Collect Palo Alto Networks firewall logs

Overview

This document describes how you can configure syslog and a Chronicle forwarder to collect Palo Alto Networks firewall logs. This document also explains how Palo Alto Networks firewall log fields map to Chronicle Unified Data Model (UDM) fields.

For an overview about Chronicle data ingestion, see Data ingestion to Chronicle.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the PAN_FIREWALL ingestion label.

Before you begin

To understand the components deployed to collect Palo Alto Networks firewall logs, review the deployment architecture. Each customer deployment might differ from this representation and might be more complex.

The following diagram shows how you can configure syslog on a Palo Alto Networks firewall and install a Chronicle forwarder on a Linux server to forward log data to Chronicle. The parser supports logs written in the following data formats: Comma Separated Values (CSV), Common Event Format (CEF), and Log Event Extended Format (LEEF).
Verify the log formats and PAN-OS versions that the Chronicle parser supports. The following table lists the log formats and the corresponding PAN-OS versions that the Chronicle parser supports:

Log format PAN-OS version

CSV 10.1.3

CEF 10.0.0

LEEF 9.1.0
Verify the Palo Alto Networks firewall log types that the Chronicle parser supports. The Chronicle parser supports the following Palo Alto Networks firewall log types:
- Traffic
- Threat
- WildFire submissions
- Tunnel inspection
- Config
- System
- HIP match
- IP-Tag
- User-ID
- Decryption
- Authentication
- URL filtering
- Data filtering
- GlobalProtect
- Correlation
For more information about the Palo Alto Networks firewall log types, see PAN-OS log types.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Before you use the Palo Alto Networks firewall Gold parser, review the changes in field mappings between the default parser and Gold parser listed in this document. As part of the migration, ensure that the rules, searches, dashboards, or other processes that depend on the original fields use the updated fields.

For example, in the default parser, the "category" log field is mapped to the "security_result.description" UDM field. In the PAN firewall Gold parser, the "category" log field is mapped to the "security_result.category_details" UDM field. If you migrate to PAN firewall Gold parser and use "category" in your rules, you need to modify the rules to use the "security_result.category_details" UDM field of the Gold parser.

Configure syslog and the Chronicle forwarder

To configure syslog and the Chronicle forwarder, complete the following steps:

To monitor CSV logs, configure the syslog server profile. For more information, see Configure the syslog server profile.

When you configure the syslog server profile, specify "Default" as the custom log format.
To monitor CEF logs, configure the Palo Alto Networks firewall to forward CEF logs. For more information, download the PAN-OS CEF Integration guide PDF and see the "Configuration of Palo Alto Networks NGFW to output CEF events" section.
To monitor LEEF logs, configure the syslog server profile. For more information, see Custom log forwarding in LEEF format.

Configure the Chronicle forwarder to send logs to Chronicle. For more information, see Installing and configuring the forwarder on Linux. The following is an example of a Chronicle forwarder configuration:

  - syslog:
      common:
        enabled: true
        data_type: PAN_FIREWALL
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60

Field mapping reference: PAN firewall logs fields to UDM fields

This section explains how the parser maps Palo Alto Networks firewall log fields to Chronicle UDM event fields for each log type.

The Chronicle label key refers to the name of the key mapped to Labels.key UDM field. For example, in the case of the "Virtual System" field, the field name is "cs3" in CEF format and is "VirtualSystem" in LEEF format. The UDM field "about.labels.key" contains the value "vsys" and the UDM field "about.labels.value" contains the value of that field.

Some of the CEF or LEEF field names do not have a name corresponding to the CSV field names. In such cases, if you add your own variable name in custom log format in the syslog profile, the parser does not map it to the UDM field.

Refer to the following sections for mapping reference of each log type:

System
Config
Threat/wildfire
Traffic
User ID
HIP match
IP tag
Decryption
Tunnel
Authentication
URL
Data
GlobalProtect
Correlation

System

The following table lists the log fields of the system log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type is set to "%{type} - %{subtype}".
Threat/Content Type (subtype)	subtype (Header)	Subtype		metadata.product_event_type is set to "%{type} - %{subtype}".
Generated Time (time_generated or cef-formatted-time_generated)				metadata.event_timestamp
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Event ID (eventid)	cat		eventid	about.labels.key/value
Object (object)	fname	Filename	object	about.labels.key/value
Module (module)	flexString2	Module	module	about.labels.key/value
Severity (severity)	$number-of-severity(header)	Severity		security_result.severity and security_result.severity_details
Description (opaque)	msg	msg		metadata.description
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
High Resolution Timestamp (high_res_timestamp)	anOSTimeGeneratedHighResolution			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Config

The following table lists the log fields of the config log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)			metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated)				metadata.event_timestamp
Host (host)	shost	src		principal.ip/hostname
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Command (cmd)	act	msg	cmd	metadata.description
Admin (admin)	duser	usrName		principal.user.userid
Client (client)	destinationServiceName	client		principal.application
Result (result)	Signature ID (Header)(reason)	Result		security_result.summary
Configuration Path (path)	msg	ConfigurationPath		principal.process.command_line
Before Change Detail (before_change_detail)	cs1	BeforeChangeDetail	before_change_detail	target.resource.attribute.labels.key/value
After Change Detail (after_change_detail)	cs2	AfterChangeDetail	after_change_detail	target.resource.attribute.labels.key/value
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
Device Group (dg_id)	PanOSFWDeviceGroup		dg_id	principal.asset.attribute.labels.key/value
Audit Comment (comment)	PanOSPolicyAuditComment		comment	about.labels.key/value

