Collect Palo Alto Networks firewall logs
Overview
This document describes how you can configure syslog and a Chronicle forwarder to collect Palo Alto Networks firewall logs. This document also explains how Palo Alto Networks firewall log fields map to Chronicle Unified Data Model (UDM) fields.
For an overview about Chronicle data ingestion, see Data ingestion to Chronicle.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the PAN_FIREWALL ingestion label.
Before you begin
To understand the components deployed to collect Palo Alto Networks firewall logs, review the deployment architecture. Each customer deployment might differ from this representation and might be more complex.
The following diagram shows how you can configure syslog on a Palo Alto Networks firewall and install a Chronicle forwarder on a Linux server to forward log data to Chronicle. The parser supports logs written in the following data formats: Comma Separated Values (CSV), Common Event Format (CEF), and Log Event Extended Format (LEEF).
Verify the log formats and PAN-OS versions that the Chronicle parser supports. The following table lists the log formats and the corresponding PAN-OS versions that the Chronicle parser supports:
Log format PAN-OS version CSV 10.1.3 CEF 10.0.0 LEEF 9.1.0 Verify the Palo Alto Networks firewall log types that the Chronicle parser supports. The Chronicle parser supports the following Palo Alto Networks firewall log types:
- Traffic
- Threat
- WildFire submissions
- Tunnel inspection
- Config
- System
- HIP match
- IP-Tag
- User-ID
- Decryption
- Authentication
- URL filtering
- Data filtering
- GlobalProtect
- Correlation
For more information about the Palo Alto Networks firewall log types, see PAN-OS log types.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Before you use the Palo Alto Networks firewall Gold parser, review the changes in field mappings between the default parser and Gold parser listed in this document. As part of the migration, ensure that the rules, searches, dashboards, or other processes that depend on the original fields use the updated fields.
For example, in the default parser, the "category" log field is mapped to the "security_result.description" UDM field. In the PAN firewall Gold parser, the "category" log field is mapped to the "security_result.category_details" UDM field. If you migrate to PAN firewall Gold parser and use "category" in your rules, you need to modify the rules to use the "security_result.category_details" UDM field of the Gold parser.
Configure syslog and the Chronicle forwarder
To configure syslog and the Chronicle forwarder, complete the following steps:
To monitor CSV logs, configure the syslog server profile. For more information, see Configure the syslog server profile.
When you configure the syslog server profile, specify "Default" as the custom log format.
To monitor CEF logs, configure the Palo Alto Networks firewall to forward CEF logs. For more information, download the PAN-OS CEF Integration guide PDF and see the "Configuration of Palo Alto Networks NGFW to output CEF events" section.
To monitor LEEF logs, configure the syslog server profile. For more information, see Custom log forwarding in LEEF format.
Configure the Chronicle forwarder to send logs to Chronicle. For more information, see Installing and configuring the forwarder on Linux. The following is an example of a Chronicle forwarder configuration:
- syslog: common: enabled: true data_type: PAN_FIREWALL batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
Field mapping reference: PAN firewall logs fields to UDM fields
This section explains how the parser maps Palo Alto Networks firewall log fields to Chronicle UDM event fields for each log type.
The Chronicle label key refers to the name of the key mapped to Labels.key UDM field. For example, in the case of the "Virtual System" field, the field name is "cs3" in CEF format and is "VirtualSystem" in LEEF format. The UDM field "about.labels.key" contains the value "vsys" and the UDM field "about.labels.value" contains the value of that field.
Some of the CEF or LEEF field names do not have a name corresponding to the CSV field names. In such cases, if you add your own variable name in custom log format in the syslog profile, the parser does not map it to the UDM field.
Refer to the following sections for mapping reference of each log type:
- System
- Config
- Threat/wildfire
- Traffic
- User ID
- HIP match
- IP tag
- Decryption
- Tunnel
- Authentication
- URL
- Data
- GlobalProtect
- Correlation
System
The following table lists the log fields of the system log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type is set to "%{type} - %{subtype}". | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type is set to "%{type} - %{subtype}". | |
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Event ID (eventid) | cat | eventid | about.labels.key/value | |
| Object (object) | fname | Filename | object | about.labels.key/value |
| Module (module) | flexString2 | Module | module | about.labels.key/value |
| Severity (severity) | $number-of-severity(header) | Severity | security_result.severity and security_result.severity_details | |
| Description (opaque) | msg | msg | metadata.description | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| High Resolution Timestamp (high_res_timestamp) | anOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
Config
The following table lists the log fields of the config log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | metadata.product_event_type | ||
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Host (host) | shost | src | principal.ip/hostname | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Command (cmd) | act | msg | cmd | about.labels.key/value |
| Admin (admin) | duser | usrName | principal.user.userid | |
| Client (client) | destinationServiceName | client | principal.application | |
| Result (result) | Signature ID (Header)(reason) | Result | security_result.summary | |
| Configuration Path (path) | msg | ConfigurationPath | principal.process.command_line | |
| Before Change Detail (before_change_detail) | cs1 | BeforeChangeDetail | before_change_detail | target.resource.attribute.labels.key/value |
| After Change Detail (after_change_detail) | cs2 | AfterChangeDetail | after_change_detail | target.resource.attribute.labels.key/value |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Device Group (dg_id) | PanOSFWDeviceGroup | dg_id | principal.asset.attribute.labels.key/value | |
| Audit Comment (comment) | PanOSPolicyAuditComment | comment | about.labels.key/value |
Threat/WildFire
The following table lists the log fields of the Threat/WildFire log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial #) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | cat/subtype (Header) | Subtype | metadata.product_event_type | |
| Generate Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Source address (src) | src | src | principal.ip | |
| Destination address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule Name (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser / usrName | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | target.application | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key/value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key/value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key/value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key/value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key/value |
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key/value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key/value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| URL/Filename (misc) | request | Miscellaneous | target.file.full_path (if subtype is 'file', 'virus', 'wildfire-virus', or 'wildfire' then `misc` field is mapped to target.file.full_path) target.url (if subtype is 'url' then `misc` field is mapped to target.url and target.hostname) target.hostname (if subtype is 'spyware' or 'vulnerability' then `misc` field is mapped to target.file.full_path and target.url) |
|
| Threat/Content Name (threatid) | cat | ThreatID | security_result.threat_name | |
| Category (category) | cs2 | URLCategory | security_result.category_details | |
| Severity (severity) | number-of-severity(header) | Severity | security_result.severity and security_result.severity_details | |
