0004Pq<
\u00066uJq\n\",ujm@\u000Ek*Ggl6,,,,;H;jyv\\\u0016\u0000S,,,,\"j6u7^ ,
\u0015\b\u0016S~\u000E&\",,,\":\u0018\r\u0006\u0016*-y\u0002OQN\",,
\"\u0000#ROK4e \r\u0004DD\u0000\",1551419174186411220,,,-537061822,,^
\u0002@nRq\u001DxZ!w,;nTVmp=H\u001CCQ\u0000O,,,,,,,

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value, rule_matched,
source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value, outbound_if.value,
log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port, nat_source_port,
nat_dest_port, flags, protocol.value, action.value, uri, EMPTY, url_category.value,
vendor_severity.value, direction_of_attack.value, sequence_no, action_flags, source_location,
dest_location, EMPTY, content_type, pcap_id, EMPTY, EMPTY, url_idx, user_agent, EMPTY, xff,
referer, EMPTY, EMPTY, EMPTY, EMPTY, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3,
dg_hier_level_4, vsys_name, log_source_name, EMPTY, source_uuid, dest_uuid, http_method.value,
tunnelid_imsi, monitor_tag_imei, parent_session_id, parent_start_time, tunnel.value,
inline_ml_verdict.value, content_version, sig_flags, EMPTY, EMPTY, http_headers,
url_category_list, rule_matched_uuid, http2_connection, dynusergroup_name, xff_ip.value,
source_device_category, source_device_profile, source_device_model, source_device_vendor,
source_device_osfamily, source_device_osversion, source_device_host, source_device_mac,
dest_device_category, dest_device_profile, dest_device_model, dest_device_vendor,
dest_device_osfamily, dest_device_osversion, dest_device_host, dest_device_mac, container_id,
pod_namespace, pod_name, source_edl, dest_edl, gp_host_id, endpoint_serial_number,
domain_edl, source_dynamic_address_group, dest_dynamic_address_group, partial_hash,
time_generated_high_res, EMPTY, EMPTY, nssai_network_slice_type.value

URL CEF Fields


Example URL log in CEF:

Mar 1 20:48:23 xxx.xx.x.xx 4377 <14>1 2021-03-01T20:48:23.048Z
stream-logfwd20-587718190-03011242-xynu-harness-zpqg
logforwarder - panwlogs - CEF:0|Palo Alto Networks|
LF|2.0|THREAT|url|1|ProfileToken=xxxxx dtz=UTC rt=Mar
01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx
PanOSApplicationCategory=database PanOSApplicationContainer=
PanOSApplicationRisk=2 PanOSApplicationSubcategory=database
PanOSApplicationTechnology=client-server PanOSCaptivePortal=false
PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx
PanOSDestinationDeviceClass= PanOSDestinationDeviceOS=
dntdom=xxxxx duser=xxxxx o"'"test duid= PanOSHTTPRefererFQDN=
PanOSHTTPRefererPort= PanOSHTTPRefererProtocol=
PanOSHTTPRefererURLPath= PanOSInboundInterfaceDetailsPort=0
PanOSInboundInterfaceDetailsSlot=0
PanOSInboundInterfaceDetailsType=unknown
PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true
PanOSIsContainer=false PanOSIsDecryptMirror=false
PanOSIsDecrypted=false PanOSIsDuplicateLog=false
PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false
PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false
PanOSIsPhishing=false PanOSIsPrismaNetwork=false
PanOSIsPrismaUsers=false PanOSIsProxy=false
PanOSIsReconExcluded=false PanOSIsSaaSApplication=false
PanOSIsServertoClient=false PanOSIsSourceXForwarded=true
PanOSIsSystemReturn=true PanOSIsTransaction=false
PanOSIsTunnelInspected=false PanOSIsURLDenied=false
PanOSLogExported=false PanOSLogForwarded=true
PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset=
PanOSNAT=false PanOSNonStandardDestinationPort=32350
PanOSOutboundInterfaceDetailsPort=2
PanOSOutboundInterfaceDetailsSlot=1
PanOSOutboundInterfaceDetailsType=ethernet
PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket=
PanOSSanctionedStateofApp=false PanOSSeverity=Informational
PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx
suser=xxxxx xxxxx suid= PanOSTunneledApplication=untunneled
PanOSURLDomain=?% PanOSUsers=xxxxx\\xxxxx xxxxx
PanOSVirtualSystemID=1 PanOSConfigVersion=10.0
start=Mar 01 2021 20:48:16 src=xxx.xx.x.xx
dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx
destinationTranslatedAddress=xxx.xx.x.xx cs1=allow-
business-apps cs1Label=Rule suser0=xxxxx\\xxxxx xxxxx
duser0=xxxxx\\xxxxx o"'"test app=maxdb cs3=vsys1
cs3Label=VirtualLocation cs4=ethernet4Zone-test4 cs4Label=FromZone
cs5=untrust cs5Label=ToZone deviceInboundInterface=unknown
deviceOutboundInterface=ethernet1/2 cs6=rs-logging
cs6Label=LogSetting cn1=980296 cn1Label=SessionID cnt=1 spt=32350
dpt=1532 sourceTranslatedPort=26236 destinationTranslatedPort=12016
proto=tcp act=block-url request=?% cs2=sports cs2Label=URLCategory
flexString2=server to client flexString2Label=DirectionOfAttack
externalId=xxxxxxxxxxxxx PanOSSourceLocation=west-coast
PanOSDestinationLocation=PK requestContext=application/
jpeg fileId=0 PanOSURLCounter=1 requestClientApplication=
PanOSX-Forwarded-For= PanOSReferer= PanOSDGHierarchyLevel1=11
PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0
PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx
PanOSSourceUUID= PanOSDestinationUUID= requestMethod=post
PanOSIMSI=1 PanOSIMEI=Navy Base PanOSParentSessionID=8802
PanOSParentStarttime=Mar 01 2021 20:48:10 PanOSTunnel=VXLAN
PanOSInlineMLVerdict=overflow PanOSContentVersion=50222
PanOSSigFlags=2 PanOSHTTPHeaders= PanOSURLCategoryList=sports,
11008,38340 PanOSRuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8
PanOSHTTP2Connection=8802 PanOSDynamicUserGroupName=
PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=L-Phone
PanOSSourceDeviceProfile=l-profile PanOSSourceDeviceModel=Note
4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6
PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505
PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=L-
Phone PanOSDestinationDeviceProfile=l-profile
PanOSDestinationDeviceModel=Note XT
PanOSDestinationDeviceVendor=Lenovo
PanOSDestinationDeviceOSFamily=K8
PanOSDestinationDeviceOSVersion=Android v8
PanOSDestinationDeviceHost=pan-506
PanOSDestinationDeviceMac=150083646537
PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default
PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL=
PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx
PanOSEndpointSerialNumber=xxxxxxxxxxxxxx
PanOSSourceDynamicAddressGroup= blue_dag
PanOSDestinationDynamicAddressGroup=
PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16
PanOSNSSAINetworkSliceType=b5

The following table identifies the URL field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name Field Details

act Query Name: action.value


Header Type: Predefined
Max Length: 63

app Query Name: app


Header Type: Predefined
Max Length: 31

PanOSApplicationCategory Query Name: app_category


Header Type: Custom

PanOSApplicationSubcategory Query Name: app_sub_category


Header Type: Custom

PanOSCloudHostname Query Name: cloud_hostname


Header Type: Custom

PanOSCloudReportID Query Name: cloud_reportid


Header Type: Custom

PanOSConfigVersion Query Name: config_version.value


Header Type: Custom

PanOSContainerID Query Name: container_id


Header Type: Custom

PanOSApplicationContainer Query Name: container_of_app


Header Type: Custom


requestContext Query Name: content_type


Header Type: Predefined
Max Length: 2048

PanOSContentVersion Query Name: content_version


Header Type: Custom

cnt Query Name: count_of_repeats


Header Type: Predefined

PanOSCortexDataLakeTenantID Query Name: customer_id


Header Type: Custom

PanOSDestinationDeviceCategory Query Name: dest_device_category


Header Type: Custom

PanOSDestinationDeviceClass Query Name: dest_device_class


Header Type: Custom

PanOSDestinationDeviceHost Query Name: dest_device_host


Header Type: Custom

PanOSDestinationDeviceMac Query Name: dest_device_mac


Header Type: Custom

PanOSDestinationDeviceModel Query Name: dest_device_model


Header Type: Custom

PanOSDestinationDeviceOS Query Name: dest_device_os


Header Type: Custom

PanOSDestinationDeviceOSFamily Query Name: dest_device_osfamily


Header Type: Custom

PanOSDestinationDeviceOSVersion Query Name: dest_device_osversion


Header Type: Custom

PanOSDestinationDeviceProfile Query Name: dest_device_profile


Header Type: Custom


PanOSDestinationDeviceVendor Query Name: dest_device_vendor


Header Type: Custom

PanOSDestinationDynamicAddressGroup Query Name: dest_dynamic_address_group


Header Type: Custom

PanOSDestinationEDL Query Name: dest_edl


Header Type: Custom

dst or c6a3 Query Name: dest_ip.value


Header Type: Predefined
Label: || c6a3Label
Label Text: || Destination IPv6 Address

PanOSDestinationLocation Query Name: dest_location


Header Type: Custom

dpt Query Name: dest_port


Header Type: Predefined

duser Query Name: dest_user


Header Type: Predefined
Max Length: 1023

dntdom Query Name: dest_user_info.domain


Header Type: Predefined
Max Length: 255

dusername, duser Query Name: dest_user_info.name


Header Type: Predefined
Max Length: 255

duid Query Name: dest_user_info.uuid


Header Type: Predefined
Max Length: 255

PanOSDestinationUUID Query Name: dest_uuid


Header Type: Custom


PanOSDGHierarchyLevel1 Query Name: dg_hier_level_1


Header Type: Custom

PanOSDGHierarchyLevel2 Query Name: dg_hier_level_2


Header Type: Custom

PanOSDGHierarchyLevel3 Query Name: dg_hier_level_3


Header Type: Custom

PanOSDGHierarchyLevel4 Query Name: dg_hier_level_4


Header Type: Custom

flexString2 Query Name: direction_of_attack.value


Header Type: Predefined
Label: flexString2Label
Label Text: DirectionOfAttack
Max Length: 1023

PanOSDynamicUserGroupName Query Name: dynusergroup_name


Header Type: Custom

PanOSEndpointSerialNumber Query Name: endpoint_serial_number


Header Type: Custom

PanOSFileURL Query Name: file_url


Header Type: Custom

FlowType Query Name: flow_type.value


Header Type: Custom

cs4 Query Name: from_zone


Header Type: Predefined
Label: cs4Label
Label Text: FromZone
Max Length: 4000

PanOSHostID Query Name: gp_host_id


Header Type: Custom


PanOSHTTP2Connection Query Name: http2_connection


Header Type: Custom

PanOSHTTPHeaders Query Name: http_headers


Header Type: Custom

requestMethod Query Name: http_method.value


Header Type: Predefined
Max Length: 1023

deviceInboundInterface Query Name: inbound_if.value


Header Type: Predefined
Max Length: 128

PanOSInboundInterfaceDetailsPort Query Name: inbound_if_details.port


Header Type: Custom

PanOSInboundInterfaceDetailsSlot Query Name: inbound_if_details.slot


Header Type: Custom

PanOSInboundInterfaceDetailsType Query Name: inbound_if_details.type.value


Header Type: Custom

PanOSInboundInterfaceDetailsUnit Query Name: inbound_if_details.unit


Header Type: Custom

PanOSInlineMLVerdict Query Name: inline_ml_verdict.value


Header Type: Custom

PanOSCaptivePortal Query Name: is_captive_portal


Header Type: Custom

PanOSIsClienttoServer Query Name: is_client_to_server


Header Type: Custom

PanOSIsContainer Query Name: is_container


Header Type: Custom

PanOSIsDecryptMirror Query Name: is_decrypt_mirror


Header Type: Custom

PanOSIsDecrypted Query Name: is_decrypted


Header Type: Custom

PanOSIsDuplicateLog Query Name: is_dup_log


Header Type: Custom

PanOSIsEncrypted Query Name: is_encrypted


Header Type: Custom

PanOSLogExported Query Name: is_exported


Header Type: Custom

PanOSLogForwarded Query Name: is_forwarded


Header Type: Custom

PanOSIsIPV6 Query Name: is_ipv6


Header Type: Custom

PanOSIsMptcpOn Query Name: is_mptcp_on


Header Type: Custom

PanOSNAT Query Name: is_nat


Header Type: Custom

PanOSIsNonStandardDestinationPort Query Name: is_non_std_dest_port


Header Type: Custom

PanOSIsPacketCapture Query Name: is_packet_capture


Header Type: Custom

PanOSIsPhishing Query Name: is_phishing


Header Type: Custom

PanOSIsPrismaNetwork Query Name: is_prisma_branch


Header Type: Custom

PanOSIsPrismaUsers Query Name: is_prisma_mobile


Header Type: Custom


PanOSIsProxy Query Name: is_proxy


Header Type: Custom

PanOSIsReconExcluded Query Name: is_recon_excluded


Header Type: Custom

PanOSIsSaaSApplication Query Name: is_saas_app


Header Type: Custom

PanOSIsServertoClient Query Name: is_server_to_client


Header Type: Custom

PanOSIsSourceXForwarded Query Name: is_source_x_fwded


Header Type: Custom

PanOSIsSystemReturn Query Name: is_sym_return


Header Type: Custom

PanOSIsTransaction Query Name: is_transaction


Header Type: Custom

PanOSIsTunnelInspected Query Name: is_tunnel_inspected


Header Type: Custom

PanOSIsURLDenied Query Name: is_url_denied


Header Type: Custom

PanOSLocation Query Name: location


Header Type: Custom

cs6 Query Name: log_set


Header Type: Predefined
Label: cs6Label
Label Text: LogSetting
Max Length: 4000

PanOSLogSource Query Name: log_source


Header Type: Custom


LogSourceGroupID Query Name: log_source_group_id


Header Type: Custom
Max Length: 255

deviceExternalId Query Name: log_source_id


Header Type: Predefined
Max Length: 255

dvchost Query Name: log_source_name


Header Type: Predefined
Max Length: 100

PanOSLogSourceTimeZoneOffset Query Name: log_source_tz_offset


Header Type: Custom

rt Query Name: log_time


Header Type: Predefined

Device Event Class ID Query Name: log_type.value


Header Type: Custom

PanOSIMEI Query Name: monitor_tag_imei


Header Type: Custom

destinationTranslatedAddress Query Name: nat_dest.value


Header Type: Predefined

destinationTranslatedPort Query Name: nat_dest_port


Header Type: Predefined

sourceTranslatedAddress Query Name: nat_source.value


Header Type: Predefined

sourceTranslatedPort Query Name: nat_source_port


Header Type: Predefined

PanOSNonStandardDestinationPort Query Name: non_standard_dest_port


Header Type: Custom


PanOSNSSAINetworkSliceType Query Name: nssai_network_slice_type.value


Header Type: Custom

deviceOutboundInterface Query Name: outbound_if.value


Header Type: Predefined
Max Length: 128

PanOSOutboundInterfaceDetailsPort Query Name: outbound_if_details.port


Header Type: Custom

PanOSOutboundInterfaceDetailsSlot Query Name: outbound_if_details.slot


Header Type: Custom

PanOSOutboundInterfaceDetailsType Query Name: outbound_if_details.type.value


Header Type: Custom

PanOSOutboundInterfaceDetailsUnit Query Name: outbound_if_details.unit


Header Type: Custom

PanOSPanoramaSN Query Name: panorama_serial


Header Type: Custom

PanOSParentSessionID Query Name: parent_session_id


Header Type: Custom

PanOSParentStarttime Query Name: parent_start_time


Header Type: Custom

PanOSPacket Query Name: pcap


Header Type: Custom

fileId Query Name: pcap_id


Header Type: Predefined
Max Length: 1023

PlatformType Query Name: platform_type


Header Type: Custom

PanOSContainerName Query Name: pod_name


Header Type: Custom

PanOSContainerNameSpace Query Name: pod_namespace


Header Type: Custom

proto Query Name: protocol.value


Header Type: Predefined
Max Length: 31

PanOSReferer Query Name: referer


Header Type: Custom

PanOSHTTPRefererFQDN Query Name: referer_fqdn


Header Type: Custom

PanOSHTTPRefererPort Query Name: referer_port


Header Type: Custom

PanOSHTTPRefererProtocol Query Name: referer_protocol.value


Header Type: Custom

PanOSHTTPRefererURLPath Query Name: referer_url_path


Header Type: Custom

PanOSApplicationRisk Query Name: risk_of_app


Header Type: Custom

cs1 Query Name: rule_matched


Header Type: Predefined
Label: cs1Label
Label Text: Rule
Max Length: 4000

PanOSRuleUUID Query Name: rule_matched_uuid


Header Type: Custom

PanOSSanctionedStateofApp Query Name: sanctioned_state_of_app


Header Type: Custom


externalId Query Name: sequence_no


Header Type: Predefined
Max Length: 40

cn1 Query Name: session_id


Header Type: Predefined
Label: cn1Label
Label Text: SessionID

PanOSSeverity Query Name: severity


Header Type: Custom

PanOSSigFlags Query Name: sig_flags


Header Type: Custom

PanOSSourceDeviceCategory Query Name: source_device_category


Header Type: Custom

PanOSSourceDeviceClass Query Name: source_device_class


Header Type: Custom

PanOSSourceDeviceHost Query Name: source_device_host


Header Type: Custom

PanOSSourceDeviceMac Query Name: source_device_mac


Header Type: Custom

PanOSSourceDeviceModel Query Name: source_device_model


Header Type: Custom

PanOSSourceDeviceOS Query Name: source_device_os


Header Type: Custom

PanOSSourceDeviceOSFamily Query Name: source_device_osfamily


Header Type: Custom

PanOSSourceDeviceOSVersion Query Name: source_device_osversion


Header Type: Custom


PanOSSourceDeviceProfile Query Name: source_device_profile


Header Type: Custom

PanOSSourceDeviceVendor Query Name: source_device_vendor


Header Type: Custom

PanOSSourceDynamicAddressGroup Query Name: source_dynamic_address_group


Header Type: Custom

PanOSSourceEDL Query Name: source_edl


Header Type: Custom

src or c6a2 Query Name: source_ip.value


Header Type: Predefined
Label: || c6a2Label
Label Text: || Source IPv6 Address

PanOSSourceLocation Query Name: source_location


Header Type: Custom

spt Query Name: source_port


Header Type: Predefined

suser Query Name: source_user


Header Type: Predefined
Max Length: 1023

sntdom Query Name: source_user_info.domain


Header Type: Predefined
Max Length: 1023

susername, suser Query Name: source_user_info.name


Header Type: Predefined
Max Length: 1023

suid Query Name: source_user_info.uuid


Header Type: Predefined
Max Length: 1023


PanOSSourceUUID Query Name: source_uuid


Header Type: Custom

Name Query Name: sub_type.value


Header Type: Custom

PanOSApplicationTechnology Query Name: technology_of_app


Header Type: Custom

start Query Name: time_generated


Header Type: Predefined

PanOSTimeGeneratedHighResolution Query Name: time_generated_high_res


Header Type: Custom

cs5 Query Name: to_zone


Header Type: Predefined
Label: cs5Label
Label Text: ToZone
Max Length: 4000

PanOSTunnel Query Name: tunnel.value


Header Type: Custom

PanOSTunneledApplication Query Name: tunneled_app


Header Type: Custom

PanOSIMSI Query Name: tunnelid_imsi


Header Type: Custom

request Query Name: uri


Header Type: Predefined
Max Length: 1023

cs2 Query Name: url_category.value


Header Type: Predefined
Label: cs2Label
Label Text: URLCategory
Max Length: 4000

PanOSURLCategoryList Query Name: url_category_list


Header Type: Custom

PanOSURLDomain Query Name: url_domain


Header Type: Custom

PanOSURLCounter Query Name: url_idx


Header Type: Custom

requestClientApplication Query Name: user_agent


Header Type: Predefined
Max Length: 1023

PanOSUsers Query Name: users


Header Type: Custom

Device Vendor Query Name: vendor_name


Header Type: Custom

PanOSVendorSeverity Query Name: vendor_severity.value


Header Type: Custom

cs3 Query Name: vsys


Header Type: Predefined
Label: cs3Label
Label Text: VirtualLocation
Max Length: 4000

PanOSVirtualSystemID Query Name: vsys_id


Header Type: Custom

PanOSVirtualSystemName Query Name: vsys_name


Header Type: Custom

PanOSX-Forwarded-For Query Name: xff


Header Type: Custom


PanOSX-Forwarded-ForIP Query Name: xff_ip.value


Header Type: Custom
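The CEF example and the table above together define what a collector has to do with a forwarded URL record: split the seven pipe-separated header fields, split the extension on key= tokens (values such as "server to client" contain spaces and many values are empty), then rename the predefined CEF keys to query names and confirm that the generic csN/cnN/flexString slots carry the documented label before trusting them. The following parser is an added example, not Palo Alto Networks code; the sample line is constructed in the shape of the example above with placeholder addresses and serial number, and CEF_TO_QUERY is a subset of the table.

```python
import re

# Added example (not Palo Alto Networks code): parse a Log Forwarding CEF URL record and
# rename its keys to the Cortex Data Lake query names from the "URL CEF Fields" table.

# Predefined CEF names -> query names, copied from the table above (subset).
# Custom PanOS* names are already unique, so they pass through unchanged.
CEF_TO_QUERY = {
    "act": "action.value", "app": "app", "rt": "log_time", "start": "time_generated",
    "deviceExternalId": "log_source_id", "dvchost": "log_source_name", "cnt": "count_of_repeats",
    "src": "source_ip.value", "dst": "dest_ip.value", "spt": "source_port", "dpt": "dest_port",
    "sourceTranslatedAddress": "nat_source.value", "sourceTranslatedPort": "nat_source_port",
    "destinationTranslatedAddress": "nat_dest.value", "destinationTranslatedPort": "nat_dest_port",
    "suser": "source_user", "duser": "dest_user", "sntdom": "source_user_info.domain",
    "proto": "protocol.value", "request": "uri", "requestMethod": "http_method.value",
    "requestContext": "content_type", "requestClientApplication": "user_agent",
    "externalId": "sequence_no", "fileId": "pcap_id",
    "deviceInboundInterface": "inbound_if.value", "deviceOutboundInterface": "outbound_if.value",
    "cs1": "rule_matched", "cs2": "url_category.value", "cs3": "vsys", "cs4": "from_zone",
    "cs5": "to_zone", "cs6": "log_set", "cn1": "session_id",
    "flexString2": "direction_of_attack.value",
}

# Label text the table documents for the generic csN/cnN/flexString slots. A record whose
# label differs was not produced by this schema version, and a positional SIEM mapping
# would silently file the value under the wrong name.
DOCUMENTED_LABELS = {
    "cs1": "Rule", "cs2": "URLCategory", "cs3": "VirtualLocation", "cs4": "FromZone",
    "cs5": "ToZone", "cs6": "LogSetting", "cn1": "SessionID", "flexString2": "DirectionOfAttack",
}

HEADER_KEYS = ("cef_version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")                        # unescaped pipe = header separator
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")  # "key=" at start or after whitespace
_ESCAPES = {"n": "\n", "r": "\r"}                       # \=, \|, \\ map to the literal char


def _unescape(text: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)


def parse_extension(ext: str) -> dict:
    """Split 'k=v k2=v v' into a dict. Values may contain spaces and may be empty, so a
    value runs from its '=' up to the next whitespace-preceded 'key=' token."""
    fields, keys = {}, list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> dict:
    """Parse one forwarded line (syslog transport prefix + CEF header + extension)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    parts = _PIPE.split(line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields before the extension")
    header = dict(zip(HEADER_KEYS, (_unescape(p) for p in parts[:7])))
    return {"header": header, "extension": parse_extension(parts[7])}


def to_query_fields(parsed: dict) -> dict:
    """Rename CEF keys to query names. Header fields map per the table: Device Vendor ->
    vendor_name, Device Event Class ID -> log_type.value, Name -> sub_type.value."""
    h = parsed["header"]
    out = {"vendor_name": h["device_vendor"], "log_type.value": h["signature_id"],
           "sub_type.value": h["name"]}
    for key, value in parsed["extension"].items():
        if not key.endswith("Label"):
            out[CEF_TO_QUERY.get(key, key)] = value
    return out


def check_labels(parsed: dict) -> list:
    """Return (slot, label seen, label documented) for each generic slot whose label differs."""
    ext = parsed["extension"]
    return [(slot, ext.get(slot + "Label"), want)
            for slot, want in DOCUMENTED_LABELS.items()
            if slot in ext and ext.get(slot + "Label") != want]


# Constructed sample in the shape of the CEF example above; addresses and serial are placeholders.
SAMPLE = (
    "Mar  1 20:48:23 xxx.xx.x.xx 4377 <14>1 2021-03-01T20:48:23.048Z "
    "stream-logfwd-harness logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|THREAT|url|1|"
    "rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx "
    "start=Mar 01 2021 20:48:16 src=192.0.2.10 dst=198.51.100.7 "
    "cs1=allow-business-apps cs1Label=Rule app=web-browsing cs3=vsys1 cs3Label=VirtualLocation "
    "cs4=trust cs4Label=FromZone cs5=untrust cs5Label=ToZone "
    "cn1=980296 cn1Label=SessionID cnt=1 spt=32350 dpt=443 proto=tcp act=block-url "
    "request=example.test/path?id\\=1 cs2=sports cs2Label=URLCategory "
    "flexString2=server to client flexString2Label=DirectionOfAttack "
    "externalId=1234567 requestClientApplication= PanOSSourceDeviceModel=Note 4G "
    "PanOSURLCategoryList=sports,11008,38340 PanOSX-Forwarded-For="
)

if __name__ == "__main__":
    record = parse_cef(SAMPLE)
    for name, value in to_query_fields(record).items():
        print(f"{name} = {value!r}")
    print("label mismatches:", check_labels(record))
```

An unescaped "=" inside a value (the spec requires "\=") would be read as the start of a new key, which is the same failure any CEF collector has; the escaped "id\=1" in the sample shows the compliant form.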

URL EMAIL Fields


Example URL log in EMAIL:

TimeReceived=2021-02-22T04:52:19.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=THREAT
Subtype=url
ConfigVersion=10.0
TimeGenerated=2021-02-22T04:51:55.000000Z
SourceAddress=xxx.xx.x.xx
DestinationAddress=xxx.xx.x.xx
NATSource=xxx.xx.x.xx
NATDestination=
Rule=deny-time-wasters
SourceUser="xxxxx\xxxxx o\"'\"test"
DestinationUser="paloaltonetwork\xxxxx"
Application=rhapsody
VirtualLocation=vsys1
FromZone=ethernet4Zone-test2
ToZone=untrust
InboundInterface=unknown
OutboundInterface=ethernet1/3
LogSetting=rs-logging
SessionID=837029
RepeatCount=1
SourcePort=21038
DestinationPort=24789
NATSourcePort=27050
NATDestinationPort=432
Protocol=tcp
Action=reset-client
URL=?
URLCategory=travel
VendorSeverity=Informational
DirectionOfAttack=server to client
SequenceNo=2638701702
SourceLocation=US
DestinationLocation=dallas
ContentType=application/foo
PacketID=0
URLCounter=1
UserAgent=
X-Forwarded-For=
Referer=
DGHierarchyLevel1=11
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=xxxxx
SourceUUID=
DestinationUUID=
HTTPMethod=post
IMSI=36
IMEI=xxxxx
ParentSessionID=6142
ParentStarttime=2021-02-22T04:51:49.000000Z
Tunnel=VXLAN
InlineMLVerdict=overflow
ContentVersion=50222
SigFlags=2
HTTPHeaders=
URLCategoryList=travel,11008,47022
RuleUUID=2fb8efd4-2f01-421d-a113-097992777432
HTTP2Connection=837029
DynamicUserGroupName=
X-Forwarded-ForIP=
SourceDeviceCategory=A-Phone
SourceDeviceProfile=a-profile
SourceDeviceModel=720P/60
SourceDeviceVendor=Samsung
SourceDeviceOSFamily=M4500
SourceDeviceOSVersion=Android v8
SourceDeviceHost=pan-123
SourceDeviceMac=264989591511
DestinationDeviceCategory=A-Phone
DestinationDeviceProfile=a-profile
DestinationDeviceModel=iPhone
DestinationDeviceVendor=Apple
DestinationDeviceOSFamily=9
DestinationDeviceOSVersion=iOS 9
DestinationDeviceHost=pan-233
DestinationDeviceMac=743514319696
ContainerID=1873cc5c-0d31
ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4
SourceEDL=
DestinationEDL=
HostID=1010101010
EndpointSerialNumber=xxxxxxxxxxxxxx
SourceDynamicAddressGroup=
DestinationDynamicAddressGroup=
TimeGeneratedHighResolution=2021-02-22T04:51:55.231000Z
NSSAINetworkSliceType=38

The following table identifies the URL field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.

EMAIL Name Query Name

Action action.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

CloudHostname cloud_hostname

CloudReportID cloud_reportid

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

ContentType content_type

ContentVersion content_version

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DirectionOfAttack direction_of_attack.value

DynamicUserGroupName dynusergroup_name

EndpointSerialNumber endpoint_serial_number

FileURL file_url

FlowType flow_type.value

FromZone from_zone

HostID gp_host_id

HTTP2Connection http2_connection

HTTPHeaders http_headers

HTTPMethod http_method.value

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

InlineMLVerdict inline_ml_verdict.value

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStarttime parent_start_time

Packet pcap

PacketID pcap_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

Protocol protocol.value

Referer referer

HTTPRefererFQDN referer_fqdn

HTTPRefererPort referer_port

HTTPRefererProtocol referer_protocol.value

HTTPRefererURLPath referer_url_path

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp, SanctionedStateofApp sanctioned_state_of_app

SequenceNo sequence_no

SessionID session_id

Severity severity

SigFlags sig_flags

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype sub_type.value

ApplicationTechnology technology_of_app

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

Tunnel tunnel.value

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URL uri

URLCategory url_category.value

URLCategoryList url_category_list

URLDomain url_domain

URLCounter url_idx

UserAgent user_agent

Users users

VendorName vendor_name

VendorSeverity vendor_severity.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

X-Forwarded-For xff

X-Forwarded-ForIP xff_ip.value

URL HTTPS Fields


The following table identifies the URL field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

Action action.value

Application app

ApplicationCategory app_category

ApplicationSubcategory app_sub_category

CloudHostname cloud_hostname

CloudReportID cloud_reportid

ConfigVersion config_version.value

ContainerID container_id

ApplicationContainer container_of_app

ContentType content_type

ContentVersion content_version

RepeatCount count_of_repeats

CortexDataLakeTenantID customer_id

DestinationDeviceCategory dest_device_category

DestinationDeviceClass dest_device_class

DestinationDeviceHost dest_device_host

DestinationDeviceMac dest_device_mac

DestinationDeviceModel dest_device_model

DestinationDeviceOS dest_device_os

DestinationDeviceOSFamily dest_device_osfamily

DestinationDeviceOSVersion dest_device_osversion

DestinationDeviceProfile dest_device_profile

DestinationDeviceVendor dest_device_vendor

DestinationDynamicAddressGroup dest_dynamic_address_group

DestinationEDL dest_edl

DestinationAddress dest_ip.value

DestinationLocation dest_location

DestinationPort dest_port

DestinationUser dest_user

DestinationUserDomain dest_user_info.domain

DestinationUserName dest_user_info.name

DestinationUserUUID dest_user_info.uuid

DestinationUUID dest_uuid

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

DirectionOfAttack direction_of_attack.value

DynamicUserGroupName dynusergroup_name

EndpointSerialNumber endpoint_serial_number

FileURL file_url

FlowType flow_type.value

FromZone from_zone

HostID gp_host_id

HTTP2Connection http2_connection

HTTPHeaders http_headers

HTTPMethod http_method.value

InboundInterface inbound_if.value

InboundInterfaceDetailsPort inbound_if_details.port

InboundInterfaceDetailsSlot inbound_if_details.slot

InboundInterfaceDetailsType inbound_if_details.type.value

InboundInterfaceDetailsUnit inbound_if_details.unit

InlineMLVerdict inline_ml_verdict.value

CaptivePortal is_captive_portal

IsClienttoServer is_client_to_server

IsContainer is_container

IsDecryptMirror is_decrypt_mirror

IsDecrypted is_decrypted

IsDuplicateLog is_dup_log

IsEncrypted is_encrypted

LogExported is_exported

LogForwarded is_forwarded

IsIPV6 is_ipv6

IsMptcpOn is_mptcp_on

NAT is_nat

IsNonStandardDestinationPort is_non_std_dest_port

IsPacketCapture is_packet_capture

IsPhishing is_phishing

IsPrismaNetwork is_prisma_branch

IsPrismaUsers is_prisma_mobile

IsProxy is_proxy

IsReconExcluded is_recon_excluded

IsSaaSApplication is_saas_app

IsServertoClient is_server_to_client

IsSourceXForwarded is_source_x_fwded

IsSystemReturn is_sym_return

IsTransaction is_transaction

IsTunnelInspected is_tunnel_inspected

IsURLDenied is_url_denied

Location location

LogSetting log_set

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

IMEI monitor_tag_imei

NATDestination nat_dest.value

NATDestinationPort nat_dest_port

NATSource nat_source.value

NATSourcePort nat_source_port

NonStandardDestinationPort non_standard_dest_port

NSSAINetworkSliceType nssai_network_slice_type.value

OutboundInterface outbound_if.value

OutboundInterfaceDetailsPort outbound_if_details.port

OutboundInterfaceDetailsSlot outbound_if_details.slot

OutboundInterfaceDetailsType outbound_if_details.type.value

OutboundInterfaceDetailsUnit outbound_if_details.unit

PanoramaSN panorama_serial

ParentSessionID parent_session_id

ParentStarttime parent_start_time

Packet pcap

PacketID pcap_id

PlatformType platform_type

ContainerName pod_name

ContainerNameSpace pod_namespace

Protocol protocol.value

Referer referer

HTTPRefererFQDN referer_fqdn

HTTPRefererPort referer_port

HTTPRefererProtocol referer_protocol.value

HTTPRefererURLPath referer_url_path

ApplicationRisk risk_of_app

Rule rule_matched

RuleUUID rule_matched_uuid

SanctionedStateOfApp, SanctionedStateofApp sanctioned_state_of_app

SequenceNo sequence_no

SessionID session_id

Severity severity

SigFlags sig_flags

SourceDeviceCategory source_device_category

SourceDeviceClass source_device_class

SourceDeviceHost source_device_host

SourceDeviceMac source_device_mac

SourceDeviceModel source_device_model

SourceDeviceOS source_device_os

SourceDeviceOSFamily source_device_osfamily

SourceDeviceOSVersion source_device_osversion

SourceDeviceProfile source_device_profile

SourceDeviceVendor source_device_vendor

SourceDynamicAddressGroup source_dynamic_address_group

SourceEDL source_edl

SourceAddress source_ip.value

SourceLocation source_location

SourcePort source_port

SourceUser source_user

SourceUserDomain source_user_info.domain

SourceUserName source_user_info.name

SourceUserUUID source_user_info.uuid

SourceUUID source_uuid

Subtype sub_type.value

ApplicationTechnology technology_of_app

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

ToZone to_zone

Tunnel tunnel.value

TunneledApplication tunneled_app

IMSI tunnelid_imsi

URL uri

URLCategory url_category.value

URLCategoryList url_category_list

URLDomain url_domain

URLCounter url_idx

UserAgent user_agent

Users users

VendorName vendor_name

VendorSeverity vendor_severity.value

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

X-Forwarded-For xff

X-Forwarded-ForIP xff_ip.value

URL LEEF Fields


Example URL log in LEEF:

Sep 21 01:52:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 2646 <14>1 2021-09-21T01:52:01.328Z stream-logfwd20-d324e775--09201841-lxtx-harness-w8bx logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|sports| |
TimeReceived=2021-09-21T01:52:00.000000Z DeviceSN=xxxxxxxxxxxxx cat=threat SubType=url
ConfigVersion=10.1 devTime=2021-09-21T01:51:58.000000Z
src=fe80:abcd:76cc:9802:d202:b3ff:fe1e:8329 dst=fe80:0:e426:5678:b202:b3ff:fe1e:8329
srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx Rule=deny-time-wasters
usrName=xxxxx\xxxxx o"'"test DestinationUser=paloaltonetwork\xxxxx Application=aerofs
VirtualLocation=vsys1 FromZone=ethernet4Zone-test3 ToZone=ethernet4Zone-test1
InboundInterface=ethernet1/1 OutboundInterface=ethernet1/2 LogSetting=rs-logging
SessionID=631434 RepeatCount=1 srcPort=29176 dstPort=20350 srcPostNATPort=2932
dstPostNATPort=7181 proto=tcp Action=reset-both
URL=www.this.is.another.wannabe.long.url.com/and/it/is/getting/there/by/adding/some/junk/at/the/end/of/the/url/dsakjhfskdjhfksjdhfkhk235hk2jh2kjhkhk23jhk5jh2435kjh45k3jh5k3j4h5k3h45kjh34kj5hk
VendorSeverity=Critical DirectionOfAttack=client to server SequenceNo=7003061085140561391
SourceLocation=AU DestinationLocation=west-coast ContentType=text/xml PacketID=0
URLCounter=1 UserAgent= identSrc= Referer=
DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0
VirtualSystemName= DeviceName=xxxxx SourceUUID= DestinationUUID= HTTPMethod=get
IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A
InlineMLVerdict=unknown ContentVersion=50207 SigFlags=0 HTTPHeaders=
URLCategoryList=sports,travel,health-and-medicine
RuleUUID=2fb8efd4-2f01-421d-a113-097992777432 HTTP2Connection=0 DynamicUserGroupName=
X-Forwarded-ForIP= SourceDeviceCategory=X-Phone SourceDeviceProfile=x-profile
SourceDeviceModel=Redmi SourceDeviceVendor=Xiaomi SourceDeviceOSFamily=5 Plus
SourceDeviceOSVersion=Android v8.2 SourceDeviceHost=pan-603 SourceDeviceMac=645701225660
DestinationDeviceCategory=X-Phone DestinationDeviceProfile=x-profile
DestinationDeviceModel=MI DestinationDeviceVendor=Xiaomi DestinationDeviceOSFamily=A1
DestinationDeviceOSVersion=Android v9.1 DestinationDeviceHost=pan-622
DestinationDeviceMac=207974153661 ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default
ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL= HostID=1010101010
EndpointSerialNumber=xxxxxxxxxxxxxx SourceDynamicAddressGroup= DestinationDynamicAddressGroup=
TimeGeneratedHighResolution=2021-09-21T01:51:58.764000Z NSSAINetworkSliceType=cf
devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the URL field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token
that the Log Forwarding app uses when it sends logs to the syslog server. If you configure
a profile token, it appears in the log line immediately after the log type information (for
example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a
parameter called profileToken.
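As an added example (not code from the Cortex Data Lake documentation or the Log Forwarding app), the following Python parses a forwarded LEEF line like the one above into its syslog header, LEEF header and attributes, and also the one-field-per-line EMAIL layout from the URL EMAIL section, renaming forwarded names to Query Names with a subset of the tables on this page. The sample lines are constructed from the page's placeholder values; the RFC 5424 header layout, the hex form of the LEEF 2.0 delimiter field and the \" unquoting rule for EMAIL values are assumptions drawn from the examples and the LEEF 2.0 convention, not something this page specifies.

```python
import re

# Constructed sample modeled on the page's "Example URL log in LEEF" (page placeholders
# kept, attribute list shortened): syslog prefix and octet count, RFC 5424 header, LEEF payload.
SAMPLE_LEEF_LINE = (
    "Sep 21 01:52:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 2646 "
    "<14>1 2021-09-21T01:52:01.328Z stream-logfwd20-d324e775--09201841-lxtx-harness-w8bx "
    "logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|sports| |"
    "TimeReceived=2021-09-21T01:52:00.000000Z DeviceSN=xxxxxxxxxxxxx cat=threat SubType=url "
    "devTime=2021-09-21T01:51:58.000000Z src=fe80:abcd:76cc:9802:d202:b3ff:fe1e:8329 "
    "dst=fe80:0:e426:5678:b202:b3ff:fe1e:8329 Rule=deny-time-wasters usrName=xxxxx\\xxxxx o\"'\"test "
    "Application=aerofs srcPort=29176 dstPort=20350 proto=tcp Action=reset-both "
    "VendorSeverity=Critical DirectionOfAttack=client to server SourceDeviceOSFamily=5 Plus "
    "SourceDeviceOSVersion=Android v8.2 UserAgent= identSrc= Referer= "
    "RuleUUID=2fb8efd4-2f01-421d-a113-097992777432 devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)

# Constructed EMAIL-format excerpt (one Name=value per line, as on the page): only values with
# special characters are double-quoted, embedded quotes become \" and other backslashes stay literal.
SAMPLE_EMAIL_TEXT = r"""TimeReceived=2021-02-22T04:52:19.000000Z
LogType=THREAT
SourceUser="xxxxx\xxxxx o\"'\"test"
DestinationUser="paloaltonetwork\xxxxx"
URL=?
X-Forwarded-For=
"""

# Forwarded name -> Query Name for keys whose forwarded name differs from the query name, taken
# from the page's URL LEEF and EMAIL tables; other keys keep their forwarded name (extend as needed).
QUERY_NAMES = {
    "cat": "log_type.value", "LogType": "log_type.value", "devTime": "time_generated",
    "src": "source_ip.value", "dst": "dest_ip.value", "srcPort": "source_port",
    "dstPort": "dest_port", "proto": "protocol.value", "usrName": "source_user",
    "SourceUser": "source_user", "DestinationUser": "dest_user", "identSrc": "xff",
    "X-Forwarded-For": "xff", "EventID": "url_category.value", "TimeReceived": "log_time",
    "DeviceSN": "log_source_id", "URL": "uri", "Action": "action.value",
}

KEY_BOUNDARY = re.compile(r"\s+(?=[A-Za-z][\w.\-]*=)")
SYSLOG_5424 = re.compile(
    r"<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?=LEEF:)"
)

def resolve_delimiter(spec: str) -> str:
    """LEEF 2.0 names its attribute delimiter literally or as hex ("x09", "0x09")."""
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{1,4})", spec)
    return chr(int(m.group(1), 16)) if m else spec

def parse_leef_line(line: str) -> dict:
    """Split a forwarded LEEF line into syslog metadata, LEEF header and query-named fields."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF payload in line")
    result = {"syslog": {}, "leef": {}, "fields": {}}
    m = SYSLOG_5424.search(line[:start + 5])
    if m:  # PRI = facility * 8 + severity: <14> is facility 1 (user), severity 6 (info)
        result["syslog"] = {k: v for k, v in m.groupdict().items() if k != "pri"}
        result["syslog"].update(facility=int(m["pri"]) >> 3, severity=int(m["pri"]) & 7)
    payload = line[start:]
    version = payload[5:payload.index("|")]
    n_header = 6 if version.startswith("2") else 5  # LEEF 1.0 has no delimiter field
    parts = payload.split("|", n_header)
    if len(parts) <= n_header:
        raise ValueError("malformed LEEF header")
    result["leef"] = {"version": version, "vendor": parts[1], "product": parts[2],
                      "product_version": parts[3], "event_id": parts[4]}
    delimiter = resolve_delimiter(parts[5]) if n_header == 6 else "\t"
    if delimiter.strip() == "":
        # The page's example declares a single space as delimiter while values such as
        # "client to server" also contain spaces, so split only where whitespace is followed
        # by a key and '='. A value containing a "word=" token would still mis-split.
        tokens = KEY_BOUNDARY.split(parts[n_header].strip())
    else:
        tokens = [t for t in parts[n_header].split(delimiter) if t]
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:  # a stray token without '=' is skipped instead of dropping the event
            fields[QUERY_NAMES.get(key, key)] = value
    # Per the LEEF table the EventID header slot is url_category.value and the vendor slot vendor_name.
    fields.setdefault("url_category.value", parts[4])
    fields.setdefault("vendor_name", parts[1])
    result["fields"] = fields
    return result

def parse_email_fields(text: str) -> dict:
    """Parse the one-Name=value-per-line EMAIL layout, removing the quoting shown above."""
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep:
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            fields[QUERY_NAMES.get(key, key)] = value
    return fields
```

If a profile token is configured it arrives as the profileToken attribute and lands in the returned fields under that name.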

LEEF Name Query Name Field Type

Action action.value Custom

Application app Custom

ApplicationCategory app_category Custom

ApplicationSubcategory app_sub_category Custom

CloudHostname cloud_hostname Custom

CloudReportID cloud_reportid Custom

ConfigVersion config_version.value Custom

ContainerID container_id Custom

ApplicationContainer container_of_app Custom

ContentType content_type Custom

ContentVersion content_version Custom

RepeatCount count_of_repeats Custom

CortexDataLakeTenantID customer_id Custom

DestinationDeviceCategory dest_device_category Custom

DestinationDeviceClass dest_device_class Custom

DestinationDeviceHost dest_device_host Custom

DestinationDeviceMac dest_device_mac Custom

DestinationDeviceModel dest_device_model Custom

DestinationDeviceOS dest_device_os Custom

DestinationDeviceOSFamily dest_device_osfamily Custom

DestinationDeviceOSVersion dest_device_osversion Custom

DestinationDeviceProfile dest_device_profile Custom

DestinationDeviceVendor dest_device_vendor Custom

DestinationDynamicAddressGroup dest_dynamic_address_group Custom

DestinationEDL dest_edl Custom

dst dest_ip.value Predefined

DestinationLocation dest_location Custom

dstPort dest_port Predefined

DestinationUser dest_user Custom

DestinationUserDomain dest_user_info.domain Custom

DestinationUserName dest_user_info.name Custom

DestinationUserUUID dest_user_info.uuid Custom

DestinationUUID dest_uuid Custom

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

DirectionOfAttack direction_of_attack.value Custom

DynamicUserGroupName dynusergroup_name Custom

EndpointSerialNumber endpoint_serial_number Custom

FileURL file_url Custom

FlowType flow_type.value Custom

FromZone from_zone Custom

HostID gp_host_id Custom

HTTP2Connection http2_connection Custom

HTTPHeaders http_headers Custom

HTTPMethod http_method.value Custom

InboundInterface inbound_if.value Custom

InboundInterfaceDetailsPort inbound_if_details.port Custom

InboundInterfaceDetailsSlot inbound_if_details.slot Custom

InboundInterfaceDetailsType inbound_if_details.type.value Custom

InboundInterfaceDetailsUnit inbound_if_details.unit Custom

InlineMLVerdict inline_ml_verdict.value Custom

CaptivePortal is_captive_portal Custom

IsClienttoServer is_client_to_server Custom

IsContainer is_container Custom

IsDecryptMirror is_decrypt_mirror Custom

IsDecrypted is_decrypted Custom

IsDuplicateLog is_dup_log Custom

IsEncrypted is_encrypted Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsIPV6 is_ipv6 Custom

IsMptcpOn is_mptcp_on Custom

NAT is_nat Custom

IsNonStandardDestinationPort is_non_std_dest_port Custom

IsPacketCapture is_packet_capture Custom

IsPhishing is_phishing Custom

IsPrismaNetwork is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

IsProxy is_proxy Custom

IsReconExcluded is_recon_excluded Custom

IsSaaSApplication is_saas_app Custom

IsServertoClient is_server_to_client Custom

IsSourceXForwarded is_source_x_fwded Custom

IsSystemReturn is_sym_return Custom

IsTransaction is_transaction Custom

IsTunnelInspected is_tunnel_inspected Custom

IsURLDenied is_url_denied Custom

Location location Custom

LogSetting log_set Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

IMEI monitor_tag_imei Custom

dstPostNAT nat_dest.value Predefined

dstPostNATPort nat_dest_port Predefined

srcPostNAT nat_source.value Predefined

srcPostNATPort nat_source_port Predefined

NonStandardDestinationPort non_standard_dest_port Custom

NSSAINetworkSliceType nssai_network_slice_type.value Custom

OutboundInterface outbound_if.value Custom

OutboundInterfaceDetailsPort outbound_if_details.port Custom

OutboundInterfaceDetailsSlot outbound_if_details.slot Custom

OutboundInterfaceDetailsType outbound_if_details.type.value Custom

OutboundInterfaceDetailsUnit outbound_if_details.unit Custom

PanoramaSN panorama_serial Custom

ParentSessionID parent_session_id Custom

ParentStarttime parent_start_time Custom

Packet pcap Custom

PacketID pcap_id Custom

PlatformType platform_type Custom

ContainerName pod_name Custom

ContainerNameSpace pod_namespace Custom

proto protocol.value Predefined

Referer referer Custom

HTTPRefererFQDN referer_fqdn Custom

HTTPRefererPort referer_port Custom

HTTPRefererProtocol referer_protocol.value Custom

HTTPRefererURLPath referer_url_path Custom

ApplicationRisk risk_of_app Custom

Rule rule_matched Custom

RuleUUID rule_matched_uuid Custom

SanctionedStateofApp sanctioned_state_of_app Custom

SequenceNo sequence_no Custom

SessionID session_id Custom

Severity severity Custom

SigFlags sig_flags Custom

SourceDeviceCategory source_device_category Custom

SourceDeviceClass source_device_class Custom

SourceDeviceHost source_device_host Custom

SourceDeviceMac source_device_mac Custom

SourceDeviceModel source_device_model Custom

SourceDeviceOS source_device_os Custom

SourceDeviceOSFamily source_device_osfamily Custom

SourceDeviceOSVersion source_device_osversion Custom

SourceDeviceProfile source_device_profile Custom

SourceDeviceVendor source_device_vendor Custom

SourceDynamicAddressGroup source_dynamic_address_group Custom

SourceEDL source_edl Custom

src source_ip.value Predefined

SourceLocation source_location Custom

srcPort source_port Predefined

usrName source_user Predefined

SourceUserDomain source_user_info.domain Custom

SourceUserName source_user_info.name Custom

SourceUserUUID source_user_info.uuid Custom

SourceUUID source_uuid Custom

SubType sub_type.value Custom

ApplicationTechnology technology_of_app Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

ToZone to_zone Custom

Tunnel tunnel.value Custom

TunneledApplication tunneled_app Custom

IMSI tunnelid_imsi Custom

URL uri Custom

EventID url_category.value Header

URLCategoryList url_category_list Custom

URLDomain url_domain Custom

URLCounter url_idx Custom

UserAgent user_agent Custom

Users users Custom

Vendor vendor_name Header

VendorSeverity vendor_severity.value Custom

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom

identSrc xff Predefined

X-Forwarded-ForIP xff_ip.value Custom

UserID
User ID logs contain IP address-to-username mappings, authentication timestamps, the sources of
the IP-to-username mappings, and so forth.
Next-generation firewalls can be configured to perform IP-to-username mappings for a network
session. This mapping requires a variety of techniques so that users in all locations, regardless of
access method or operating system, can be identified by the firewall. In addition to allowing the
firewall to map an IP address to a username, this integration also allows the firewall to recognize
when a user has logged in or logged out of a networked resource.
User-ID logs are generated whenever a user authentication event occurs using a resource to
which the firewall has visibility. For example, a User-ID agent can be installed on the network so
that the firewall has visibility to authentication events on domain controllers, Microsoft Exchange
servers, or even Windows clients.
See the following for information related to supported log formats:
• UserID Syslog Default Field Order
• UserID CEF Fields
• UserID EMAIL Fields
• UserID HTTPS Fields
• UserID LEEF Fields

USERID Field Description
(Display Name)

auth_completion_time Time when the authentication was completed. This
string contains a timestamp value that is the number of
microseconds since the Unix epoch.
(AUTH COMPLETION TIME)
Syslog field name: Syslog Field Order
CEF field name: end
EMAIL field name: AuthCompletionTime
HTTPS field name: AuthCompletionTime
LEEF field name: AuthCompletionTime

auth_factor_num Indicates the use of primary authentication (1) or
additional factors (2, 3).
(AUTH FACTOR NO)
Syslog field name: Syslog Field Order
CEF field name: cn1
EMAIL field name: AuthFactorNo
HTTPS field name: AuthFactorNo
LEEF field name: AuthFactorNo

authenticated_user_info.domain Domain to which the user who is being authenticated
belongs.
(AUTHENTICATED USER DOMAIN)
CEF field name: dntdom
EMAIL field name: AuthenticatedUserDomain
HTTPS field name: AuthenticatedUserDomain
LEEF field name: AuthenticatedUserDomain

authenticated_user_info.name Name of the user who is being authenticated.
(AUTHENTICATED USER NAME)
CEF field name: duser
EMAIL field name: AuthenticatedUserName
HTTPS field name: AuthenticatedUserName
LEEF field name: AuthenticatedUserName

authenticated_user_info.uuid Unique identifier assigned to the user who is being
authenticated.
(AUTHENTICATED USER UUID)
CEF field name: duid
EMAIL field name: AuthenticatedUserUUID
HTTPS field name: AuthenticatedUserUUID
LEEF field name: AuthenticatedUserUUID

config_version.value Version number of the firewall operating system that
wrote this log record.
(CONFIG VERSION)
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion

count_of_repeats Number of sessions with same Source IP, Destination
IP, Application, and Content/Threat Type seen for the
summary interval.
(REPEAT COUNT)
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: All of the following: RepeatCount,
CountofRepeats
HTTPS field name: All of the following: RepeatCount,
CountofRepeats
LEEF field name: CountofRepeats

customer_id The ID that uniquely identifies the Cortex Data Lake
instance which received this log record.
(CORTEX DATA LAKE TENANT ID)
CEF field name: PanOSCortexDataLakeTenantID
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID

dest_port Network traffic's destination port. If this value is 0, then
the app is using its standard port.
(DESTINATION PORT)
Syslog field name: Syslog Field Order
CEF field name: dpt
EMAIL field name: DestinationPort
HTTPS field name: DestinationPort
LEEF field name: dstPort

dg_hier_level_1 A sequence of identification numbers that indicate the
device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 1)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1

dg_hier_level_2 A sequence of identification numbers that indicate the
device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 2)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2

dg_hier_level_3 A sequence of identification numbers that indicate the
device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 3)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3

dg_hier_level_4 A sequence of identification numbers that indicate the
device group’s location within a device group hierarchy.
(DG HIERARCHY LEVEL 4)
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4

event_id The event's unique identifier.
(EVENT ID)
Syslog field name: Syslog Field Order
CEF field name: cat
EMAIL field name: EventID
HTTPS field name: EventID
LEEF field name: EventIdName

is_dup_log Indicates whether this log data is available in multiple
locations, such as from Cortex Data Lake as well as from
an on-premise log collector.
(IS DUPLICATE LOG)
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog

is_duplicate_user Indicates whether duplicate users were found in a user
group.
(IS DUPLICATE USER)
CEF field name: PanOSIsDuplicateUser
EMAIL field name: IsDuplicateUser
HTTPS field name: IsDuplicateUser
LEEF field name: IsDuplicateUser

is_exported Indicates if this log was exported from the firewall using
the firewall's log export function.
(LOG EXPORTED)
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported

is_forwarded Internal-use field that indicates if the log is being
forwarded.
(LOG FORWARDED)
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded

is_prisma_branch Internal-use field. If set to 1, the log was generated on
a cloud-based firewall. If 0, the firewall was running on-premise.
(IS PRISMA NETWORKS)
CEF field name: PanOSIsPrismaNetworks
EMAIL field name: IsPrismaNetworks
HTTPS field name: IsPrismaNetworks
LEEF field name: IsPrismaNetworks

is_prisma_mobile Internal use field. If set to 1, the log record was


generated using a cloud-based GlobalProtect instance.
(IS PRISMA USERS)
If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers

log_source Identifies the origin of the data. That is, the system that
produced the data.
(LOG SOURCE)
CEF field name: PanOSLogSource

Cortex Data Lake Schema Reference January 2024 753 ©2024 Palo Alto Networks, Inc.
Network Logs

USERID Field Description


(Display Name)
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource

log_source_group_id ID that uniquely identifies the logSourceGroupId of the


log. That is, the log_source_id of the group.
(LOG SOURCE GROUP ID)
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID

log_source_id ID that uniquely identifies the source of the log. That is,
the serial number of the firewall that generated the log.
(DEVICE SN)
If the log is generated by Prisma Access, the serial
number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN

log_source_name Name of the source of the log. That is, the hostname of
the firewall that logged the network traffic.
(DEVICE NAME)
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName

log_source_tz_offset Time Zone offset from GMT of the source of the log.
(LOG SOURCE TIMEZONE OFFSET) CEF field name: PanOSLogSourceTimeZoneOffset
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset

Cortex Data Lake Schema Reference January 2024 754 ©2024 Palo Alto Networks, Inc.
Network Logs

USERID Field Description


(Display Name)

log_time Time the log was received in Cortex Data Lake. This
string contains a timestamp value that is the number of
(TIME RECEIVED)
microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived

log_type.value Identifies the log type.


(LOG TYPE) Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat

mapping_data_source.value Source from which mapping information is collected.


(MAPPING DATA SOURCE) Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: MappingDataSource
HTTPS field name: MappingDataSource
LEEF field name: MappingDataSource

mapping_data_source_name User-ID source that sends the IP (Port)-User Mapping.


(MAPPING DATA SOURCE NAME) Syslog field name: Syslog Field Order
CEF field name: cs4
EMAIL field name: MappingDataSourceName
HTTPS field name: MappingDataSourceName
LEEF field name: MappingDataSourceName

mapping_data_source_type.value Mechanism used to identify the IP/User mappings


within a data source.
(MAPPING DATA SOURCE TYPE)
Syslog field name: Syslog Field Order
CEF field name: cs6

Cortex Data Lake Schema Reference January 2024 755 ©2024 Palo Alto Networks, Inc.
Network Logs

USERID Field Description


(Display Name)
EMAIL field name: MappingDataSourceType
HTTPS field name: MappingDataSourceType
LEEF field name: MappingDataSourceType

mapping_timeout Timeout interval after which the IP/User Mappings are


cleared.
(MAPPING TIMEOUT)
Syslog field name: Syslog Field Order
CEF field name: cn3
EMAIL field name: MappingTimeout
HTTPS field name: MappingTimeout
LEEF field name: MappingTimeout

mfa_factor_type The vendor used to authenticate a user when multi-


factor authentication is present.
(MFA FACTOR TYPE)
Syslog field name: Syslog Field Order
CEF field name: cs1
EMAIL field name: MFAFactorType
HTTPS field name: MFAFactorType
LEEF field name: MFAFactorType

panorama_serial Panorama Serial associated with CDL.


(PANORAMA SN) CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN

platform_type The platform type (Valid types are VM, PA, NGFW,
CNGFW).
(PLATFORM TYPE)
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType

sequence_no The log entry identifier, which is incremented


sequentially. Each log type has a unique number space.
(SEQUENCE NO)
Syslog field name: Syslog Field Order

Cortex Data Lake Schema Reference January 2024 756 ©2024 Palo Alto Networks, Inc.
Network Logs

USERID Field Description


(Display Name)
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo

source_ip.value Original source IP address.


(SOURCE IP) Syslog field name: Syslog Field Order
CEF fields: src and dst, or c6a2 and c6a3
EMAIL field name: SourceIP
HTTPS field name: SourceIP
LEEF field name: src

source_port Source port utilized by the session.


(SOURCE PORT) Syslog field name: Syslog Field Order
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort

sub_type.value Identifies the log subtype.


(SUBTYPE) Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: EventID

tag_name The tag mapped to the user.


(TAG) Syslog field name: Syslog Field Order
CEF field name: PanOSTag
EMAIL field name: Tag
HTTPS field name: Tag
LEEF field name: Tag

Cortex Data Lake Schema Reference January 2024 757 ©2024 Palo Alto Networks, Inc.
Network Logs

USERID Field Description


(Display Name)

time_generated Time when the log was generated on the firewall's data
plane. This string contains a timestamp value that is the
(TIME GENERATED)
number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime

time_generated_high_res Time the log was generated in data plane


with millisec granularity in format YYYY-MM-
(TIME GENERATED HIGH
DDTHH:MM:SS[.DDDDDD]Z.
RESOLUTION)
Syslog field name: Syslog Field Order
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution

ug_flags Bit field used to indicate the status of user and group
information when the next-generation firewall is
(UG FLAGS)
performing an IP-to-username mapping.
Syslog field name: Syslog Field Order
CEF field name: PanOSUGFlags
EMAIL field name: UGFlags
HTTPS field name: UGFlags
LEEF field name: UGFlags

user End user being authenticated.


(USER) Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: User
HTTPS field name: User
LEEF field name: usrName

user_group_found Indicates whether the user could be mapped to a group.

Cortex Data Lake Schema Reference January 2024 758 ©2024 Palo Alto Networks, Inc.
Network Logs

USERID Field Description


(Display Name)
(USER GROUP FOUND) CEF field name: PanOSUserGroupFound
EMAIL field name: UserGroupFound
HTTPS field name: UserGroupFound
LEEF field name: UserGroupFound

user_identified_by_source_as The user name as sent by the data source.


(USER IDENTIFIED BY SOURCE) Syslog field name: Syslog Field Order
CEF field name: PanOSUserIdentifiedBySource
EMAIL field name: UserIdentifiedBySource
HTTPS field name: UserIdentifiedBySource
LEEF field name: UserIdentifiedBySource

vendor_name Identifies the vendor that produced the data.


(VENDOR NAME) CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor

vsys String representation of the unique identifier for a


virtual system on a Palo Alto Networks firewall.
(VIRTUAL LOCATION)
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation

vsys_id A unique identifier for a virtual system on a Palo Alto


Networks firewall.
(VIRTUAL SYSTEM ID)
Syslog field name: Syslog Field Order
CEF field name: cn2
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID

Cortex Data Lake Schema Reference January 2024 759 ©2024 Palo Alto Networks, Inc.
Network Logs

USERID Field Description


(Display Name)

vsys_name The name of the virtual system associated with the


network traffic.
(VIRTUAL SYSTEM NAME)
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

UserID Syslog Default Field Order


Example UserID log in Syslog:

Oct 13 01:23:58 gke-standard-cluster-2-pool-1-6ea9f13a-g2z7 498 <142>1 2020-10-13T01:23:58.167Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs -
1,2020-10-13T01:23:50.000000Z,007051000113358,USERID,login,10.0,2020-10-13T01:23:34.000000Z,vsys1,::c28:7141:ffff:0,
"xxxxx\xxxxx o"xxxxxxxxxx"'"xxxxxxxxxx"test",fake-data-source-95,1694498816,16777216,-1694302208,63502,60246,
server_session_monitor,exchange_server,551324,-9223372036854775808,0,0,0,0,,PA-VM,1,xxxxx,
2050-04-13T10:41:35.000000Z,1,64,xxxxxxxxxxxxxx,,2020-10-13T01:23:35.350000Z

The following identifies the default field order for filters migrated from an earlier version of the
log forwarding application. For log filters created after that migration, you specify the field order
when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value,
time_generated, vsys, source_ip.value, user, mapping_data_source_name, event_id,
count_of_repeats, mapping_timeout, source_port, dest_port, mapping_data_source.value,
mapping_data_source_type.value, sequence_no, action_flags, dg_hier_level_1, dg_hier_level_2,
dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, vsys_id, mfa_factor_type,
auth_completion_time, auth_factor_num, ug_flags, user_identified_by_source_as, tag_name,
time_generated_high_res
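As an added worked example (not code from this page or from Palo Alto Networks), the following Python parses one UserID syslog line in the default field order above into a dict keyed by query name. The payload after the RFC 5424 header is CSV, so a field such as user that contains a comma or quote arrives quoted; the example therefore uses the csv module rather than splitting on commas, applies the types the table documents (integers, ISO 8601 UTC timestamps, and the ug_flags bit field, which syslog and LEEF carry in decimal and CEF as hex), and validates source_ip.value as either IPv4 or IPv6. The sample line, hostname and user names are constructed for the example, and the outer relay prefix seen in the page's example is skipped by starting at the PRI.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Default UserID syslog field order, as listed on this page (34 positional fields).
USERID_FIELDS = [
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "time_generated", "vsys", "source_ip.value", "user",
    "mapping_data_source_name", "event_id", "count_of_repeats", "mapping_timeout",
    "source_port", "dest_port", "mapping_data_source.value",
    "mapping_data_source_type.value", "sequence_no", "action_flags",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "log_source_name", "vsys_id", "mfa_factor_type",
    "auth_completion_time", "auth_factor_num", "ug_flags",
    "user_identified_by_source_as", "tag_name", "time_generated_high_res",
]
INT_FIELDS = {"event_id", "count_of_repeats", "mapping_timeout", "source_port", "dest_port",
              "sequence_no", "action_flags", "dg_hier_level_1", "dg_hier_level_2",
              "dg_hier_level_3", "dg_hier_level_4", "vsys_id", "auth_factor_num"}
TIME_FIELDS = {"log_time", "time_generated", "auth_completion_time", "time_generated_high_res"}


def parse_timestamp(value):
    """ISO 8601 UTC as the page documents it: YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z."""
    if value == "":
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_userid_syslog(line):
    """Return a typed dict keyed by query name for one UserID line in the default order."""
    # Start at the PRI so an outer relay prefix (timestamp, host, byte count) is ignored.
    # RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD, then MSG.
    parts = line[max(line.find("<"), 0):].split(" ", 7)
    if len(parts) != 8:
        raise ValueError("expected an RFC 5424 header followed by the CSV payload")
    # The payload is CSV: a field such as user that contains a comma or quote is quoted
    # (embedded quotes doubled), so use a real CSV reader rather than str.split(",").
    values = next(csv.reader(io.StringIO(parts[7])))
    if len(values) != len(USERID_FIELDS):
        raise ValueError(f"expected {len(USERID_FIELDS)} fields, got {len(values)}")
    rec = dict(zip(USERID_FIELDS, values))
    for name in INT_FIELDS:
        rec[name] = int(rec[name]) if rec[name] != "" else None
    for name in TIME_FIELDS:
        rec[name] = parse_timestamp(rec[name])
    # ug_flags is a bit field; syslog and LEEF carry it in decimal, CEF as 0x... hex.
    flags = rec["ug_flags"]
    rec["ug_flags"] = int(flags, 16) if flags.lower().startswith("0x") else int(flags)
    # source_ip may be IPv4 or IPv6 (the page's sample is IPv6); ipaddress validates both.
    rec["source_ip.value"] = ipaddress.ip_address(rec["source_ip.value"])
    return rec


def ingest_delay(rec):
    """Seconds between generation on the data plane and receipt in Cortex Data Lake."""
    return (rec["log_time"] - rec["time_generated"]).total_seconds()


# Constructed sample in the default field order (not the page's own example line).
SAMPLE = (
    "<142>1 2020-10-13T01:23:58.167Z stream-logfwd20-example logforwarder - panwlogs - "
    "1,2020-10-13T01:23:50.000000Z,007051000113358,USERID,login,10.0,"
    "2020-10-13T01:23:34.000000Z,vsys1,10.1.2.3,\"acme\\jdoe, svc\",fake-data-source-95,"
    "1,1,2700,0,0,probing,netbios_probing,551324,0,12,0,0,0,,PA-VM,1,,"
    "1970-01-01T00:00:00.000000Z,0,64,jdoe,,2020-10-13T01:23:34.350000Z"
)
```

The field-count check is deliberate: a filter created after migration can specify a different column set, and a line that does not match the 34-field default order should be rejected rather than silently mis-mapped. ingest_delay subtracts time_generated from log_time; a growing gap between the two is worth watching, since it is the lag before a mapping event reaches anything built on top of the data lake.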

UserID CEF Fields


Example UserID log in CEF:

Mar 1 21:06:03 xxx.xx.x.xx 1324 <14>1 2021-03-01T21:06:03.844Z stream-logfwd20-587718190-03011255-ut6o-harness-5vlj logforwarder - panwlogs -
CEF:0|Palo Alto Networks|LF|2.0|USERID|logout|3|ProfileToken=xxxxx dtz=UTC
rt=Mar 01 2021 21:06:02 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= dntdom=paloaltonetwork duser=xxxxx duid=
PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsDuplicateUser= PanOSIsPrismaNetworks=false
PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall
PanOSLogSourceTimeZoneOffset= PanOSUserGroupFound= start=Mar 01 2021 21:06:02 cs3=vsys1 cs3Label=VirtualLocation
src=xxx.xx.x.xx dst=xxx.xx.x.xx duser0=paloaltonetworks\\xxxxx cs4=fake-data-source-169 cs4Label=MappingDataSourceName
cat=0 cnt=1 cn3=3531 cn3Label=MappingTimeout spt=21015 dpt=49760 cs5=probing cs5Label=MappingDataSource
cs6=netbios_probing cs6Label=MappingDataSourceType externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12
PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220
cn2=1 cn2Label=VirtualSystemID cs1=xxxxx cs1Label=MFAFactorType end=Jul 09 2019 18:15:44 cn1=3 cn1Label=AuthFactorNo
PanOSUGFlags=0x100 PanOSUserIdentifiedBySource=xxxxxxxxxxxxxx PanOSTag= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12

The following table identifies the UserID field names that the Log Forwarding app uses when you
forward logs using the CEF log format.

CEF Name Field Details

end Query Name: auth_completion_time
Header Type: Predefined

cn1 Query Name: auth_factor_num
Header Type: Predefined
Label: cn1Label
Label Text: AuthFactorNo

dntdom Query Name: authenticated_user_info.domain
Header Type: Predefined
Max Length: 255

duser Query Name: authenticated_user_info.name
Header Type: Predefined
Max Length: 255

duid Query Name: authenticated_user_info.uuid
Header Type: Predefined
Max Length: 255

PanOSConfigVersion Query Name: config_version.value
Header Type: Custom

cnt Query Name: count_of_repeats
Header Type: Predefined

PanOSCortexDataLakeTenantID Query Name: customer_id
Header Type: Custom

dpt Query Name: dest_port
Header Type: Predefined

PanOSDGHierarchyLevel1 Query Name: dg_hier_level_1
Header Type: Custom

PanOSDGHierarchyLevel2 Query Name: dg_hier_level_2
Header Type: Custom

PanOSDGHierarchyLevel3 Query Name: dg_hier_level_3
Header Type: Custom

PanOSDGHierarchyLevel4 Query Name: dg_hier_level_4
Header Type: Custom

cat Query Name: event_id
Header Type: Predefined
Max Length: 1023

PanOSIsDuplicateLog Query Name: is_dup_log
Header Type: Custom

PanOSIsDuplicateUser Query Name: is_duplicate_user
Header Type: Custom

PanOSLogExported Query Name: is_exported
Header Type: Custom

PanOSLogForwarded Query Name: is_forwarded
Header Type: Custom

PanOSIsPrismaNetworks Query Name: is_prisma_branch
Header Type: Custom

PanOSIsPrismaUsers Query Name: is_prisma_mobile
Header Type: Custom

PanOSLogSource Query Name: log_source
Header Type: Custom

LogSourceGroupID Query Name: log_source_group_id
Header Type: Custom
Max Length: 255

deviceExternalId Query Name: log_source_id
Header Type: Predefined
Max Length: 255

dvchost Query Name: log_source_name
Header Type: Predefined
Max Length: 100

PanOSLogSourceTimeZoneOffset Query Name: log_source_tz_offset
Header Type: Custom

rt Query Name: log_time
Header Type: Predefined

Device Event Class ID Query Name: log_type.value
Header Type: Custom

cs5 Query Name: mapping_data_source.value
Header Type: Predefined
Label: cs5Label
Label Text: MappingDataSource
Max Length: 4000

cs4 Query Name: mapping_data_source_name
Header Type: Predefined
Label: cs4Label
Label Text: MappingDataSourceName
Max Length: 4000

cs6 Query Name: mapping_data_source_type.value
Header Type: Predefined
Label: cs6Label
Label Text: MappingDataSourceType
Max Length: 4000

cn3 Query Name: mapping_timeout
Header Type: Predefined
Label: cn3Label
Label Text: MappingTimeout

cs1 Query Name: mfa_factor_type
Header Type: Predefined
Label: cs1Label
Label Text: MFAFactorType
Max Length: 4000

PanOSPanoramaSN Query Name: panorama_serial
Header Type: Custom

PlatformType Query Name: platform_type
Header Type: Custom

externalId Query Name: sequence_no
Header Type: Predefined
Max Length: 40

src and dst, or c6a2 and c6a3 Query Name: source_ip.value
Header Type: Predefined
Label: none for src and dst; c6a2Label and c6a3Label for the IPv6 form
Label Text: Source IPv6 Address and Destination IPv6 Address

spt Query Name: source_port
Header Type: Predefined

Name Query Name: sub_type.value
Header Type: Custom

PanOSTag Query Name: tag_name
Header Type: Custom

start Query Name: time_generated
Header Type: Predefined

PanOSTimeGeneratedHighResolution Query Name: time_generated_high_res
Header Type: Custom

PanOSUGFlags Query Name: ug_flags
Header Type: Custom

duser Query Name: user
Header Type: Predefined
Max Length: 1023

PanOSUserGroupFound Query Name: user_group_found
Header Type: Custom

PanOSUserIdentifiedBySource Query Name: user_identified_by_source_as
Header Type: Custom

Device Vendor Query Name: vendor_name
Header Type: Custom

cs3 Query Name: vsys
Header Type: Predefined
Label: cs3Label
Label Text: VirtualLocation
Max Length: 4000

cn2 Query Name: vsys_id
Header Type: Predefined
Label: cn2Label
Label Text: VirtualSystemID

PanOSVirtualSystemName Query Name: vsys_name
Header Type: Custom

UserID EMAIL Fields


Example UserID log in EMAIL:

TimeReceived=2021-02-23T02:43:57.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=USERID
Subtype=logout
ConfigVersion=
TimeGenerated=2021-02-23T02:43:57.000000Z
VirtualLocation=vsys1
SourceIP=xxxxxxxxxxxx
User="paloaltonetworks\xxxxx"
MappingDataSourceName=fake-data-source-169
EventID=0
CountofRepeats=1
MappingTimeout=3531
SourcePort=21015
DestinationPort=49760
MappingDataSource=probing
MappingDataSourceType=netbios_probing
SequenceNo=6711379990526558750
DGHierarchyLevel1=12
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
VirtualSystemName=
DeviceName=PA-5220
VirtualSystemID=1
MFAFactorType=xxxxx
AuthCompletionTime=2019-07-09T18:15:44.000000Z
AuthFactorNo=3
UGFlags=0x100
UserIdentifiedBySource=xxxxxxxxxxxxxx
Tag=
TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z

The following table identifies the UserID field names that the Log Forwarding app uses when you
forward logs using the EMAIL log format.

EMAIL Name Query Name

AuthCompletionTime auth_completion_time

AuthFactorNo auth_factor_num

AuthenticatedUserDomain authenticated_user_info.domain

AuthenticatedUserName authenticated_user_info.name

AuthenticatedUserUUID authenticated_user_info.uuid

ConfigVersion config_version.value

RepeatCount, CountofRepeats count_of_repeats

CortexDataLakeTenantID customer_id

DestinationPort dest_port

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

EventID event_id

IsDuplicateLog is_dup_log

IsDuplicateUser is_duplicate_user

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetworks is_prisma_branch

IsPrismaUsers is_prisma_mobile

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MappingDataSource mapping_data_source.value

MappingDataSourceName mapping_data_source_name

MappingDataSourceType mapping_data_source_type.value

MappingTimeout mapping_timeout

MFAFactorType mfa_factor_type

PanoramaSN panorama_serial

PlatformType platform_type

SequenceNo sequence_no

SourceIP source_ip.value

SourcePort source_port

Subtype sub_type.value

Tag tag_name

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

UGFlags ug_flags

User user

UserGroupFound user_group_found

UserIdentifiedBySource user_identified_by_source_as

VendorName vendor_name

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

UserID HTTPS Fields


The following table identifies the UserID field names that the Log Forwarding app uses when you
forward logs using the HTTPS log format.

HTTPS Name Query Name

AuthCompletionTime auth_completion_time

AuthFactorNo auth_factor_num

AuthenticatedUserDomain authenticated_user_info.domain

AuthenticatedUserName authenticated_user_info.name

AuthenticatedUserUUID authenticated_user_info.uuid

ConfigVersion config_version.value

RepeatCount, CountofRepeats count_of_repeats

CortexDataLakeTenantID customer_id

DestinationPort dest_port

DGHierarchyLevel1 dg_hier_level_1

DGHierarchyLevel2 dg_hier_level_2

DGHierarchyLevel3 dg_hier_level_3

DGHierarchyLevel4 dg_hier_level_4

EventID event_id

IsDuplicateLog is_dup_log

IsDuplicateUser is_duplicate_user

LogExported is_exported

LogForwarded is_forwarded

IsPrismaNetworks is_prisma_branch

IsPrismaUsers is_prisma_mobile

LogSource log_source

LogSourceGroupID log_source_group_id

DeviceSN log_source_id

DeviceName log_source_name

LogSourceTimeZoneOffset log_source_tz_offset

TimeReceived log_time

LogType log_type.value

MappingDataSource mapping_data_source.value

MappingDataSourceName mapping_data_source_name

MappingDataSourceType mapping_data_source_type.value

MappingTimeout mapping_timeout

MFAFactorType mfa_factor_type

PanoramaSN panorama_serial

PlatformType platform_type

SequenceNo sequence_no

SourceIP source_ip.value

SourcePort source_port

Subtype sub_type.value

Tag tag_name

TimeGenerated time_generated

TimeGeneratedHighResolution time_generated_high_res

UGFlags ug_flags

User user

UserGroupFound user_group_found

UserIdentifiedBySource user_identified_by_source_as

VendorName vendor_name

VirtualLocation vsys

VirtualSystemID vsys_id

VirtualSystemName vsys_name

UserID LEEF Fields


Example UserID log in LEEF:

Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs -
LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |profileToken=Palotoken
VirtualSystemID=1 AuthFactorNo=3 DeviceName=PA-5220 dstPort=49760 MappingDataSourceType=netbios_probing MappingDataSource=probing
SequenceNo=6711379990526558750 MFAFactorType=xxxxx LogExported=false src=xxx.xx.x.xx VirtualSystemName= DeviceSN=xxxxxxxxxxxxx
TimeGeneratedHighResolution= usrName="paloaltonetworks\\xxxxx" UserIdentifiedBySource=xxxxxxxxxxxxxx
IsDuplicateUser= TimeReceived=2020-10-13T03:31:40.000000Z MappingDataSourceName=fake-data-source-169 UGFlags=256
IsPrismaNetworks=false AuthenticatedUserUUID= AuthCompletionTime=2019-07-09T18:15:44.000000Z IsDuplicateLog=false
UserGroupFound= LogForwarded=true CountofRepeats=1 EventID=0 VirtualLocation=vsys1 MappingTimeout=3531
AuthenticatedUserName=xxxxx LogSource=firewall devTime=2020-10-13T03:31:40.000000Z Vendor=Palo Alto Networks
AuthenticatedUserDomain=paloaltonetwork Tag= LogSourceTimeZoneOffset= cat=logout srcPort=21015
CortexDataLakeTenantID=xxxxxxxxxxxxx IsPrismaUsers=false LogType=USERID devTimeFormat=YYYY-MM-DDTHH:MM:SSZ

The following table identifies the UserID field names that the Log Forwarding app uses when you
forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app includes when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth), as a parameter called profileToken.

LEEF Name Query Name Field Type

AuthCompletionTime auth_completion_time Custom

AuthFactorNo auth_factor_num Custom

AuthenticatedUserDomain authenticated_user_info.domain Custom

AuthenticatedUserName authenticated_user_info.name Custom

AuthenticatedUserUUID authenticated_user_info.uuid Custom

ConfigVersion config_version.value Custom

CountofRepeats count_of_repeats Custom

CortexDataLakeTenantID customer_id Custom

dstPort dest_port Predefined

DGHierarchyLevel1 dg_hier_level_1 Custom

DGHierarchyLevel2 dg_hier_level_2 Custom

DGHierarchyLevel3 dg_hier_level_3 Custom

DGHierarchyLevel4 dg_hier_level_4 Custom

EventIdName event_id Custom

IsDuplicateLog is_dup_log Custom

IsDuplicateUser is_duplicate_user Custom

LogExported is_exported Custom

LogForwarded is_forwarded Custom

IsPrismaNetworks is_prisma_branch Custom

IsPrismaUsers is_prisma_mobile Custom

LogSource log_source Custom

LogSourceGroupID log_source_group_id Custom

DeviceSN log_source_id Custom

DeviceName log_source_name Custom

LogSourceTimeZoneOffset log_source_tz_offset Custom

TimeReceived log_time Custom

cat log_type.value Predefined

MappingDataSource mapping_data_source.value Custom

MappingDataSourceName mapping_data_source_name Custom

MappingDataSourceType mapping_data_source_type.value Custom

MappingTimeout mapping_timeout Custom

MFAFactorType mfa_factor_type Custom

PanoramaSN panorama_serial Custom

PlatformType platform_type Custom

SequenceNo sequence_no Custom

src source_ip.value Predefined

srcPort source_port Predefined

EventID sub_type.value Header

Tag tag_name Custom

devTime time_generated Predefined

TimeGeneratedHighResolution time_generated_high_res Custom

UGFlags ug_flags Custom

usrName user Predefined

UserGroupFound user_group_found Custom

UserIdentifiedBySource user_identified_by_source_as Custom

Vendor vendor_name Header

VirtualLocation vsys Custom

VirtualSystemID vsys_id Custom

VirtualSystemName vsys_name Custom
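
As an added worked example covering both the CEF and the LEEF sections above (not code from this page or from Palo Alto Networks), the following Python normalizes a UserID line in either format back to the query names used in the tables. Both formats are key=value extensions whose values may contain the delimiter (rt=Mar 01 2021 21:06:02, Vendor=Palo Alto Networks), so a value is taken to run up to the next key rather than up to the next delimiter. For CEF, csN/cnN keys are resolved through their csNLabel/cnNLabel partners and custom keys drop their PanOS prefix; the result is then looked up in one name table, because those label texts and stripped names match the EMAIL/HTTPS names, which are also the LEEF custom names. LEEF 2.0 reads its delimiter from the sixth header field (a single space in the page's example). The name table is a subset of the page's tables; the sample lines are condensed from the page's examples with constructed serial numbers, addresses and user names. Two caveats the page itself raises: the LEEF table lists cat against log_type.value while the sample line carries cat=logout next to a custom LogType=USERID, so the example keeps cat and the header's fifth field under their own names instead of guessing; and the sample's devTimeFormat declares no fractional seconds while its devTime has six, so the timestamp parser accepts both.

```python
import re
from datetime import datetime, timezone

# EMAIL/HTTPS names -> query names (subset of the UserID tables). The same names recur as
# CEF csN/cnN label texts, as CEF custom keys with a "PanOS" prefix and as LEEF custom
# keys, so one table serves all three formats.
NAME_TO_QUERY = {
    "TimeReceived": "log_time", "DeviceSN": "log_source_id", "LogType": "log_type.value",
    "VirtualLocation": "vsys", "ConfigVersion": "config_version.value", "Tag": "tag_name",
    "MappingDataSource": "mapping_data_source.value", "SequenceNo": "sequence_no",
    "MappingDataSourceName": "mapping_data_source_name", "DeviceName": "log_source_name",
    "MappingDataSourceType": "mapping_data_source_type.value", "VirtualSystemID": "vsys_id",
    "MappingTimeout": "mapping_timeout", "AuthFactorNo": "auth_factor_num",
    "AuthCompletionTime": "auth_completion_time", "UGFlags": "ug_flags",
    "TimeGeneratedHighResolution": "time_generated_high_res", "LogSource": "log_source",
}
# Predefined ArcSight (CEF) and QRadar (LEEF) keys, which carry no PAN-OS name.
CEF_PREDEFINED = {"rt": "log_time", "start": "time_generated", "end": "auth_completion_time",
                  "deviceExternalId": "log_source_id", "dvchost": "log_source_name",
                  "externalId": "sequence_no", "cat": "event_id", "cnt": "count_of_repeats",
                  "spt": "source_port", "dpt": "dest_port", "src": "source_ip.value"}
LEEF_PREDEFINED = {"src": "source_ip.value", "srcPort": "source_port", "dstPort": "dest_port",
                   "usrName": "user", "devTime": "time_generated"}
INT_NAMES = {"count_of_repeats", "source_port", "dest_port", "mapping_timeout", "vsys_id",
             "auth_factor_num", "sequence_no", "event_id"}
TIME_NAMES = {"log_time", "time_generated", "auth_completion_time", "time_generated_high_res"}
_PIPE = re.compile(r"(?<!\\)\|")  # header delimiter; a literal pipe is escaped as \|

def split_kv(text, delimiter=" "):
    """k=v pairs where a value runs up to the next key (values may contain the delimiter);
    '=' and '\\' inside a value are backslash-escaped in both CEF and LEEF."""
    key_re = re.compile(r"(?:^|" + re.escape(delimiter) + r")([A-Za-z0-9_]+)=")
    found = list(key_re.finditer(text))
    out = {}
    for i, m in enumerate(found):
        stop = found[i + 1].start() if i + 1 < len(found) else len(text)
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", text[m.end():stop])
    return out

def _typed(name, value, cef_time=False):
    """Integers, the ug_flags bit field (0x100 in CEF, 256 in LEEF/syslog) and UTC times
    ('Mar 01 2021 21:06:02' with dtz=UTC in CEF, ISO 8601 with optional fraction elsewhere)."""
    if value == "":
        return None
    if name == "ug_flags":
        return int(value, 16) if value.lower().startswith("0x") else int(value)
    if name in INT_NAMES:
        return int(value)
    if name in TIME_NAMES:
        fmt = ("%b %d %Y %H:%M:%S" if cef_time else
               "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ")
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    return value

def parse_cef(line):
    parts = _PIPE.split(line[line.index("CEF:") + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF needs seven header fields before the extension")
    rec = dict(zip(["cef_version", "vendor_name", "device_product", "device_version",
                    "log_type.value", "sub_type.value", "severity"],
                   (p.replace("\\|", "|") for p in parts[:7])))
    ext = split_kv(parts[7])
    for key, value in ext.items():
        if key.endswith("Label"):
            continue                      # consumed through its csN/cnN partner below
        name = ext.get(key + "Label") or (key[5:] if key.startswith("PanOS") else key)
        name = CEF_PREDEFINED.get(name) or NAME_TO_QUERY.get(name, name)
        rec[name] = _typed(name, value, cef_time=True)
    return rec

def parse_leef(line):
    parts = _PIPE.split(line[line.index("LEEF:") + 5:], maxsplit=6)
    if len(parts) != 7:
        raise ValueError("LEEF 2.0 needs six header fields, the sixth being the delimiter")
    rec = dict(zip(["leef_version", "vendor_name", "device_product", "device_version",
                    "leef_event_id"], parts[:5]))
    delim = parts[5]                      # the page's sample declares a single space
    if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):
        delim = chr(int(delim[1:], 16))   # LEEF 2.0 hex form, e.g. x09 for a tab
    for key, value in split_kv(parts[6], delim or "\t").items():
        if len(value) > 1 and value[0] == value[-1] == '"':
            value = value[1:-1]           # the sample quotes usrName; LEEF itself does not
        name = LEEF_PREDEFINED.get(key) or NAME_TO_QUERY.get(key, key)
        rec[name] = _typed(name, value)
    return rec

# Condensed from the page's examples; serial numbers, addresses and user names are constructed.
SAMPLE_CEF = (
    r"CEF:0|Palo Alto Networks|LF|2.0|USERID|logout|3|ProfileToken=xxxxx dtz=UTC "
    r"rt=Mar 01 2021 21:06:02 deviceExternalId=0123456789012 PanOSConfigVersion= "
    r"start=Mar 01 2021 21:06:02 cs3=vsys1 cs3Label=VirtualLocation src=10.1.2.3 "
    r"duser0=acme\\jdoe cs4=fake-data-source-169 cs4Label=MappingDataSourceName cat=0 cnt=1 "
    r"cn3=3531 cn3Label=MappingTimeout spt=21015 dpt=49760 cs6=netbios_probing "
    r"cs6Label=MappingDataSourceType externalId=6711379990526558750 dvchost=PA-5220 cn2=1 "
    r"cn2Label=VirtualSystemID end=Jul 09 2019 18:15:44 cn1=3 cn1Label=AuthFactorNo "
    r"PanOSUGFlags=0x100 PanOSTag= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12"
)
SAMPLE_LEEF = (
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |profileToken=Palotoken "
    "VirtualSystemID=1 AuthFactorNo=3 DeviceName=PA-5220 dstPort=49760 MappingTimeout=3531 "
    "src=10.1.2.3 DeviceSN=0123456789012 TimeGeneratedHighResolution= usrName=\"acme\\\\jdoe\" "
    "UGFlags=256 devTime=2020-10-13T03:31:40.000000Z Vendor=Palo Alto Networks Tag= "
    "cat=logout srcPort=21015 LogType=USERID devTimeFormat=YYYY-MM-DDTHH:MM:SSZ"
)
```

Keys that the name tables do not cover (dtz, ProfileToken, duser0, profileToken, devTimeFormat) pass through under their original names rather than being dropped, so nothing in the line is lost when the tables are extended.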