Threat/WildFire

The following table lists the log fields of the Threat/WildFire log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial #)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type
Threat/Content Type (subtype)	cat/subtype (Header)	Subtype		metadata.product_event_type
Generate Time (time_generated or cef-formatted-time_generated)				metadata.event_timestamp
Source address (src)	src	src		principal.ip
Destination address (dst)	dst	dst		target.ip
NAT Source IP (natsrc)	sourceTranslatedAddress	srcPostNAT		principal.nat_ip
NAT Destination IP (natdst)	destinationTranslatedAddress	dstPostNAT		target.nat_ip
Rule Name (rule)	cs1	RuleName		security_result.rule_name
Source User (srcuser)	suser	SourceUser / usrName		principal.user.userid
Destination User (dstuser)	duser	DestinationUser		target.user.userid
Application (app)	app	Application		target.application
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Source Zone (from)	cs4	SourceZone	from	principal.labels.key/value
Destination Zone (to)	cs5	DestinationZone	to	target.labels.key/value
Inbound Interface (inbound_if)	deviceInboundInterface	IngressInterface	inbound_if	principal.labels.key/value
Outbound Interface (outbound_if)	deviceOutboundInterface	EgressInterface	outbound_if	target.labels.key/value
Log Action (logset)	cs6	LogForwardingProfile	logset	about.labels.key/value
Session ID (sessionid)	cn1	SessionID		network.session_id
Repeat Count (repeatcnt)	cnt	RepeatCount	repeatcnt	about.labels.key/value
Source Port (sport)	spt	srcPort		principal.port
Destination Port (dport)	dpt	dstPort		target.port
NAT Source Port (natsport)	sourceTranslatedPort	srcPostNATPort		principal.nat_port
NAT Destination Port (natdport)	destinationTranslatedPort	dstPostNATPort		target.nat_port
Flags (flags)	flexString1	Flags	flags	about.labels.key/value
IP Protocol (proto)	proto	proto		network.ip_protocol
Action (action)	act	action		security_result.action_details security_result.action
URL/Filename (misc)	request	Miscellaneous		target.file.full_path (if subtype is 'file', 'virus', 'wildfire-virus', or 'wildfire' then `misc` field is mapped to target.file.full_path) target.url (if subtype is 'url' then `misc` field is mapped to target.url and target.hostname) target.hostname (if subtype is 'spyware' or 'vulnerability' then `misc` field is mapped to target.file.full_path and target.url)
Threat/Content Name (threatid)	cat	ThreatID		security_result.threat_name
Category (category)	cs2	URLCategory		security_result.category_details
Severity (severity)	number-of-severity(header)	Severity		security_result.severity and security_result.severity_details
Direction (direction)	flexString2	Direction		network.direction
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Source Country (srcloc)		SourceLocation		principal.location.country_or_region
Destination Country (dstloc)		DestinationLocation		target.location.country_or_region
Content Type (contenttype)		ContentType	contenttype	about.labels.key/value
PCAP ID (pcap_id)	fileId	PCAP_ID	pcap_id	about.labels.key/value
File Digest (filedigest)	fileHash	FileDigest		about.file.sha1/md5/sha256
Cloud (cloud)	filePath	Cloud	cloud	about.labels.key/value
URL Index (url_idx)		URLIndex	url_idx	about.labels.key/value
User Agent (user_agent)				network.http.user_agent
File Type (filetype)	fileType	FileType		about.file.mime_type
X-Forwarded-For (xff)				principal.ip
Referer (referer)				network.http.referral_url
Sender (sender)	suid	Sender		network.email.from
Subject (subject)	msg	Subject		network.email.subject
Recipient (recipient)	duid	Recipient		network.email.to
Report ID (reportid)	oldFileId	ReportID	reportid	about.labels.key/value
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
Source VM UUID (src_uuid)	PanOSSrcUUID	SrcUUID		principal.user.product_object_id
Destination VM UUID (dst_uuid)	PanOSDstUUID	DstUUID		target.user.product_object_id
HTTP Method (http_method)		RequestMethod		network.http.method
Tunnel ID/IMSI (tunnel_id/imsi)	PanOSTunnelID	TunnelID	tunnel_id/imsi	about.labels.key/value
Monitor Tag/IMEI (monitortag/imei)	PanOSMonitorTag	MonitorTag	monitortag/imei	about.labels.key/value
Parent Session ID (parent_session_id)	PanOSParentSessionID	ParentSessionID	parent_session_id	about.labels.key/value
Parent Session Start Time (parent_start_time)	PanOSParentStartTime	ParentStartTime	parent_start_time	about.labels.key/value
Tunnel Type (tunnel)	PanOSTunnelType	TunnelType	tunnel	about.labels.key/value
Threat Category (thr_category)	PanOSThreatCategory	ThreatCategory	thr_category	security_result.detection_fields.key/value
Content Version (contentver)	PanOSContentVer	ContentVer	contentver	about.labels.key/value
SCTP Association ID (assoc_id)	PanOSAssocID		assoc_id	about.labels.key/value
Payload Protocol ID (ppid)	PanOSPPID		ppid	about.labels.key/value
HTTP Headers (http_headers)	PanOSHTTPHeader		http_headers	about.labels.key/value
URL Category List (url_category_list)	PanOSURLCatList		url_category_list	about.labels.key/value
Rule UUID (rule_uuid)	PanOSRuleUUID			security_result.rule_id
HTTP/2 Connection (http2_connection)	PanOSHTTP2Con		http2_connection	about.labels.key/value
Dynamic User Group Name (dynusergroup_name)	PanDynamicUsrgrp		dynusergroup_name	principal.labels.key/value
XFF Address (xff_ip)	PanXFFIP			principal.ip
Source Device Category (src_category)	PanSrcDeviceCat		src_category	principal.labels.key/value
Source Device Profile (src_profile)	PanSrcDeviceProf		src_profile	principal.labels.key/value
Source Device Model (src_model)	PanSrcDeviceModel		src_model	principal.labels.key/value
Source Device Vendor (src_vendor)	PanSrcDeviceVendor		src_vendor	principal.labels.key/value
Source Device OS Family (src_osfamily)	PanSrcDeviceOS		src_osfamily	principal.asset.platform_software.platform principal.labels.key/value
Source Device OS Version (src_osversion)	PanSrcDeviceOSv			principal.asset.software.version
Source Hostname (src_host)	PanSrcHostname			principal.hostname
Source MAC Address (src_mac)	PanSrcMac			principal.mac
Destination Device Category (dst_category)	PanDstDeviceCat		dst_category	target.labels.key/value
Destination Device Profile (dst_profile)	PanDstDeviceProf		dst_profile	target.labels.key/value
Destination Device Model (dst_model)	PanDstDeviceModel		dst_model	target.labels.key/value
Destination Device Vendor (dst_vendor)	PanDstDeviceVendor		dst_vendor	target.labels.key/value
Destination Device OS Family (dst_osfamily)	PanDstDeviceOS		dst_osfamily	target.labels.key/value
Destination Device OS Version (dst_osversion)	PanDstDeviceOSv			target.asset.software.version
Destination Hostname (dst_host)	PanDstHostname			target.hostname
Destination MAC Address (dst_mac)	PanDstMac			target.mac
Container ID (container_id)	PanContainerName		container_id	about.labels.key/value
POD Namespace (pod_namespace)	PanPODNamespace		pod_namespace	about.labels.key/value
POD Name (pod_name)	PanPODName		pod_name	about.labels.key/value
Source External Dynamic List (src_edl)	PanSrcEDL		src_edl	about.labels.key/value
Destination External Dynamic List (dst_edl)	PanDstEDL		dst_edl	about.labels.key/value
Host ID (hostid)	PanGPHostID		hostid	about.labels.key/value
User Device Serial Number (serialnumber)	PanEPSerial			principal.asset.hardware.serial_number
Domain EDL (domain_edl)	PanDomainEDL		domain_edl	about.labels.key/value
Source Dynamic Address Group (src_dag)	PanSrcDAG			principal.group.group_display_name
Destination Dynamic Address Group (dst_dag)	PanDstDAG			target.group.group_display_name
Partial Hash (partial_hash)	PanPartialHash		partial_hash	about.labels.key/value
High Resolution Timestamp (high_res timestamp)	PanTimeHighRes		high_res timestamp	metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Reason (reason)	PanReasonFilteringAction		reason	about.labels.key/value
Justification (justification)	PanJustification		justification	about.labels.key/value
A Slice Service Type (nssai_sst)	PanASServiceType		nssai_sst	about.labels.key/value
Application Subcategory (subcategory_of_app)			subcategory_of_app	about.labels.key/value
Application Category (category_of_app)			category_of_app	about.labels.key/value
Application Technology (technology_of_app)			technology_of_app	about.labels.key/value
Application Risk (risk_of_app)			risk_of_app	about.labels.key/value
Application Characteristic (characteristic_of_app)			characteristic_of_app	about.labels.key/value
Application Container (container_of_app)			container_of_app	about.labels.key/value
Application SaaS (is_saas_of_app)			is_saas_of_app	about.labels.key/value
Application Sanctioned State (sanctioned_state_of_app)			sanctioned_state_of_app	about.labels.key/value