| Direction (direction) | flexString2 | Direction | network.direction | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Source Country (srcloc) | SourceLocation | principal.location.country_or_region | ||
| Destination Country (dstloc) | DestinationLocation | target.location.country_or_region | ||
| Content Type (contenttype) | ContentType | contenttype | about.labels.key/value | |
| PCAP ID (pcap_id) | fileId | PCAP_ID | pcap_id | about.labels.key/value |
| File Digest (filedigest) | fileHash | FileDigest | about.file.sha1/md5/sha256 | |
| Cloud (cloud) | filePath | Cloud | cloud | about.labels.key/value |
| URL Index (url_idx) | URLIndex | url_idx | about.labels.key/value | |
| User Agent (user_agent) | network.http.user_agent | |||
| File Type (filetype) | fileType | FileType | about.file.mime_type | |
| X-Forwarded-For (xff) | principal.ip | |||
| Referer (referer) | network.http.referral_url | |||
| Sender (sender) | suid | Sender | network.email.from | |
| Subject (subject) | msg | Subject | network.email.subject | |
| Recipient (recipient) | duid | Recipient | network.email.to | |
| Report ID (reportid) | oldFileId | ReportID | reportid | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Source VM UUID (src_uuid) | PanOSSrcUUID | SrcUUID | principal.user.product_object_id | |
| Destination VM UUID (dst_uuid) | PanOSDstUUID | DstUUID | target.user.product_object_id | |
| HTTP Method (http_method) | RequestMethod | network.http.method | ||
| Tunnel ID/IMSI (tunnel_id/imsi) | PanOSTunnelID | TunnelID | tunnel_id/imsi | about.labels.key/value |
| Monitor Tag/IMEI (monitortag/imei) | PanOSMonitorTag | MonitorTag | monitortag/imei | about.labels.key/value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | about.labels.key/value |
| Parent Session Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key/value |
| Tunnel Type (tunnel) | PanOSTunnelType | TunnelType | tunnel | about.labels.key/value |
| Threat Category (thr_category) | PanOSThreatCategory | ThreatCategory | thr_category | security_result.detection_fields.key/value |
| Content Version (contentver) | PanOSContentVer | ContentVer | contentver | about.labels.key/value |
| SCTP Association ID (assoc_id) | PanOSAssocID | assoc_id | about.labels.key/value | |
| Payload Protocol ID (ppid) | PanOSPPID | ppid | about.labels.key/value | |
| HTTP Headers (http_headers) | PanOSHTTPHeader | http_headers | about.labels.key/value | |
| URL Category List (url_category_list) | PanOSURLCatList | url_category_list | about.labels.key/value | |
| Rule UUID (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| HTTP/2 Connection (http2_connection) | PanOSHTTP2Con | http2_connection | about.labels.key/value | |
| Dynamic User Group Name (dynusergroup_name) | PanDynamicUsrgrp | dynusergroup_name | principal.labels.key/value | |
| XFF Address (xff_ip) | PanXFFIP | principal.ip | ||
| Source Device Category (src_category) | PanSrcDeviceCat | src_category | principal.labels.key/value | |
| Source Device Profile (src_profile) | PanSrcDeviceProf | src_profile | principal.labels.key/value | |
| Source Device Model (src_model) | PanSrcDeviceModel | src_model | principal.labels.key/value | |
| Source Device Vendor (src_vendor) | PanSrcDeviceVendor | src_vendor | principal.labels.key/value | |
| Source Device OS Family (src_osfamily) | PanSrcDeviceOS | src_osfamily | principal.asset.platform_software.platform
principal.labels.key/value |
|
| Source Device OS Version (src_osversion) | PanSrcDeviceOSv | principal.asset.software.version | ||
| Source Hostname (src_host) | PanSrcHostname | principal.hostname | ||
| Source MAC Address (src_mac) | PanSrcMac | principal.mac | ||
| Destination Device Category (dst_category) | PanDstDeviceCat | dst_category | target.labels.key/value | |
| Destination Device Profile (dst_profile) | PanDstDeviceProf | dst_profile | target.labels.key/value | |
| Destination Device Model (dst_model) | PanDstDeviceModel | dst_model | target.labels.key/value | |
| Destination Device Vendor (dst_vendor) | PanDstDeviceVendor | dst_vendor | target.labels.key/value | |
| Destination Device OS Family (dst_osfamily) | PanDstDeviceOS | dst_osfamily | target.labels.key/value | |
| Destination Device OS Version (dst_osversion) | PanDstDeviceOSv | target.asset.software.version | ||
| Destination Hostname (dst_host) | PanDstHostname | target.hostname | ||
| Destination MAC Address (dst_mac) | PanDstMac | target.mac | ||
| Container ID (container_id) | PanContainerName | container_id | about.labels.key/value | |
| POD Namespace (pod_namespace) | PanPODNamespace | pod_namespace | about.labels.key/value | |
| POD Name (pod_name) | PanPODName | pod_name | about.labels.key/value | |
| Source External Dynamic List (src_edl) | PanSrcEDL | src_edl | about.labels.key/value | |
| Destination External Dynamic List (dst_edl) | PanDstEDL | dst_edl | about.labels.key/value | |
| Host ID (hostid) | PanGPHostID | hostid | about.labels.key/value | |
| User Device Serial Number (serialnumber) | PanEPSerial | principal.asset.hardware.serial_number | ||
| Domain EDL (domain_edl) | PanDomainEDL | domain_edl | about.labels.key/value | |
| Source Dynamic Address Group (src_dag) | PanSrcDAG | principal.group.group_display_name | ||
| Destination Dynamic Address Group (dst_dag) | PanDstDAG | target.group.group_display_name | ||
| Partial Hash (partial_hash) | PanPartialHash | partial_hash | about.labels.key/value | |
| High Resolution Timestamp (high_res timestamp) | PanTimeHighRes | high_res timestamp | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Reason (reason) | PanReasonFilteringAction | reason | about.labels.key/value | |
| Justification (justification) | PanJustification | justification | about.labels.key/value | |
| A Slice Service Type (nssai_sst) | PanASServiceType | nssai_sst | about.labels.key/value | |
| Application Subcategory (subcategory_of_app) | subcategory_of_app | about.labels.key/value | ||
| Application Category (category_of_app) | category_of_app | about.labels.key/value | ||
| Application Technology (technology_of_app) | technology_of_app | about.labels.key/value | ||
| Application Risk (risk_of_app) | risk_of_app | about.labels.key/value | ||
| Application Characteristic (characteristic_of_app) | characteristic_of_app | about.labels.key/value | ||
| Application Container (container_of_app) | container_of_app | about.labels.key/value | ||
| Application SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key/value | ||
| Application Sanctioned State (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key/value |
Traffic
The following table lists the log fields of the traffic log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat/Type | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | start | metadata.event_timestamp | ||
| Source Address (src) | src | src | principal.ip | |
| Destination Address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule Name (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | target.application | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key/value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key/value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key/value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key/value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key/value |
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key/value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key/value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| Bytes (bytes) | flexNumber1 | totalBytes | bytes | about.labels.key/value |
| Bytes Sent (bytes_sent) | in | srcBytes | network.received_bytes | |
| Bytes Received (bytes_received) | out | dstBytes | network.sent_bytes | |
| Packets (packets) | cn2 | totalPackets | packets | about.labels.key/value |
| Start Time (start) | StartTime | start | about.labels.key/value | |
| Elapsed Time (elapsed) | cn3 | ElapsedTime | elapsed | about.labels.key/value |
| Category (category) | cs2 | URLCategory | security_result.category / security_result.category_details | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Source Country (srcloc) | SourceLocation | principal.location.country_or_region | ||
| Destination Country (dstloc) | DestinationLocation | target.location.country_or_region | ||
| Packets Sent (pkts_sent) | PanOSPacketsSent | srcPackets | pkts_sent | about.labels.key/value |