Traffic

The following table lists the log fields of the traffic log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat/Type		metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)	Subtype		metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated)	start			metadata.event_timestamp
Source Address (src)	src	src		principal.ip
Destination Address (dst)	dst	dst		target.ip
NAT Source IP (natsrc)	sourceTranslatedAddress	srcPostNAT		principal.nat_ip
NAT Destination IP (natdst)	destinationTranslatedAddress	dstPostNAT		target.nat_ip
Rule Name (rule)	cs1	RuleName		security_result.rule_name
Source User (srcuser)	suser	SourceUser		principal.user.userid
Destination User (dstuser)	duser	DestinationUser		target.user.userid
Application (app)	app	Application		target.application
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Source Zone (from)	cs4	SourceZone	from	principal.labels.key/value
Destination Zone (to)	cs5	DestinationZone	to	target.labels.key/value
Inbound Interface (inbound_if)	deviceInboundInterface	IngressInterface	inbound_if	principal.labels.key/value
Outbound Interface (outbound_if)	deviceOutboundInterface	EgressInterface	outbound_if	target.labels.key/value
Log Action (logset)	cs6	LogForwardingProfile	logset	about.labels.key/value
Session ID (sessionid)	cn1	SessionID		network.session_id
Repeat Count (repeatcnt)	cnt	RepeatCount	repeatcnt	about.labels.key/value
Source Port (sport)	spt	srcPort		principal.port
Destination Port (dport)	dpt	dstPort		target.port
NAT Source Port (natsport)	sourceTranslatedPort	srcPostNATPort		principal.nat_port
NAT Destination Port (natdport)	destinationTranslatedPort	dstPostNATPort		target.nat_port
Flags (flags)	flexString1	Flags	flags	about.labels.key/value
IP Protocol (proto)	proto	proto		network.ip_protocol
Action (action)	act	action		security_result.action_details security_result.action
Bytes (bytes)	flexNumber1	totalBytes	bytes	about.labels.key/value
Bytes Sent (bytes_sent)	in	srcBytes		network.sent_bytes
Bytes Received (bytes_received)	out	dstBytes		network.received_bytes
Packets (packets)	cn2	totalPackets	packets	about.labels.key/value
Start Time (start)		StartTime	start	about.labels.key/value
Elapsed Time (elapsed)	cn3	ElapsedTime	elapsed	about.labels.key/value
Category (category)	cs2	URLCategory		security_result.category / security_result.category_details
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Source Country (srcloc)		SourceLocation		principal.location.country_or_region
Destination Country (dstloc)		DestinationLocation		target.location.country_or_region
Packets Sent (pkts_sent)	PanOSPacketsSent	srcPackets	pkts_sent	about.labels.key/value
Packets Received (pkts_received)	PanOSPacketsReceived	dstPackets	pkts_received	about.labels.key/value
Session End Reason (session_end_reason)	reason	SessionEndReason		security_result.summary
Device Group Hierarchy1 (dg_hier_level_1 to dg_hier_level_4)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy2 (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy3 (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
Action Source (action_source)	cat	ActionSource	action_source	about.labels.key/value
Source VM UUID (src_uuid)	PanOSSrcUUID	SrcUUID		principal.asset.product_object_id
Destination VM UUID (dst_uuid)	PanOSDstUUID	DstUUID		target.asset.product_object_id
Tunnel ID/IMSI (tunnelid/imsi)	PanOSTunnelID	TunnelID	tunnelid/imsi	about.labels.key/value
Monitor Tag/IMEI (monitortag/imei)	PanOSMonitorTag	MonitorTag	monitortag/imei	about.labels.key/value
Parent Session ID (parent_session_id)	PanOSParentSessionID	ParentSessionID	parent_session_id	about.labels.key/value
Parent Start Time (parent_start_time)	PanOSParentStartTime	ParentStartTime	parent_start_time	about.labels.key/value
Tunnel Type (tunnel)	PanOSTunnelType	TunnelType	tunnel	about.labels.key/value
SCTP Association ID (assoc_id)	PanOSSCTPAssocID		assoc_id	about.labels.key/value
SCTP Chunks (chunks)	PanOSSCTPChunks		chunks	about.labels.key/value
SCTP Chunks Sent (chunks_sent)	PanOSSCTPChunkSent		chunks_sent	about.labels.key/value
SCTP Chunks Received (chunks_received)	PanOSSCTPChunksRcv		chunks_received	about.labels.key/value
Rule UUID (rule_uuid)	PanOSRuleUUID			security_result.rule_id
HTTP/2 Connection (http2_connection)	PanOSHTTP2Con		http2_connection	about.labels.key/value
App Flap Count (link_change_count)	PanLinkChange		link_change_count	about.labels.key/value
Policy ID (policy_id)	PanPolicyID		policy_id	about.labels.key/value
Link Switches (link_switches)	PanLinkDetail		link_switches	about.labels.key/value
SD-WAN Cluster (sdwan_cluster)	PanSDWANCluster		sdwan_cluster	about.labels.key/value
SD-WAN Device Type (sdwan_device_type)	PanSDWANDevice		sdwan_device_type	about.labels.key/value
SD-WAN Cluster Type (sdwan_cluster_type)	PanSDWANClustype		sdwan_cluster_type	about.labels.key/value
SD-WAN Site (sdwan_site)	PanSDWANSite		sdwan_site	about.labels.key/value
Dynamic User Group Name (dynusergroup_name)	PanDynamicUsrgrp		dynusergroup_name	about.labels.key/value
XFF Address (xff_ip)	PanXFFIP			principal.ip
Source Device Category (src_category)	PanSrcDeviceCat		src_category	principal.labels.key/value
Source Device Profile (src_profile)	PanSrcDeviceProf		src_profile	principal.labels.key/value
Source Device Model (src_model)	PanSrcDeviceModel		src_model	principal.labels.key/value
Source Device Vendor (src_vendor)	PanSrcDeviceVendor		src_vendor	principal.labels.key/value
Source Device OS Family (src_osfamily)	PanSrcDeviceOS			principal.asset.platform_software.platform principal.labels.key/value
Source Device OS Version (src_osversion)	PanSrcDeviceOSv			principal.asset.software.version
Source Hostname (src_host)	PanSrcHostname			principal.hostname
Source MAC Address (src_mac)	PanSrcMac			principal.mac
Destination Device Category (dst_category)	PanDstDeviceCat		dst_category	target.labels.key/value
Destination Device Profile (dst_profile)	PanDstDeviceProf		dst_profile	target.labels.key/value
Destination Device Model (dst_model)	PanDstDeviceModel		dst_model	target.labels.key/value
Destination Device Vendor (dst_vendor)	PanDstDeviceVendor		dst_vendor	target.labels.key/value
Destination Device OS Family (dst_osfamily)	PanDstDeviceOS		dst_osfamily	target.labels.key/value
Destination Device OS Version (dst_osversion)	PanDstDeviceOSv			target.asset.software.version
Destination Hostname (dst_host)	PanDstHostname			target.hostname
Destination MAC Address (dst_mac)	PanDstMac			target.mac
Container ID (container_id)	PanContainerName		container_id	about.labels.key/value
POD Namespace (pod_namespace)	PanPODNamespace		pod_namespace	about.labels.key/value
POD Name (pod_name)	PanPODName		pod_name	about.labels.key/value
Source External Dynamic List (src_edl)	PanSrcEDL		src_edl	principal.labels.key/value
Destination External Dynamic List (dst_edl)	PanDstEDL		dst_edl	target.labels.key/value
Host ID (hostid)	PanGPHostID		hostid	about.labels.key/value
User Device Serial Number (serialnumber)	PanEPSerial			principal.asset.hardware.serial_number
Source Dynamic Address Group (src_dag)	PanSrcDAG			principal.group.group_display_name
Destination Dynamic Address Group (dst_dag)	PanDstDAG			target.group.group_display_name
Session Owner (session_owner)	PanHASessionOwner		session_owner	about.labels.key/value
High Resolution Timestamp (high_res_timestamp)	PanTimeHighRes			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
A Slice Service Type (nsdsai_sst)	PanASServiceType		nsdsai_sst	about.labels.key/value
A Slice Differentiator (nsdsai_sd)	PanASServiceDiff		nsdsai_sd	about.labels.key/value
Application Subcategory (subcategory_of_app)			subcategory_of_app	about.labels.key/value
Application Category (category_of_app)			category_of_app	about.labels.key/value
Application Technology (technology_of_app)			technology_of_app	about.labels.key/value
Application Risk (risk_of_app)				security_result.severity
Application Characteristic (characteristic_of_app)			characteristic_of_app	about.labels.key/value
Application Container (container_of_app)			container_of_app	about.labels.key/value
Application SaaS (is_saas_of_app)			is_saas_of_app	about.labels.key/value
Application Sanctioned State (sanctioned_state_of_app)			sanctioned_state_of_app	about.labels.key/value
Application Subcategory (subcategory_of_app)			subcategory_of_app1	about.labels.key/value