| Packets Received (pkts_received) | PanOSPacketsReceived | dstPackets | pkts_received | about.labels.key/value |
| Session End Reason (session_end_reason) | reason | SessionEndReason | security_result.summary | |
| Device Group Hierarchy1 (dg_hier_level_1 to dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| Device Group Hierarchy2 (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| Device Group Hierarchy3 (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Action Source (action_source) | cat | ActionSource | action_source | about.labels.key/value |
| Source VM UUID (src_uuid) | PanOSSrcUUID | SrcUUID | principal.asset.product_object_id | |
| Destination VM UUID (dst_uuid) | PanOSDstUUID | DstUUID | target.asset.product_object_id | |
| Tunnel ID/IMSI (tunnelid/imsi) | PanOSTunnelID | TunnelID | tunnelid/imsi | about.labels.key/value |
| Monitor Tag/IMEI (monitortag/imei) | PanOSMonitorTag | MonitorTag | monitortag/imei | about.labels.key/value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | about.labels.key/value |
| Parent Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key/value |
| Tunnel Type (tunnel) | PanOSTunnelType | TunnelType | tunnel | about.labels.key/value |
| SCTP Association ID (assoc_id) | PanOSSCTPAssocID | assoc_id | about.labels.key/value | |
| SCTP Chunks (chunks) | PanOSSCTPChunks | chunks | about.labels.key/value | |
| SCTP Chunks Sent (chunks_sent) | PanOSSCTPChunkSent | chunks_sent | about.labels.key/value | |
| SCTP Chunks Received (chunks_received) | PanOSSCTPChunksRcv | chunks_received | about.labels.key/value | |
| Rule UUID (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| HTTP/2 Connection (http2_connection) | PanOSHTTP2Con | http2_connection | about.labels.key/value | |
| App Flap Count (link_change_count) | PanLinkChange | link_change_count | about.labels.key/value | |
| Policy ID (policy_id) | PanPolicyID | policy_id | about.labels.key/value | |
| Link Switches (link_switches) | PanLinkDetail | link_switches | about.labels.key/value | |
| SD-WAN Cluster (sdwan_cluster) | PanSDWANCluster | sdwan_cluster | about.labels.key/value | |
| SD-WAN Device Type (sdwan_device_type) | PanSDWANDevice | sdwan_device_type | about.labels.key/value | |
| SD-WAN Cluster Type (sdwan_cluster_type) | PanSDWANClustype | sdwan_cluster_type | about.labels.key/value | |
| SD-WAN Site (sdwan_site) | PanSDWANSite | sdwan_site | about.labels.key/value | |
| Dynamic User Group Name (dynusergroup_name) | PanDynamicUsrgrp | dynusergroup_name | about.labels.key/value | |
| XFF Address (xff_ip) | PanXFFIP | principal.ip | ||
| Source Device Category (src_category) | PanSrcDeviceCat | src_category | principal.labels.key/value | |
| Source Device Profile (src_profile) | PanSrcDeviceProf | src_profile | principal.labels.key/value | |
| Source Device Model (src_model) | PanSrcDeviceModel | src_model | principal.labels.key/value | |
| Source Device Vendor (src_vendor) | PanSrcDeviceVendor | src_vendor | principal.labels.key/value | |
| Source Device OS Family (src_osfamily) | PanSrcDeviceOS | principal.asset.platform_software.platform
principal.labels.key/value |
||
| Source Device OS Version (src_osversion) | PanSrcDeviceOSv | principal.asset.software.version | ||
| Source Hostname (src_host) | PanSrcHostname | principal.hostname | ||
| Source MAC Address (src_mac) | PanSrcMac | principal.mac | ||
| Destination Device Category (dst_category) | PanDstDeviceCat | dst_category | target.labels.key/value | |
| Destination Device Profile (dst_profile) | PanDstDeviceProf | dst_profile | target.labels.key/value | |
| Destination Device Model (dst_model) | PanDstDeviceModel | dst_model | target.labels.key/value | |
| Destination Device Vendor (dst_vendor) | PanDstDeviceVendor | dst_vendor | target.labels.key/value | |
| Destination Device OS Family (dst_osfamily) | PanDstDeviceOS | dst_osfamily | target.labels.key/value | |
| Destination Device OS Version (dst_osversion) | PanDstDeviceOSv | target.asset.software.version | ||
| Destination Hostname (dst_host) | PanDstHostname | target.hostname | ||
| Destination MAC Address (dst_mac) | PanDstMac | target.mac | ||
| Container ID (container_id) | PanContainerName | container_id | about.labels.key/value | |
| POD Namespace (pod_namespace) | PanPODNamespace | pod_namespace | about.labels.key/value | |
| POD Name (pod_name) | PanPODName | pod_name | about.labels.key/value | |
| Source External Dynamic List (src_edl) | PanSrcEDL | src_edl | principal.labels.key/value | |
| Destination External Dynamic List (dst_edl) | PanDstEDL | dst_edl | target.labels.key/value | |
| Host ID (hostid) | PanGPHostID | hostid | about.labels.key/value | |
| User Device Serial Number (serialnumber) | PanEPSerial | principal.asset.hardware.serial_number | ||
| Source Dynamic Address Group (src_dag) | PanSrcDAG | principal.group.group_display_name | ||
| Destination Dynamic Address Group (dst_dag) | PanDstDAG | target.group.group_display_name | ||
| Session Owner (session_owner) | PanHASessionOwner | session_owner | about.labels.key/value | |
| High Resolution Timestamp (high_res_timestamp) | PanTimeHighRes | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| A Slice Service Type (nsdsai_sst) | PanASServiceType | nsdsai_sst | about.labels.key/value | |
| A Slice Differentiator (nsdsai_sd) | PanASServiceDiff | nsdsai_sd | about.labels.key/value | |
| Application Subcategory (subcategory_of_app) | subcategory_of_app | about.labels.key/value | ||
| Application Category (category_of_app) | category_of_app | about.labels.key/value | ||
| Application Technology (technology_of_app) | technology_of_app | about.labels.key/value | ||
| Application Risk (risk_of_app) | security_result.severity | |||
| Application Characteristic (characteristic_of_app) | characteristic_of_app | about.labels.key/value | ||
| Application Container (container_of_app) | container_of_app | about.labels.key/value | ||
| Application SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key/value | ||
| Application Sanctioned State (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key/value | ||
| Application Subcategory (subcategory_of_app) | subcategory_of_app1 | about.labels.key/value |
User-ID
The following table lists the log fields of the user-id log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Source IP (ip) | src | src | principal.ip | |
| User (user) | duser | usrName | target.user.userid
target.administrative_domain target.user.email_addresses |
|
| Data Source Name (datasourcename) | cs4 | DataSourceName | datasourcename | principal.labels.key/value |
| Event ID (eventid) | EventID | eventid | about.labels.key/value | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key/value |
| Time Out Threshold (timeout) | cn3 | TimeoutThreshold | timeout | about.labels.key/value |
| Source Port (beginport) | spt | srcPort | principal.port | |
| Destination Port (endport) | dpt | dstPort | target.port | |
| Data Source (datasource) | cs5 | DataSource | datasource | principal.labels.key/value |
| Data Source Type (datasourcetype) | cs6 | DataSourceType | datasourcetype | principal.labels.key/value |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Virtual System ID (vsys_id) | cn2 | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |
| Factor Type (factortype) | cs1 | FactorType | factortype | about.labels.key/value |
| Factor Completion Time (factorcompletiontime) | end | FactorCompletionTime | factorcompletiontime | about.labels.key/value |
| Factor Number (factorno) | cn1 | FactorNumber | factorno | about.labels.key/value |
| User Group Flags (ugflags) | PanOSUGFlags | ugflags | about.labels.key/value | |
| User by Source (userbysource) | PanOSUserBySource | principal.user.userid
principal.administrative_domain principal.user.email_addresses |
||
| High Resolution Timestamp (high_res timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
HIP match
The following table lists the log fields of the HIP match log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | ||
| Generated Time (time_generated or cef-formatted-time_generated) | start | startTime | metadata.event_timestamp | |
| Source User (srcuser) | suser | usrName | principal.user.userid | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Machine Name (machinename) | shost | identHostName | principal.hostname | |
| Operating System (os) | cs2 | OS | principal.asset.platform_software.platform | |
| Source Address (src) | src | identsrc | principal.ip | |
| HIP (matchname) | cat | HIP | matchname | about.labels.key/value |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key/value |
| HIP Type (matchtype) | Device Event Class ID (Header) | HIPType | matchtype | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Virtual System ID (vsys_id) | cn2 | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |
| IPv6 System Address (srcipv6) | c6a2 | srcipv6 | principal.asset.ip | |
| Host ID (hostid) | PanOSHostID | principal.asset.product_object_id | ||
| User Device Serial Number (serialnumber) | PanOSEndpointSerialNumber | principal.asset.hardware.serial_number | ||
| Device MAC Address (mac) | PanOSEndpointMac | principal.asset.mac | ||
| High Resolution Timestamp (high_res_timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
IP tag
The following table lists the log fields of the IP tag log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | GenerateTime | metadata.event_timestamp | ||
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Source IP (ip) | src | src | principal.ip | |
| Tag Name (tag_name) | PanOSTagName | TagName | tag_name | principal.labels.key/value |
| Event ID (event_id) | PanOSEventID | EventID | event_id | about.labels.key/value |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key/value |
| Timeout (timeout) | PanOSTimeout | TimeoutThreshold | timeout | about.labels.key/value |
| Data Source Name (datasourcename) | PanOSDataSourceName | DataSourceName | datasourcename | principal.labels.key/value |
| Data Source Type (datasource_type) | PanOSDataSourceType | DataSource | datasource_type | principal.labels.key/value |
| Data Source Subtype (datasource_subtype) | PanOSDataSourceSubType | DataSourceType | datasource_subtype | principal.labels.key/value |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOsVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Virtual System ID (vsys_id) | cn2 | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |
| High Resolution Timestamp (high_res timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
Decryption
The following table lists the log fields of the decryption log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Serial Number (serial) | PanOSDeviceSN | intermediary.asset.hardware.serial_number | ||
| Type (type) | type (Header) | metadata.product_event_type | ||
| Threat/Content Type (subtype) | subtype (Header) | metadata.product_event_type | ||
| Config Version (config_ver) | PanOSConfigVersion | config_ver | about.labels.key/value | |
| Generate Time (time_generated) | PanOSLogTimeStamp | metadata.event_timestamp | ||
| Source Address (src) | src | principal.ip | ||
| Destination Address (dst) | dst | target.ip | ||
| NAT Source IP (natsrc) | sourceTranslatedAddress | principa.nat_ip | ||
| NAT Destination IP (natdst) | destinationTranslatedAddress | target.nat_ip | ||
| Rule (rule) | cs1 | security_result.rule_name | ||
| Source User (srcuser) | suser | principal.user.userid | ||
| Destination User (dstuser) | duser | target.user.userid | ||
| Application (app) | app | target.application | ||
| Virtual System (vsys) | cs3 | vsys | about.labels.key/value | |
| Source Zone (from) | cs4 | from | principal.labels.key/value | |
| Destination Zone (to) | cs5 | to | target.labels.key/value | |
| Inbound Interface (inbound_if) | deviceInboundInterface | inbound_if | principal.labels.key/value | |
| Outbound Interface (outbound_if) | deviceOutboundInterface | outbound_if | target.labels.key/value | |
| Log Action (logset) | cs6 | logset | about.labels.key/value | |
| Time Logged (time_received) | PanOSTimeReceivedManagementPlane | - | ||
| Session ID (sessionid) | cn1 | network.session_id | ||
| Repeat Count (repeatcnt) | PanOSCountOfRepeats | repeatcnt | about.labels.key/value | |
| Source Port (sport) | spt | principal.port | ||
| Destination Port (dport) | dpt | target.port | ||
| NAT Source Port (natsport) | sourceTranslatedPort | principal.nat_port | ||
| NAT Destination Port (natdport) | destinationTranslatedPort | target.nat_port | ||
| Flags (flags) | flexString1 | flags | about.labels.key/value | |
| IP Protocol (proto) | proto | network.ip_protocol | ||
| Action (action) | act | security_result.action_details
security_result.action |
||
| Tunnel (tunnel) | PanOSTunnel | tunnel | about.labels.key/value | |
| Source VM UUID (src_uuid) | PanOSSourceUUID | principal.asset.asset_id | ||
| Destination VM UUID (dst_uuid) | PanOSDestinationUUID | target.asset.asset_id | ||
| UUID for rule (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| Stage for Client to Firewall (hs_stage_c2f) | PanOSClientToFirewall | hs_stage_c2f | about.labels.key/value | |
| Stage for Firewall to Server (hs_stage_f2s) | PanOSFirewallToServer | hs_stage_f2s | about.labels.key/value | |
| TLS Version (tls_version) | PanOSTLSVersion | network.tls.version | ||
| Key Exchange Algorithm (tls_keyxchg) | PanOSTLSKeyExchange | tls_keyxchg | about.labels.key/value | |
| Encryption Algorithm (tls_enc) | PanOSTLSEncryptionAlgorithm | tls_enc | about.labels.key/value | |
| Hash Algorithm (tls_auth) | PanOSTLSAuth | tls_auth | about.labels.key/value | |
| Policy Name (policy_name) | PanOSPolicyName | policy_name | about.labels.key/value | |
| Elliptic Curve (ec_curve) | PanOSEllipticCurve | network.tls.curve | ||
| Error Index (err_index) | PanOSErrorIndex | err_index | about.labels.key/value | |
| Root Status (root_status) | PanOSRootStatus | root_status | about.labels.key/value | |
| Chain Status (chain_status) | PanOSChainStatus | chain_status | about.labels.key/value | |
| Proxy Type (proxy_type) | PanOSProxyType | proxy_type | about.labels.key/value | |
| Certificate Serial Number (cert_serial) | PanOSCertificateSerial | network.tls.server.certificate.serial | ||
| Certificate Fingerprint (fingerprint) | PanOSFingerprint | network.tls.server.certificate.md5/sha1/sha256 | ||
| Certificate Start Date (notbefore) | PanOSTimeNotBefore | network.tls.server.certificate.not_before | ||
| Certificate End Date (notafter) | PanOSTimeNotAfter | network.tls.server.certificate.not_after | ||
| Certificate Version (cert_ver) | PanOSCertificateVersion | network.tls.server.certificate.version | ||
| Certificate Size (cert_size) | PanOSCertificateSize | cert_size | about.labels.key/value | |
| Common Name Length (cn_len) | PanOSCommonNameLength | cn_len | about.labels.key/value | |
| Issuer Common Name Length (issuer_len) | PanOSIssuerNameLength | issuer_len | about.labels.key/value | |
| Root Common Name Length (rootcn_len) | PanOSRootCNLength | rootcn_len | about.labels.key/value | |
| SNI Length (sni_len) | PanOSSNILength | sni_len | about.labels.key/value | |
| Certificate Flags (cert_flags) | PanOSCertificateFlags | cert_flags | about.labels.key/value | |
| Subject Common Name (cn) | PanOSCommonName | cn | about.labels.key/value | |
| Issuer Common Name (issuer_cn) | PanOSIssuerCommonName | network.tls.server.certificate.issuer | ||
| Root Common Name (root_cn) | PanOSRootCommonName | root_cn | about.labels.key/value | |
| Server Name Indication
(sni) |
network.tls.client.server_name | |||
| Error (error) | PanOSErrorMessage | error | about.labels.key/value | |
| Container ID (container_id) | PanOSContainerID | container_id | about.labels.key/value | |
| POD Namespace (pod_namespace) | PanOSContainerNameSpace | pod_namespace | about.labels.key/value | |
| POD Name (pod_name) | PanOSContainerName | pod_name | about.labels.key/value | |
| Source External Dynamic List (src_edl) | PanOSSourceEDL | src_edl | principal.labels.key/value | |
| Destination External Dynamic List (dst_edl) | PanOSDestinationEDL | dst_edl | target.labels.key/value | |
| Source Dynamic Address Group (src_dag) | PanOSSourceDynamicAddressGroup | principal.group.group_display_name | ||
| Destination Dynamic Address Group (dst_dag) | PanOSDestinationDynamicAddressGroup | target.group.group_display_name | ||
| High Resolution Timestamp (high_res_timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Source Device Category (src_category) | PanOSSourceDeviceCategory | src_category | principal.labels.key/value | |
| Source Device Profile (src_profile) | PanOSSourceDeviceProfile | src_profile | principal.labels.key/value | |
| Source Device Model (src_model) | PanOSSourceDeviceModel | src_model | principal.labels.key/value | |
| Source Device Vendor (src_vendor) | PanOSSourceDeviceVendor | src_vendor | principal.labels.key/value | |