User-ID

The following table lists the log fields of the user-id log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)	Subtype		metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated)				metadata.event_timestamp
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Source IP (ip)	src	src		principal.ip
User (user)	duser	usrName		target.user.userid target.administrative_domain target.user.email_addresses
Data Source Name (datasourcename)	cs4	DataSourceName	datasourcename	principal.labels.key/value
Event ID (eventid)		EventID	eventid	about.labels.key/value
Repeat Count (repeatcnt)	cnt	RepeatCount	repeatcnt	about.labels.key/value
Time Out Threshold (timeout)	cn3	TimeoutThreshold	timeout	about.labels.key/value
Source Port (beginport)	spt	srcPort		principal.port
Destination Port (endport)	dpt	dstPort		target.port
Data Source (datasource)	cs5	DataSource	datasource	principal.labels.key/value
Data Source Type (datasourcetype)	cs6	DataSourceType	datasourcetype	principal.labels.key/value
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Device Group Hierarchy (dg_hier_level_1)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
Virtual System ID (vsys_id)	cn2	VirtualSystemID		principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Factor Type (factortype)	cs1	FactorType	factortype	about.labels.key/value
Factor Completion Time (factorcompletiontime)	end	FactorCompletionTime	factorcompletiontime	about.labels.key/value
Factor Number (factorno)	cn1	FactorNumber	factorno	about.labels.key/value
User Group Flags (ugflags)	PanOSUGFlags		ugflags	about.labels.key/value
User by Source (userbysource)	PanOSUserBySource			principal.user.userid principal.administrative_domain principal.user.email_addresses
High Resolution Timestamp (high_res timestamp)	PanOSTimeGeneratedHighResolution			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

HIP match

The following table lists the log fields of the HIP match log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)	Subtype
Generated Time (time_generated or cef-formatted-time_generated)	start	startTime		metadata.event_timestamp
Source User (srcuser)	suser	usrName		principal.user.userid
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Machine Name (machinename)	shost	identHostName		principal.hostname
Operating System (os)	cs2	OS		principal.asset.platform_software.platform
Source Address (src)	src	identsrc		principal.ip
HIP (matchname)	cat	HIP	matchname	about.labels.key/value
Repeat Count (repeatcnt)	cnt	RepeatCount	repeatcnt	about.labels.key/value
HIP Type (matchtype)	Device Event Class ID (Header)	HIPType	matchtype
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Device Group Hierarchy (dg_hier_level_1)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
Virtual System ID (vsys_id)	cn2	VirtualSystemID		principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
IPv6 System Address (srcipv6)	c6a2	srcipv6		principal.asset.ip
Host ID (hostid)	PanOSHostID			principal.asset.product_object_id
User Device Serial Number (serialnumber)	PanOSEndpointSerialNumber			principal.asset.hardware.serial_number
Device MAC Address (mac)	PanOSEndpointMac			principal.asset.mac
High Resolution Timestamp (high_res_timestamp)	PanOSTimeGeneratedHighResolution			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

IP tag

The following table lists the log fields of the IP tag log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)	Subtype		metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated)		GenerateTime		metadata.event_timestamp
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Source IP (ip)	src	src		principal.ip
Tag Name (tag_name)	PanOSTagName	TagName	tag_name	principal.labels.key/value
Event ID (event_id)	PanOSEventID	EventID	event_id	about.labels.key/value
Repeat Count (repeatcnt)	cnt	RepeatCount	repeatcnt	about.labels.key/value
Timeout (timeout)	PanOSTimeout	TimeoutThreshold	timeout	about.labels.key/value
Data Source Name (datasourcename)	PanOSDataSourceName	DataSourceName	datasourcename	principal.labels.key/value
Data Source Type (datasource_type)	PanOSDataSourceType	DataSource	datasource_type	principal.labels.key/value
Data Source Subtype (datasource_subtype)	PanOSDataSourceSubType	DataSourceType	datasource_subtype	principal.labels.key/value
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Device Group Hierarchy (dg_hier_level_1)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOsVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
Virtual System ID (vsys_id)	cn2	VirtualSystemID		principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
High Resolution Timestamp (high_res timestamp)	PanOSTimeGeneratedHighResolution			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Decryption

The following table lists the log fields of the decryption log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial)	PanOSDeviceSN			intermediary.asset.hardware.serial_number
Type (type)	type (Header)			metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)			metadata.product_event_type
Config Version (config_ver)	PanOSConfigVersion		config_ver	about.labels.key/value
Generate Time (time_generated)	PanOSLogTimeStamp			metadata.event_timestamp
Source Address (src)	src			principal.ip
Destination Address (dst)	dst			target.ip
NAT Source IP (natsrc)	sourceTranslatedAddress			principa.nat_ip
NAT Destination IP (natdst)	destinationTranslatedAddress			target.nat_ip
Rule (rule)	cs1			security_result.rule_name
Source User (srcuser)	suser			principal.user.userid
Destination User (dstuser)	duser			target.user.userid
Application (app)	app			target.application
Virtual System (vsys)	cs3		vsys	about.labels.key/value
Source Zone (from)	cs4		from	principal.labels.key/value
Destination Zone (to)	cs5		to	target.labels.key/value
Inbound Interface (inbound_if)	deviceInboundInterface		inbound_if	principal.labels.key/value
Outbound Interface (outbound_if)	deviceOutboundInterface		outbound_if	target.labels.key/value
Log Action (logset)	cs6		logset	about.labels.key/value
Time Logged (time_received)	PanOSTimeReceivedManagementPlane			-
Session ID (sessionid)	cn1			network.session_id
Repeat Count (repeatcnt)	PanOSCountOfRepeats		repeatcnt	about.labels.key/value
Source Port (sport)	spt			principal.port
Destination Port (dport)	dpt			target.port
NAT Source Port (natsport)	sourceTranslatedPort			principal.nat_port
NAT Destination Port (natdport)	destinationTranslatedPort			target.nat_port
Flags (flags)	flexString1		flags	about.labels.key/value
IP Protocol (proto)	proto			network.ip_protocol
Action (action)	act			security_result.action_details security_result.action
Tunnel (tunnel)	PanOSTunnel		tunnel	about.labels.key/value
Source VM UUID (src_uuid)	PanOSSourceUUID			principal.asset.asset_id
Destination VM UUID (dst_uuid)	PanOSDestinationUUID			target.asset.asset_id
UUID for rule (rule_uuid)	PanOSRuleUUID			security_result.rule_id
Stage for Client to Firewall (hs_stage_c2f)	PanOSClientToFirewall		hs_stage_c2f	about.labels.key/value
Stage for Firewall to Server (hs_stage_f2s)	PanOSFirewallToServer		hs_stage_f2s	about.labels.key/value
TLS Version (tls_version)	PanOSTLSVersion			network.tls.version
Key Exchange Algorithm (tls_keyxchg)	PanOSTLSKeyExchange		tls_keyxchg	about.labels.key/value
Encryption Algorithm (tls_enc)	PanOSTLSEncryptionAlgorithm		tls_enc	about.labels.key/value
Hash Algorithm (tls_auth)	PanOSTLSAuth		tls_auth	about.labels.key/value
Policy Name (policy_name)	PanOSPolicyName		policy_name	about.labels.key/value
Elliptic Curve (ec_curve)	PanOSEllipticCurve			network.tls.curve
Error Index (err_index)	PanOSErrorIndex		err_index	about.labels.key/value
Root Status (root_status)	PanOSRootStatus		root_status	about.labels.key/value
Chain Status (chain_status)	PanOSChainStatus		chain_status	about.labels.key/value
Proxy Type (proxy_type)	PanOSProxyType		proxy_type	about.labels.key/value
Certificate Serial Number (cert_serial)	PanOSCertificateSerial			network.tls.server.certificate.serial
Certificate Fingerprint (fingerprint)	PanOSFingerprint			network.tls.server.certificate.md5/sha1/sha256
Certificate Start Date (notbefore)	PanOSTimeNotBefore			network.tls.server.certificate.not_before
Certificate End Date (notafter)	PanOSTimeNotAfter			network.tls.server.certificate.not_after
Certificate Version (cert_ver)	PanOSCertificateVersion			network.tls.server.certificate.version
Certificate Size (cert_size)	PanOSCertificateSize		cert_size	about.labels.key/value
Common Name Length (cn_len)	PanOSCommonNameLength		cn_len	about.labels.key/value
Issuer Common Name Length (issuer_len)	PanOSIssuerNameLength		issuer_len	about.labels.key/value
Root Common Name Length (rootcn_len)	PanOSRootCNLength		rootcn_len	about.labels.key/value
SNI Length (sni_len)	PanOSSNILength		sni_len	about.labels.key/value
Certificate Flags (cert_flags)	PanOSCertificateFlags		cert_flags	about.labels.key/value
Subject Common Name (cn)	PanOSCommonName		cn	about.labels.key/value
Issuer Common Name (issuer_cn)	PanOSIssuerCommonName			network.tls.server.certificate.issuer
Root Common Name (root_cn)	PanOSRootCommonName		root_cn	about.labels.key/value
Server Name Indication (sni)				network.tls.client.server_name
Error (error)	PanOSErrorMessage		error	about.labels.key/value
Container ID (container_id)	PanOSContainerID		container_id	about.labels.key/value
POD Namespace (pod_namespace)	PanOSContainerNameSpace		pod_namespace	about.labels.key/value
POD Name (pod_name)	PanOSContainerName		pod_name	about.labels.key/value
Source External Dynamic List (src_edl)	PanOSSourceEDL		src_edl	principal.labels.key/value
Destination External Dynamic List (dst_edl)	PanOSDestinationEDL		dst_edl	target.labels.key/value
Source Dynamic Address Group (src_dag)	PanOSSourceDynamicAddressGroup			principal.group.group_display_name
Destination Dynamic Address Group (dst_dag)	PanOSDestinationDynamicAddressGroup			target.group.group_display_name
High Resolution Timestamp (high_res_timestamp)	PanOSTimeGeneratedHighResolution			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Source Device Category (src_category)	PanOSSourceDeviceCategory		src_category	principal.labels.key/value
Source Device Profile (src_profile)	PanOSSourceDeviceProfile		src_profile	principal.labels.key/value
Source Device Model (src_model)	PanOSSourceDeviceModel		src_model	principal.labels.key/value
Source Device Vendor (src_vendor)	PanOSSourceDeviceVendor		src_vendor	principal.labels.key/value
Source Device OS Family (src_osfamily)	PanOSSourceDeviceOSFamily			principal.asset.platform_software.platform principal.labels.key/value
Source Device OS Version (src_osversion)	PanOSSourceDeviceOSVersion			principal.asset.software.version
Source Hostname (src_host)	PanOSSourceDeviceHost			principal.hostname
Source MAC Address (src_mac)	PanOSSourceDeviceMac			principal.mac
Destination Device Category (dst_category)	PanOSDestinationDeviceCategory		dst_category	target.labels.key/value
Destination Device Profile (dst_profile)	PanOSDestinationDeviceProfile		dst_profile	target.labels.key/value
Destination Device Model (dst_model)	PanOSDestinationDeviceModel		dst_model	target.labels.key/value
Destination Device Vendor (dst_vendor)	PanOSDestinationDeviceVendor		dst_vendor	target.labels.key/value
Destination Device OS Family (dst_osfamily)	PanOSDestinationDeviceOSFamily		dst_osfamily	target.labels.key/value
Destination Device OS Version (dst_osversion)	PanOSDestinationDeviceOSVersion			target.asset.software.version
Destination Hostname (dst_host)	PanOSDestinationDeviceHost			target.hostname
Destination MAC Address (dst_mac)	PanOSDestinationDeviceMac			target.mac
Sequence Number (seqno)	PanOSLogTypeSeqNo			metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags		actionflags	about.labels.key/value
Device Group Hierarchy (dg_hier_level_1)		DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)		DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)		DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)		DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)				principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)				intermediary.hostname
Virtual System ID (vsys_id)				principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Application Subcategory (subcategory_of_app)			subcategory_of_app	about.labels.key/value
Application Category (category_of_app)			category_of_app	about.labels.key/value
Application Technology (technology_of_app)			technology_of_app	about.labels.key/value
Application Risk (risk_of_app)				security_result.severity
Application Characteristic (characteristic_of_app)			characteristic_of_app	about.labels.key/value
Application Container (container_of_app)			container_of_app	about.labels.key/value
Application SaaS (is_saas_of_app)			is_saas_of_app	about.labels.key/value
Application Sanctioned State (sanctioned_state_of_app)			sanctioned_state_of_app	about.labels.key/value