| Source Device OS Family (src_osfamily) | PanOSSourceDeviceOSFamily | principal.asset.platform_software.platform
principal.labels.key/value |
||
| Source Device OS Version (src_osversion) | PanOSSourceDeviceOSVersion | principal.asset.software.version | ||
| Source Hostname (src_host) | PanOSSourceDeviceHost | principal.hostname | ||
| Source MAC Address (src_mac) | PanOSSourceDeviceMac | principal.mac | ||
| Destination Device Category (dst_category) | PanOSDestinationDeviceCategory | dst_category | target.labels.key/value | |
| Destination Device Profile (dst_profile) | PanOSDestinationDeviceProfile | dst_profile | target.labels.key/value | |
| Destination Device Model (dst_model) | PanOSDestinationDeviceModel | dst_model | target.labels.key/value | |
| Destination Device Vendor (dst_vendor) | PanOSDestinationDeviceVendor | dst_vendor | target.labels.key/value | |
| Destination Device OS Family (dst_osfamily) | PanOSDestinationDeviceOSFamily | dst_osfamily | target.labels.key/value | |
| Destination Device OS Version (dst_osversion) | PanOSDestinationDeviceOSVersion | target.asset.software.version | ||
| Destination Hostname (dst_host) | PanOSDestinationDeviceHost | target.hostname | ||
| Destination MAC Address (dst_mac) | PanOSDestinationDeviceMac | target.mac | ||
| Sequence Number (seqno) | PanOSLogTypeSeqNo | metadata.product_log_id | ||
| Action Flags (actionflags) | PanOSActionFlags | actionflags | about.labels.key/value | |
| Device Group Hierarchy (dg_hier_level_1) | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value | |
| Device Group Hierarchy (dg_hier_level_2) | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value | |
| Device Group Hierarchy (dg_hier_level_3) | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value | |
| Device Group Hierarchy (dg_hier_level_4) | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value | |
| Virtual System Name (vsys_name) | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|||
| Device Name (device_name) | intermediary.hostname | |||
| Virtual System ID (vsys_id) | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |||
| Application Subcategory (subcategory_of_app) | subcategory_of_app | about.labels.key/value | ||
| Application Category (category_of_app) | category_of_app | about.labels.key/value | ||
| Application Technology (technology_of_app) | technology_of_app | about.labels.key/value | ||
| Application Risk (risk_of_app) | security_result.severity | |||
| Application Characteristic (characteristic_of_app) | characteristic_of_app | about.labels.key/value | ||
| Application Container (container_of_app) | container_of_app | about.labels.key/value | ||
| Application SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key/value | ||
| Application Sanctioned State (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key/value |
Tunnel
The following table lists the log fields of the tunnel log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Source Address (src) | src | src | principal.ip | |
| Destination Address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule Name (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser / usrName | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | network.application_protocol | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key/value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key/value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key/value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key/value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key/value |
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key/value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key/value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| Severity (severity) | security_result.severity and security_result.severity_details | |||
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Source Location (srcloc) | principal.location.country_or_region | |||
| Destination Location (dstloc) | target.location.country_or_region | |||
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Tunnel ID (tunnelid) | PanOSTunnelID | TunnelID | tunnelid | about.labels.key/value |
| Monitor Tag (monitortag) | PanOSMonitorTag | MonitorTag | monitortag | about.labels.key/value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | about.labels.key/value |
| Parent Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key/value |
| Tunnel Type (tunnel) | cs2 | TunnelType | tunnel | about.labels.key/value |
| Bytes (bytes) | flexNumber1 | totalBytes | bytes | about.labels.key/value |
| Bytes Sent (bytes_sent) | in | srcBytes | network.received_bytes | |
| Bytes Received (bytes_received) | out | dstBytes | network.sent_bytes | |
| Packets (packets) | cn2 | totalPackets | packets | about.labels.key/value |
| Packets Sent (pkts_sent) | PanOSPacketsSent | srcPackets | pkts_sent | about.labels.key/value |
| Packets Received (pkts_received) | PanOSPacketsReceived | dstPackets | pkts_received | about.labels.key/value |
| Maximum Encapsulation (max_encap) | flexNumber2 | MaximumEncapsulation | max_encap | about.labels.key/value |
| Unknown Protocol (unknown_proto) | cfp1 | UnknownProtocol | unknown_proto | about.labels.key/value |
| Strict Checking (strict_check) | cfp2 | StrictChecking | strict_check | about.labels.key/value |
| Tunnel Fragment (tunnel_fragment) | PanOSTunnelFragment | TunnelFragment | tunnel_fragment | about.labels.key/value |
| Sessions Created (sessions_created) | cfp3 | SessionsCreated | sessions_created | about.labels.key/value |
| Sessions Closed (sessions_closed) | cfp4 | SessionsClosed | sessions_closed | about.labels.key/value |
| Session End Reason (session_end_reason) | reason | SessionEndReason | security_result.summary | |
| Action Source (action_source) | cat | ActionSource | action_source | about.labels.key/value |
| Start Time (start) | startTime | start | about.labels.key/value | |
| Elapsed Time (elapsed) | cn3 | ElapsedTime | elapsed | about.labels.key/value |
| Tunnel Inspection Rule (tunnel_insp_rule) | PanOSTunneInspectionRule | security_result.rule_name = "Tunnel Inspection Rule: %{PanOSTunnelInspectionRule}" | ||
| Remote User IP (remote_user_ip) | PanOSRmtUserIP | target.ip | ||
| Remote User ID (remote_user_id) | PanOSRmtUserID | remote_user_id | target.labels.key/value | |
| Security Rule UUID (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| PCAP ID (pcap_id) | PanOSPcapID | pcap_id | about.labels.key/value | |
| Dynamic User Group Name (dynusergroup_name) | PanDynamicUsrgrp | principal.group.group_display_name | ||
| Source External Dynamic List (src_edl) | PanOSSourceEDL | src_edl | principal.labels.key/value | |
| Destination External Dynamic List (dst_edl) | PanOSDestinationEDL | dst_edl | target.labels.key/value | |
| High Resolution Timestamp (high_res timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| A Slice Differentiator (nssai_sd) | nssai_sd | about.labels.key/value | ||
| A Slice Service Type (nssai_sd) | nssai_sd1 | about.labels.key/value | ||
| PDU Session ID (pdu_session_id) | pdu_session_id | about.labels.key/value | ||
| Application Subcategory (subcategory_of_app) | subcategory_of_app | about.labels.key/value | ||
| Application Category (category_of_app) | category_of_app | about.labels.key/value | ||
| Application Technology (technology_of_app) | technology_of_app | about.labels.key/value | ||
| Application Risk (risk_of_app) | risk_of_app | about.labels.key/value | ||
| Application Characteristic (characteristic_of_app) | characteristic_of_app | about.labels.key/value | ||
| Application Container (container_of_app) | container_of_app | about.labels.key/value | ||
| Application SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key/value | ||
| Application Sanctioned State (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key/value |
Authentication
The following table lists the log fields of the authentication log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Source IP (ip) | src | src | principal.ip | |
| User (user) | duser | usrName | target.user.userid | |
| Normalize User (normalize_user) | cs2 | NormalizeUser | target.user.user_display_name | |
| Object (object) | fname | ObjectName | object | about.labels.key/value |
| Authentication Policy (authpolicy) | cs4 | AuthPolicy | authpolicy | about.labels.key/value |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key/value |
| Authentication ID (authid) | cn2 | AuthenticationID | authid | about.labels.key/value |
| Vendor (vendor) | flexString2 | Vendor | vendor | about.labels.key/value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key/value |
| Server Profile (serverprofile) | cs1 | ServerProfile | serverprofile | about.labels.key/value |
| Description (desc) | PanOSDesc | AdditionalAuthInfo | security_result.description | |
| Client Type (clienttype) | cs5 | ClientType | clienttype | about.labels.key/value |
| Event Type (event) | msg | msg | extensions.auth.auth_details | |
| Factor Number (factorno) | cn1 | FactorNumber | factorno | about.labels.key/value |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Virtual System ID (vsys_id) | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |||
| Authentication Protocol (authproto) | authproto | about.labels.key/value | ||
| UUID for rule (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| High Resolution Timestamp (high_res _timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Source Device Category (src_category) | PanOSSourceDeviceCategory | src_category | principal.labels.key/value | |
| Source Device Profile (src_profile) | PanOSSourceDeviceProfile | src_profile | principal.labels.key/value | |
| Source Device Model (src_model) | PanOSSourceDeviceModel | src_model | principal.labels.key/value | |
| Source Device Vendor (src_vendor) | PanOSSourceDeviceVendor | src_vendor | principal.labels.key/value | |
| Source Device OS Family (src_osfamily) | PanOSSourceDeviceOSFamily | principal.asset.platform_software.platform
principal.labels.key/value |
||
| Source Device OS Version (src_osversion) | PanOSSourceDeviceOSVersion | principal.asset.software.version | ||
| Source Hostname (src_host) | PanOSSourceHostname | principal.hostname | ||
| Source MAC Address (src_mac) | PanOSSourceMac | principal.asset.mac | ||
| Region (region) | PanOSTrafficOriginRegion | principal.location.country_or_region | ||
| User Agent (user_agent) | PanOSHTTPUserAgent | network.http.user_agent | ||
| Session ID(sessionid) | PanOSTrafficSessionID | network.session_id |
URL
The following table lists the log fields of the URL log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial # (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generate Time | metadata.event_timestamp | |||
| Source address (src) | src | src | principal.ip | |
| Destination address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | network.application_protocol | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key/value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key/value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key/value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key/value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key/value |
| Time Logged | time_logged | about.labels.key/value | ||
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key/value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key/value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| URL/Filename (misc) | Miscellaneous | target.file.full_path
target.url |
||
| Threat/Content Name (threatid) | cat | ThreatID | security_result.threat_id | |
| Category (category) | cs2 | URLCategory | category | about.labels.key/value |
| Severity (severity) | number-of-severity (Header) | Severity | security_result.severity
security_result.severity_details |
|
| Direction (direction) | flexString2 | Direction | network.direction | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Source Country (srcloc) | SourceLocation | principal.location.country_or_region | ||
| Destination Country (dstloc) | DestinationLocation | target.location.country_or_region | ||
| contenttype (contenttype) | requestContext | ContentType | contenttype | about.labels.key/value |
| pcap_id (pcap_id) | fileId | PCAP_ID | pcap_id | about.labels.key/value |
| filedigest (filedigest) | FileDigest | about.file.sha1/md5/sha256 | ||
| cloud (cloud) | Cloud | cloud | about.labels.key/value | |
| url_idx (url_idx) | URLIndex | url_idx | about.labels.key/value | |
| user_agent (user_agent) | requestClientApplication | UserAgent | network.http.user_agent | |
| filetype (filetype) | about.file.mime_type | |||
| xff (xff) | PanOSXForwarderfor | identSrc | xff | about.labels.key/value |
| referer (referer) | PanOSReferer | Referer | network.http.referral_url | |
| sender (sender) | network.email.from | |||
| subject (subject) | Subject | network.email.subject | ||
| recipient (recipient) | network.email.to | |||
| reportid (reportid) | reportid | about.labels.key/value | ||
| DG Hierarchy Level 1 (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| DG Hierarchy Level 2 (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| DG Hierarchy Level 3 (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| DG Hierarchy Level 4 (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| file_url (file_url) | about.url | |||
| Source VM UUID (src_uuid) | SrcUUID | principal.asset.asset_id | ||
| Destination VM UUID (dst_uuid) | DstUUID | target.asset.asset_id | ||
| http_method (http_method) | requestMethod | RequestMethod | network.http.method | |
| Tunnel ID/IMSI (tunnelid) | PanOSTunnelID | TunnelID | tunnelid | about.labels.key/value |
| Monitor Tag/IMEI (monitortag) | PanOSMonitorTag | MonitorTag | monitortag | about.labels.key/value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | about.labels.key/value |
| Parent Session Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key/value |
| Tunnel (tunnel) | PanOSTunnelType | TunnelType | tunnel | about.labels.key/value |
| thr_category (thr_category) | PanOSThreatCategory | ThreatCategory | thr_category | security_result.detection_fields.key/value |
| contentver (contentver) | PanOSContentVer | ContentVer | contentver | about.labels.key/value |
| sig_flags (sig_flags) | sig_flags | about.labels.key/value | ||
| SCTP Association ID (assoc_id) | PanOSAssocID | assoc_id | about.labels.key/value | |
| Payload Protocol ID (ppid) | PanOSPPID | ppid | about.labels.key/value | |
| http_headers (http_headers) | PanOSHTTPHeader | http_headers | about.labels.key/value | |
| URL Category List (url_category_list) | PanOSURLCatList | url_category_list | about.labels.key/value | |
| UUID for rule (rule_uuid) | PanOSRuleUUID | rule_uuid | about.labels.key/value | |
| HTTP/2 Connection (http2_connection) | PanOSHTTP2Con | http2_connection | about.labels.key/value | |
| dynusergroup_name (dynusergroup_name) | PanDynamicUsrgrp | dynusergroup_name | about.labels.key/value | |
| XFF address (xff_ip) | PanXFFIP | principal.ip | ||
| Source Device Category (src_category) | PanSrcDeviceCat | src_category | principal.labels.key/value | |
| Source Device Profile (src_profile) | PanSrcDeviceProf | src_profile | principal.labels.key/value | |
| Source Device Model (src_model) | PanSrcDeviceModel | src_model | principal.labels.key/value | |
| Source Device Vendor (src_vendor) | PanSrcDeviceVendor | src_vendor | principal.labels.key/value | |
| Source Device OS Family (src_osfamily) | PanSrcDeviceOS | principal.asset.platform_software.platform
principal.labels.key/value |
||
| Source Device OS Version (src_osversion) | PanSrcDeviceOSv | principal.asset.software.version | ||
| Source Hostname (src_host) | PanSrcHostname | src_host | principal.labels.key/value | |
| Source Mac Address (src_mac) | PanSrcMac | principal.mac | ||
| Destination Device Category (dst_category) | PanDstDeviceCat | dst_category | target.labels.key/value | |
| Destination Device Profile (dst_profile) | PanDstDeviceProf | dst_profile | target.labels.key/value | |
| Destination Device Model (dst_model) | PanDstDeviceModel | dst_model | target.labels.key/value | |
| Destination Device Vendor (dst_vendor) | PanDstDeviceVendor | dst_vendor | target.labels.key/value | |
| Destination Device OS Family (dst_osfamily) | PanDstDeviceOS | target.asset.platform_software.platform
target.labels.key/value |
||
| Destination Device OS Version (dst_osversion) | PanDstDeviceOSv | target.asset.software.version | ||
| Destination Hostname (dst_host) | PanPODNamespace | target.hostname | ||
| Destination Mac Address (dst_mac) | PanDstMac | target.mac | ||
| Container ID (container_id) | PanContainerName | container_id | about.labels.key/value | |
| POD Namespace (pod_namespace) | PanPODNamespace | pod_namespace | about.labels.key/value | |