Tunnel

The following table lists the log fields of the tunnel log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)	Subtype		metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated)				metadata.event_timestamp
Source Address (src)	src	src		principal.ip
Destination Address (dst)	dst	dst		target.ip
NAT Source IP (natsrc)	sourceTranslatedAddress	srcPostNAT		principal.nat_ip
NAT Destination IP (natdst)	destinationTranslatedAddress	dstPostNAT		target.nat_ip
Rule Name (rule)	cs1	RuleName		security_result.rule_name
Source User (srcuser)	suser	SourceUser / usrName		principal.user.userid
Destination User (dstuser)	duser	DestinationUser		target.user.userid
Application (app)	app	Application		network.application_protocol
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Source Zone (from)	cs4	SourceZone	from	principal.labels.key/value
Destination Zone (to)	cs5	DestinationZone	to	target.labels.key/value
Inbound Interface (inbound_if)	deviceInboundInterface	IngressInterface	inbound_if	principal.labels.key/value
Outbound Interface (outbound_if)	deviceOutboundInterface	EgressInterface	outbound_if	target.labels.key/value
Log Action (logset)	cs6	LogForwardingProfile	logset	about.labels.key/value
Session ID (sessionid)	cn1	SessionID		network.session_id
Repeat Count (repeatcnt)	cnt	RepeatCount	repeatcnt	about.labels.key/value
Source Port (sport)	spt	srcPort		principal.port
Destination Port (dport)	dpt	dstPort		target.port
NAT Source Port (natsport)	sourceTranslatedPort	srcPostNATPort		principal.nat_port
NAT Destination Port (natdport)	destinationTranslatedPort	dstPostNATPort		target.nat_port
Flags (flags)	flexString1	Flags	flags	about.labels.key/value
IP Protocol (proto)	proto	proto		network.ip_protocol
Action (action)	act	action		security_result.action_details security_result.action
Severity (severity)				security_result.severity and security_result.severity_details
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Source Location (srcloc)				principal.location.country_or_region
Destination Location (dstloc)				target.location.country_or_region
Device Group Hierarchy (dg_hier_level_1)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
Tunnel ID (tunnelid)	PanOSTunnelID	TunnelID	tunnelid	about.labels.key/value
Monitor Tag (monitortag)	PanOSMonitorTag	MonitorTag	monitortag	about.labels.key/value
Parent Session ID (parent_session_id)	PanOSParentSessionID	ParentSessionID	parent_session_id	about.labels.key/value
Parent Start Time (parent_start_time)	PanOSParentStartTime	ParentStartTime	parent_start_time	about.labels.key/value
Tunnel Type (tunnel)	cs2	TunnelType	tunnel	about.labels.key/value
Bytes (bytes)	flexNumber1	totalBytes	bytes	about.labels.key/value
Bytes Sent (bytes_sent)	in	srcBytes		network.sent_bytes
Bytes Received (bytes_received)	out	dstBytes		network.received_bytes
Packets (packets)	cn2	totalPackets	packets	about.labels.key/value
Packets Sent (pkts_sent)	PanOSPacketsSent	srcPackets	pkts_sent	about.labels.key/value
Packets Received (pkts_received)	PanOSPacketsReceived	dstPackets	pkts_received	about.labels.key/value
Maximum Encapsulation (max_encap)	flexNumber2	MaximumEncapsulation	max_encap	about.labels.key/value
Unknown Protocol (unknown_proto)	cfp1	UnknownProtocol	unknown_proto	about.labels.key/value
Strict Checking (strict_check)	cfp2	StrictChecking	strict_check	about.labels.key/value
Tunnel Fragment (tunnel_fragment)	PanOSTunnelFragment	TunnelFragment	tunnel_fragment	about.labels.key/value
Sessions Created (sessions_created)	cfp3	SessionsCreated	sessions_created	about.labels.key/value
Sessions Closed (sessions_closed)	cfp4	SessionsClosed	sessions_closed	about.labels.key/value
Session End Reason (session_end_reason)	reason	SessionEndReason		security_result.summary
Action Source (action_source)	cat	ActionSource	action_source	about.labels.key/value
Start Time (start)		startTime	start	about.labels.key/value
Elapsed Time (elapsed)	cn3	ElapsedTime	elapsed	about.labels.key/value
Tunnel Inspection Rule (tunnel_insp_rule)	PanOSTunneInspectionRule			security_result.rule_name = "Tunnel Inspection Rule: %{PanOSTunnelInspectionRule}"
Remote User IP (remote_user_ip)	PanOSRmtUserIP			target.ip
Remote User ID (remote_user_id)	PanOSRmtUserID		remote_user_id	target.labels.key/value
Security Rule UUID (rule_uuid)	PanOSRuleUUID			security_result.rule_id
PCAP ID (pcap_id)	PanOSPcapID		pcap_id	about.labels.key/value
Dynamic User Group Name (dynusergroup_name)	PanDynamicUsrgrp			principal.group.group_display_name
Source External Dynamic List (src_edl)	PanOSSourceEDL		src_edl	principal.labels.key/value
Destination External Dynamic List (dst_edl)	PanOSDestinationEDL		dst_edl	target.labels.key/value
High Resolution Timestamp (high_res timestamp)	PanOSTimeGeneratedHighResolution			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
A Slice Differentiator (nssai_sd)			nssai_sd	about.labels.key/value
A Slice Service Type (nssai_sd)			nssai_sd1	about.labels.key/value
PDU Session ID (pdu_session_id)			pdu_session_id	about.labels.key/value
Application Subcategory (subcategory_of_app)			subcategory_of_app	about.labels.key/value
Application Category (category_of_app)			category_of_app	about.labels.key/value
Application Technology (technology_of_app)			technology_of_app	about.labels.key/value
Application Risk (risk_of_app)			risk_of_app	about.labels.key/value
Application Characteristic (characteristic_of_app)			characteristic_of_app	about.labels.key/value
Application Container (container_of_app)			container_of_app	about.labels.key/value
Application SaaS (is_saas_of_app)			is_saas_of_app	about.labels.key/value
Application Sanctioned State (sanctioned_state_of_app)			sanctioned_state_of_app	about.labels.key/value