| POD Name (pod_name) | PanPODName | pod_name | about.labels.key/value | |
| Source External Dynamic List (src_edl) | PanSrcEDL | src_edl | principal.labels.key/value | |
| Destination External Dynamic List (dst_edl) | PanDstEDL | dst_edl | target.labels.key/value | |
| Host ID (hostid) | PanGPHostID | hostid | about.labels.key/value | |
| Serial Number (serialnumber) | PanEPSerial | principal.asset.hardware.serial_number | ||
| domain_edl (domain_edl) | PanDomainEDL | domain_edl | about.labels.key/value | |
| Source Dynamic Address Group (src_dag) | PanSrcDAG | principal.group.group_display_name | ||
| Destination Dynamic Address Group (dst_dag) | PanDstDAG | target.group.group_display_name | ||
| partial_hash (partial_hash) | PanPartialHash | partial_hash | about.labels.key/value | |
| High Res Timestamp (high_res_timestamp) | PanTimeHighRes | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Reason (reason) | PanReasonFilteringAction | reason | about.labels.key/value | |
| justification (justification) | PanJustification | justification | about.labels.key/value | |
| nssai_sst (nssai_sst) | PanASServiceType | nssai_sst | about.labels.key/value | |
| Subcategory of app (subcategory_of_app) | subcategory_of_app | about.labels.key/value | ||
| Category of app (category_of_app) | category_of_app | about.labels.key/value | ||
| Technology of app (technology_of_app) | technology_of_app | about.labels.key/value | ||
| Risk of app (risk_of_app) | risk_of_app | about.labels.key/value | ||
| Characteristic of app (characteristic_of_app) | characteristic_of_app | about.labels.key/value | ||
| Container of app (container_of_app) | container_of_app | about.labels.key/value | ||
| Tunneled app (tunneled_app) | tunneled_app | about.labels.key/value | ||
| SaaS of app (is_saas_of_app) | is_saas_of_app | about.labels.key/value | ||
| Sanctioned State of app (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key/value |
Data
The following table lists the log fields of the data log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial # (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generate Time | metadata.event_timestamp | |||
| Source address (src) | src | src | principal.ip | |
| Destination address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | network.application_protocol | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key/value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key/value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key/value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key/value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key/value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key/value |
| Time Logged | time_logged | about.labels.key/value | ||
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key/value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key/value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| URL/Filename (misc) | Miscellaneous | target.file.full_path
target.url |
||
| Threat/Content Name (threatid) | cat | ThreatID | security_result.threat_id | |
| Category (category) | cs2 | URLCategory | category | about.labels.key/value |
| Severity (severity) | number-of-severity (Header) | Severity | security_result.severity
security_result.severity_details |
|
| Direction (direction) | flexString2 | Direction | network.direction | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key/value |
| Source Country (srcloc) | SourceLocation | principal.location.country_or_region | ||
| Destination Country (dstloc) | DestinationLocation | target.location.country_or_region | ||
| contenttype (contenttype) | ContentType | contenttype | about.labels.key/value | |
| pcap_id (pcap_id) | fileId | PCAP_ID | pcap_id | about.labels.key/value |
| filedigest (filedigest) | FileDigest | about.file.sha1/md5/sha256 | ||
| cloud (cloud) | Cloud | cloud | about.labels.key/value | |
| url_idx (url_idx) | URLIndex | url_idx | about.labels.key/value | |
| user_agent (user_agent) | network.http.user_agent | |||
| filetype (filetype) | about.file.mime_type | |||
| xff (xff) | xff | about.labels.key/value | ||
| referer (referer) | network.http.referral_url | |||
| sender (sender) | network.email.from | |||
| subject (subject) | Subject | network.email.subject | ||
| recipient (recipient) | network.email.to | |||
| reportid (reportid) | reportid | about.labels.key/value | ||
| DG Hierarchy Level 1 (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key/value |
| DG Hierarchy Level 2 (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key/value |
| DG Hierarchy Level 3 (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key/value |
| DG Hierarchy Level 4 (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key/value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| file_url (file_url) | about.url | |||
| Source VM UUID (src_uuid) | SrcUUID | principal.asset.asset_id | ||
| Destination VM UUID (dst_uuid) | DstUUID | target.asset.asset_id | ||
| http_method (http_method) | RequestMethod | network.http.method | ||
| Tunnel ID/IMSI (tunnelid) | PanOSTunnelID | TunnelID | tunnelid | about.labels.key/value |
| Monitor Tag/IMEI (monitortag) | PanOSMonitorTag | MonitorTag | monitortag | about.labels.key/value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | about.labels.key/value |
| Parent Session Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key/value |
| Tunnel (tunnel) | PanOSTunnelType | TunnelType | tunnel | about.labels.key/value |
| thr_category (thr_category) | PanOSThreatCategory | ThreatCategory | thr_category | security_result.detection_fields.key/value |
| contentver (contentver) | PanOSContentVer | ContentVer | contentver | about.labels.key/value |
| sig_flags (sig_flags) | sig_flags | about.labels.key/value | ||
| SCTP Association ID (assoc_id) | PanOSAssocID | assoc_id | about.labels.key/value | |
| Payload Protocol ID (ppid) | PanOSPPID | ppid | about.labels.key/value | |
| http_headers (http_headers) | PanOSHTTPHeader | http_headers | about.labels.key/value | |
| URL Category List (url_category_list) | url_category_list | about.labels.key/value | ||
| UUID for rule (rule_uuid) | PanOSRuleUUID | rule_uuid | about.labels.key/value | |
| HTTP/2 Connection (http2_connection) | http2_connection | about.labels.key/value | ||
| dynusergroup_name (dynusergroup_name) | dynusergroup_name | principal.labels.key/value | ||
| XFF address (xff_ip) | principal.ip | |||
| Source Device Category (src_category) | src_category | principal.labels.key/value | ||
| Source Device Profile (src_profile) | src_profile | principal.labels.key/value | ||
| Source Device Model (src_model) | src_model | principal.labels.key/value | ||
| Source Device Vendor (src_vendor) | src_vendor | principal.labels.key/value | ||
| Source Device OS Family (src_osfamily) | principal.asset.platform_software.platform
principal.labels.key/value |
|||
| Source Device OS Version (src_osversion) | principal.asset.software.version | |||
| Source Hostname (src_host) | src_host | principal.labels.key/value | ||
| Source Mac Address (src_mac) | principal.mac | |||
| Destination Device Category (dst_category) | dst_category | target.labels.key/value | ||
| Destination Device Profile (dst_profile) | dst_profile | target.labels.key/value | ||
| Destination Device Model (dst_model) | dst_model | target.labels.key/value | ||
| Destination Device Vendor (dst_vendor) | dst_vendor | target.labels.key/value | ||
| Destination Device OS Family (dst_osfamily) | target.asset.platform_software.platform
target.labels.key/value |
|||
| Destination Device OS Version (dst_osversion) | target.asset.software.version | |||
| Destination Hostname (dst_host) | target.hostname | |||
| Destination Mac Address (dst_mac) | target.mac | |||
| Container ID (container_id) | container_id | about.labels.key/value | ||
| POD Namespace (pod_namespace) | pod_namespace | about.labels.key/value | ||
| POD Name (pod_name) | pod_name | about.labels.key/value | ||
| Source External Dynamic List (src_edl) | src_edl | principal.labels.key/value | ||
| Destination External Dynamic List (dst_edl) | dst_edl | target.labels.key/value | ||
| Host ID (hostid) | hostid | about.labels.key/value | ||
| Serial Number (serialnumber) | principal.asset.hardware.serial_number | |||
| domain_edl (domain_edl) | domain_edl | about.labels.key/value | ||