Authentication

The following table lists the log fields of the authentication log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time or cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)	Subtype		metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated)				metadata.event_timestamp
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Source IP (ip)	src	src		principal.ip
User (user)	duser	usrName		target.user.userid
Normalize User (normalize_user)	cs2	NormalizeUser		target.user.user_display_name
Object (object)	fname	ObjectName	object	about.labels.key/value
Authentication Policy (authpolicy)	cs4	AuthPolicy	authpolicy	about.labels.key/value
Repeat Count (repeatcnt)	cnt	RepeatCount	repeatcnt	about.labels.key/value
Authentication ID (authid)	cn2	AuthenticationID	authid	about.labels.key/value
Vendor (vendor)	flexString2	Vendor	vendor	about.labels.key/value
Log Action (logset)	cs6	LogForwardingProfile	logset	about.labels.key/value
Server Profile (serverprofile)	cs1	ServerProfile	serverprofile	about.labels.key/value
Description (desc)	PanOSDesc	AdditionalAuthInfo		security_result.description
Client Type (clienttype)	cs5	ClientType	clienttype	about.labels.key/value
Event Type (event)	msg	msg		extensions.auth.auth_details
Factor Number (factorno)	cn1	FactorNumber	factorno	about.labels.key/value
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Device Group Hierarchy (dg_hier_level_1)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
Virtual System ID (vsys_id)				principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Authentication Protocol (authproto)			authproto	about.labels.key/value
UUID for rule (rule_uuid)	PanOSRuleUUID			security_result.rule_id
High Resolution Timestamp (high_res _timestamp)	PanOSTimeGeneratedHighResolution			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Source Device Category (src_category)	PanOSSourceDeviceCategory		src_category	principal.labels.key/value
Source Device Profile (src_profile)	PanOSSourceDeviceProfile		src_profile	principal.labels.key/value
Source Device Model (src_model)	PanOSSourceDeviceModel		src_model	principal.labels.key/value
Source Device Vendor (src_vendor)	PanOSSourceDeviceVendor		src_vendor	principal.labels.key/value
Source Device OS Family (src_osfamily)	PanOSSourceDeviceOSFamily			principal.asset.platform_software.platform principal.labels.key/value
Source Device OS Version (src_osversion)	PanOSSourceDeviceOSVersion			principal.asset.software.version
Source Hostname (src_host)	PanOSSourceHostname			principal.hostname
Source MAC Address (src_mac)	PanOSSourceMac			principal.asset.mac
Region (region)	PanOSTrafficOriginRegion			principal.location.country_or_region
User Agent (user_agent)	PanOSHTTPUserAgent			network.http.user_agent
Session ID(sessionid)	PanOSTrafficSessionID			network.session_id