| Source Dynamic Address Group (src_dag) | principal.group.group_display_name | |||
| Destination Dynamic Address Group (dst_dag) | target.group.group_display_name | |||
| partial_hash (partial_hash) | partial_hash | about.labels.key/value | ||
| High Res Timestamp (high_res_timestamp) | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|||
| Reason (reason) | reason | about.labels.key/value | ||
| justification (justification) | justification | about.labels.key/value | ||
| nssai_sst (nssai_sst) | nssai_sst | about.labels.key/value | ||
| Subcategory of app (subcategory_of_app) | subcategory_of_app | about.labels.key/value | ||
| Category of app (category_of_app) | category_of_app | about.labels.key/value | ||
| Technology of app (technology_of_app) | technology_of_app | about.labels.key/value | ||
| Risk of app (risk_of_app) | risk_of_app | about.labels.key/value | ||
| Characteristic of app (characteristic_of_app) | characteristic_of_app | about.labels.key/value | ||
| Container of app (container_of_app) | container_of_app | about.labels.key/value | ||
| Tunneled app (tunneled_app) | tunneled_app | about.labels.key/value | ||
| SaaS of app (is_saas_of_app) | is_saas_of_app | about.labels.key/value | ||
| Sanctioned State of app (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key/value |
GlobalProtect
The following table lists the log fields of the GlobalProtect log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time) | rt | received_time | metadata.event_timestamp | |
| Serial # (serial) | PanOSDeviceSN | intermediary_asset_hardware_serial_number | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | metadata.product_event_type | ||
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generate Time (time_generated) | PanOSLogTimeStamp | generated_timestamp | metadata.event_timestamp | |
| Virtual System (vsys) | PanOSVirtualSystem | vsys | about.labels.key/value | |
| Event ID (eventid) | PanOSEventID | event_id | about.labels.key/value | |
| Stage (stage) | PanOSStage | stage | about.labels.key/value | |
| Authentication Method (auth_method) | PanOSAuthMethod | extension_auth_auth_details | extensions.auth.auth_details | |
| Tunnel Type (tunnel_type) | PanOSTunnelType | tunnel | about.labels.key/value | |
| Source User (srcuser) | PanOSSourceUserName | src_user | principal.user.email_address
principal.user.userid principal.administrative_domain |
|
| Source Region (srcregion) | PanOSSourceRegion | src_region | principal.location.country_or_region | |
| Machine Name (machinename) | PanOSEndpointDeviceName | machine_name | principal.hostname | |
| Public IP (public_ip) | PanOSPublicIPv4 | principal.nat_ip | ||
| Public IPv6 (public_ipv6) | PanOSPublicIPv6 | principal.nat_ip | ||
| Private IP (private_ip) | PanOSPrivateIPv4 | principal.ip | ||
| Private IPv6 (private_ipv6) | PanOSPrivateIPv6 | principal.ip | ||
| Host ID (hostid) | PanOSHostID | hostid | principal.asset.asset_id | |
| Serial Number (serialnumber) | PanOSDeviceSN | principal.asset.hardware.serial_number | ||
| Client Version (client_ver) | PanOSGlobalProtectClientVersion | client_ver | about.labels.key/value | |
| Client OS (client_os) | PanOSEndpointOSType | principal.asset.platform_software.platform(enum) | ||
| Client OS Version (client_os_ver) | PanOSEndpointOSVersion | principal.asset.platform_software.platform_version | ||
| Repeat Count (repeatcnt) | PanOSCountOfRepeats | repeatcnt | about.labels.key/value | |
| Reason (reason) | PanOSQuarantineReason | security_result.summary | ||
| Error (error) | PanOSConnectionError | error | security_result.description | |
| Description (opaque) | PanOSDescription | security_result.description | ||
| Status (status) | PanOSEventStatus | status | about.labels.key/value | |
| Location (location) | PanOSGPGatewayLocation | target.location.country_or_region | ||
| Login Duration (login_duration) | PanOSLoginDuration | network.session_duration | ||
| Connect Method (connect_method) | PanOSConnectionMethod | connect_method | about.labels.key/value | |
| Error Code (error_code) | PanOSConnectionErrorID | error_code | about.labels.key/value | |
| Portal (portal) | PanOSPortal | portal | about.labels.key/value | |
| Sequence Number (seqno) | PanOSSequenceNo | metadata.product_log_id | ||
| Action Flags (actionflags) | PanOSActionFlags | actionflags | about.labels.key/value | |
| High Resolution Timestamp (high_res_timestamp) | anOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Gateway Selection Method (selection_type) | PanOSGatewaySelectionType | selection_type | about.labels.key/value | |
| SSL Response Time (response_time) | PanOSSSLResponseTime | response_time | about.labels.key/value | |
| Gateway Priority (priority) | PanOSGatewayPriority | priority | about.labels.key/value | |
| Attempted Gateways (attempted_gateways) | PanOSAttemptedGateways | attempted_gateways | about.labels.key/value | |
| Gateway Name (gateway) | PanOSAttemptedGateways | gateway | about.labels.key/value | |
| Device Group Hierarchy (dg_hier_level_1) | dg_hier_level_1 | about.labels.key/value | ||
| Device Group Hierarchy (dg_hier_level_2) | dg_hier_level_2 | about.labels.key/value | ||
| Device Group Hierarchy (dg_hier_level_3) | dg_hier_level_3 | about.labels.key/value | ||
| Device Group Hierarchy (dg_hier_level_4) | dg_hier_level_4 | about.labels.key/value | ||
| Virtual System Name (vsys_name) | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|||
| Device Name (device_name) | target.hostname | |||
| Virtual System ID (vsys_id) | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id |
Correlation
The following table lists the log fields of the Correlation log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Chronicle label key | UDM field |
|---|---|---|---|---|
| Generated Time (time_generated or cef-formatted-time_generated) | startTime | generated_timestamp | metadata.event_timestamp | |
| Source Address (src) | src | principal.ip | ||
| Source User (srcuser) | SourceUser / usrName | principal.user.userid | ||
| Virtual System (vsys) | VirtualSystem | vsys | about.labels.key/value | |
| Category (category) | security_result.category_details | |||
| Severity (severity) | Severity | security_result.severity and security_result.severity_details | ||
| Device Group Hierarchy Level 1 | DeviceGroupHierarchyL1 | about.labels.key/value | ||
| Device Group Hierarchy Level 2 | DeviceGroupHierarchyL2 | about.labels.key/value | ||
| Device Group Hierarchy Level 3 | DeviceGroupHierarchyL3 | about.labels.key/value | ||
| Device Group Hierarchy Level 4 | DeviceGroupHierarchyL4 | about.labels.key/value | ||
| Virtual System Name (vsys_name) | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
||
| Device Name (device_name) | DeviceName | intermediary.hostname | ||
| Virtual System ID (vsys_id) | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | ||
| Object Name (objectname) | ObjectName | target.resource.name | ||
| Object ID (object_id) | ObjectID | target.resource.product_object_id |
Field mapping reference: Log types to UDM event type
The following table lists the Palo Alto Networks firewall log types and their corresponding UDM event types.
| Log type | UDM event type |
| Traffic | NETWORK_CONNECTION |
| Threat | NETWORK_CONNECTION |
| URL Filtering | NETWORK_CONNECTION |
| WildFire | NETWORK_CONNECTION
WildFire submissions logs are a subtype of Threat log type and use the same syslog format. |
| Data Filtering | NETWORK_CONNECTION |
| Tunnel | NETWORK_CONNECTION |
| Config | SETTING_MODIFICATION/SETTING_CREATION/SETTING_DELETION/SETTING_UNCATEGORIZED
The value of the "Command (cmd)" field determines the UDM event type mapping. If the cmd field value is add or clone, SETTING_CREATION is set. If the cmd field value is delete, SETTING_DELETION is set. If the cmd field value is edit, move, rename, set, or commit, SETTING_MODIFICATION is set. If the cmd field value does not contain any values, then SETTING_UNCATEGORIZED is set. |
| System |
If the value of subtype is dhcp, then NETWORK_DHCP is set. For other values, GENERIC_EVENT is set. |
| HIP Match | NETWORK_CONNECTION |
| IP Tag | GENERIC_EVENT |
| User-ID | USER_LOGIN/USER_LOGOUT/USER_UNCATEGORIZED
If subtype value is "login", then USER_LOGIN is set. If subtype value is "logout", then USER_LOGOUT is set. If subtype does not contain any value, then USER_UNCATEGORIZED is set. |
| Decryption | NETWORK_CONNECTION |
| Authentication | GENERIC_EVENT |