URL

The following table lists the log fields of the URL log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial # (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)	Subtype		metadata.product_event_type
Generate Time				metadata.event_timestamp
Source address (src)	src	src		principal.ip
Destination address (dst)	dst	dst		target.ip
NAT Source IP (natsrc)	sourceTranslatedAddress	srcPostNAT		principal.nat_ip
NAT Destination IP (natdst)	destinationTranslatedAddress	dstPostNAT		target.nat_ip
Rule (rule)	cs1	RuleName		security_result.rule_name
Source User (srcuser)	suser	SourceUser		principal.user.userid
Destination User (dstuser)	duser	DestinationUser		target.user.userid
Application (app)	app	Application		network.application_protocol
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Source Zone (from)	cs4	SourceZone	from	principal.labels.key/value
Destination Zone (to)	cs5	DestinationZone	to	target.labels.key/value
Inbound Interface (inbound_if)	deviceInboundInterface	IngressInterface	inbound_if	principal.labels.key/value
Outbound Interface (outbound_if)	deviceOutboundInterface	EgressInterface	outbound_if	target.labels.key/value
Log Action (logset)	cs6	LogForwardingProfile	logset	about.labels.key/value
Time Logged			time_logged	about.labels.key/value
Session ID (sessionid)	cn1	SessionID		network.session_id
Repeat Count (repeatcnt)	cnt	RepeatCount	repeatcnt	about.labels.key/value
Source Port (sport)	spt	srcPort		principal.port
Destination Port (dport)	dpt	dstPort		target.port
NAT Source Port (natsport)	sourceTranslatedPort	srcPostNATPort		principal.nat_port
NAT Destination Port (natdport)	destinationTranslatedPort	dstPostNATPort		target.nat_port
Flags (flags)	flexString1	Flags	flags	about.labels.key/value
IP Protocol (proto)	proto	proto		network.ip_protocol
Action (action)	act	action		security_result.action_details security_result.action
URL/Filename (misc)		Miscellaneous		target.file.full_path target.url
Threat/Content Name (threatid)	cat	ThreatID		security_result.threat_id
Category (category)	cs2	URLCategory	category	about.labels.key/value
Severity (severity)	number-of-severity (Header)	Severity		security_result.severity security_result.severity_details
Direction (direction)	flexString2	Direction		network.direction
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Source Country (srcloc)		SourceLocation		principal.location.country_or_region
Destination Country (dstloc)		DestinationLocation		target.location.country_or_region
contenttype (contenttype)	requestContext	ContentType	contenttype	about.labels.key/value
pcap_id (pcap_id)	fileId	PCAP_ID	pcap_id	about.labels.key/value
filedigest (filedigest)		FileDigest		about.file.sha1/md5/sha256
cloud (cloud)		Cloud	cloud	about.labels.key/value
url_idx (url_idx)		URLIndex	url_idx	about.labels.key/value
user_agent (user_agent)	requestClientApplication	UserAgent		network.http.user_agent
filetype (filetype)				about.file.mime_type
xff (xff)	PanOSXForwarderfor	identSrc	xff	about.labels.key/value
referer (referer)	PanOSReferer	Referer		network.http.referral_url
sender (sender)				network.email.from
subject (subject)		Subject		network.email.subject
recipient (recipient)				network.email.to
reportid (reportid)			reportid	about.labels.key/value
DG Hierarchy Level 1 (dg_hier_level_1)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
DG Hierarchy Level 2 (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
DG Hierarchy Level 3 (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
DG Hierarchy Level 4 (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
file_url (file_url)				about.url
Source VM UUID (src_uuid)		SrcUUID		principal.asset.asset_id
Destination VM UUID (dst_uuid)		DstUUID		target.asset.asset_id
http_method (http_method)	requestMethod	RequestMethod		network.http.method
Tunnel ID/IMSI (tunnelid)	PanOSTunnelID	TunnelID	tunnelid	about.labels.key/value
Monitor Tag/IMEI (monitortag)	PanOSMonitorTag	MonitorTag	monitortag	about.labels.key/value
Parent Session ID (parent_session_id)	PanOSParentSessionID	ParentSessionID	parent_session_id	about.labels.key/value
Parent Session Start Time (parent_start_time)	PanOSParentStartTime	ParentStartTime	parent_start_time	about.labels.key/value
Tunnel (tunnel)	PanOSTunnelType	TunnelType	tunnel	about.labels.key/value
thr_category (thr_category)	PanOSThreatCategory	ThreatCategory	thr_category	security_result.detection_fields.key/value
contentver (contentver)	PanOSContentVer	ContentVer	contentver	about.labels.key/value
sig_flags (sig_flags)			sig_flags	about.labels.key/value
SCTP Association ID (assoc_id)	PanOSAssocID		assoc_id	about.labels.key/value
Payload Protocol ID (ppid)	PanOSPPID		ppid	about.labels.key/value
http_headers (http_headers)	PanOSHTTPHeader		http_headers	about.labels.key/value
URL Category List (url_category_list)	PanOSURLCatList		url_category_list	about.labels.key/value
UUID for rule (rule_uuid)	PanOSRuleUUID		rule_uuid	about.labels.key/value
HTTP/2 Connection (http2_connection)	PanOSHTTP2Con		http2_connection	about.labels.key/value
dynusergroup_name (dynusergroup_name)	PanDynamicUsrgrp		dynusergroup_name	about.labels.key/value
XFF address (xff_ip)	PanXFFIP			principal.ip
Source Device Category (src_category)	PanSrcDeviceCat		src_category	principal.labels.key/value
Source Device Profile (src_profile)	PanSrcDeviceProf		src_profile	principal.labels.key/value
Source Device Model (src_model)	PanSrcDeviceModel		src_model	principal.labels.key/value
Source Device Vendor (src_vendor)	PanSrcDeviceVendor		src_vendor	principal.labels.key/value
Source Device OS Family (src_osfamily)	PanSrcDeviceOS			principal.asset.platform_software.platform principal.labels.key/value
Source Device OS Version (src_osversion)	PanSrcDeviceOSv			principal.asset.software.version
Source Hostname (src_host)	PanSrcHostname		src_host	principal.labels.key/value
Source Mac Address (src_mac)	PanSrcMac			principal.mac
Destination Device Category (dst_category)	PanDstDeviceCat		dst_category	target.labels.key/value
Destination Device Profile (dst_profile)	PanDstDeviceProf		dst_profile	target.labels.key/value
Destination Device Model (dst_model)	PanDstDeviceModel		dst_model	target.labels.key/value
Destination Device Vendor (dst_vendor)	PanDstDeviceVendor		dst_vendor	target.labels.key/value
Destination Device OS Family (dst_osfamily)	PanDstDeviceOS			target.asset.platform_software.platform target.labels.key/value
Destination Device OS Version (dst_osversion)	PanDstDeviceOSv			target.asset.software.version
Destination Hostname (dst_host)	PanPODNamespace			target.hostname
Destination Mac Address (dst_mac)	PanDstMac			target.mac
Container ID (container_id)	PanContainerName		container_id	about.labels.key/value
POD Namespace (pod_namespace)	PanPODNamespace		pod_namespace	about.labels.key/value
POD Name (pod_name)	PanPODName		pod_name	about.labels.key/value
Source External Dynamic List (src_edl)	PanSrcEDL		src_edl	principal.labels.key/value
Destination External Dynamic List (dst_edl)	PanDstEDL		dst_edl	target.labels.key/value
Host ID (hostid)	PanGPHostID		hostid	about.labels.key/value
Serial Number (serialnumber)	PanEPSerial			principal.asset.hardware.serial_number
domain_edl (domain_edl)	PanDomainEDL		domain_edl	about.labels.key/value
Source Dynamic Address Group (src_dag)	PanSrcDAG			principal.group.group_display_name
Destination Dynamic Address Group (dst_dag)	PanDstDAG			target.group.group_display_name
partial_hash (partial_hash)	PanPartialHash		partial_hash	about.labels.key/value
High Res Timestamp (high_res_timestamp)	PanTimeHighRes			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Reason (reason)	PanReasonFilteringAction		reason	about.labels.key/value
justification (justification)	PanJustification		justification	about.labels.key/value
nssai_sst (nssai_sst)	PanASServiceType		nssai_sst	about.labels.key/value
Subcategory of app (subcategory_of_app)			subcategory_of_app	about.labels.key/value
Category of app (category_of_app)			category_of_app	about.labels.key/value
Technology of app (technology_of_app)			technology_of_app	about.labels.key/value
Risk of app (risk_of_app)			risk_of_app	about.labels.key/value
Characteristic of app (characteristic_of_app)			characteristic_of_app	about.labels.key/value
Container of app (container_of_app)			container_of_app	about.labels.key/value
Tunneled app (tunneled_app)			tunneled_app	about.labels.key/value
SaaS of app (is_saas_of_app)			is_saas_of_app	about.labels.key/value
Sanctioned State of app (sanctioned_state_of_app)			sanctioned_state_of_app	about.labels.key/value

Data

The following table lists the log fields of the data log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (cef-formatted-receive_time)	rt	devTime		metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial # (serial)	deviceExternalId	SerialNumber		intermediary.asset.hardware.serial_number
Type (type)	type (Header)	cat		metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)	Subtype		metadata.product_event_type
Generate Time				metadata.event_timestamp
Source address (src)	src	src		principal.ip
Destination address (dst)	dst	dst		target.ip
NAT Source IP (natsrc)	sourceTranslatedAddress	srcPostNAT		principal.nat_ip
NAT Destination IP (natdst)	destinationTranslatedAddress	dstPostNAT		target.nat_ip
Rule (rule)	cs1	RuleName		security_result.rule_name
Source User (srcuser)	suser	SourceUser		principal.user.userid
Destination User (dstuser)	duser	DestinationUser		target.user.userid
Application (app)	app	Application		network.application_protocol
Virtual System (vsys)	cs3	VirtualSystem	vsys	about.labels.key/value
Source Zone (from)	cs4	SourceZone	from	principal.labels.key/value
Destination Zone (to)	cs5	DestinationZone	to	target.labels.key/value
Inbound Interface (inbound_if)	deviceInboundInterface	IngressInterface	inbound_if	principal.labels.key/value
Outbound Interface (outbound_if)	deviceOutboundInterface	EgressInterface	outbound_if	target.labels.key/value
Log Action (logset)	cs6	LogForwardingProfile	logset	about.labels.key/value
Time Logged			time_logged	about.labels.key/value
Session ID (sessionid)	cn1	SessionID		network.session_id
Repeat Count (repeatcnt)	cnt	RepeatCount	repeatcnt	about.labels.key/value
Source Port (sport)	spt	srcPort		principal.port
Destination Port (dport)	dpt	dstPort		target.port
NAT Source Port (natsport)	sourceTranslatedPort	srcPostNATPort		principal.nat_port
NAT Destination Port (natdport)	destinationTranslatedPort	dstPostNATPort		target.nat_port
Flags (flags)	flexString1	Flags	flags	about.labels.key/value
IP Protocol (proto)	proto	proto		network.ip_protocol
Action (action)	act	action		security_result.action_details security_result.action
URL/Filename (misc)		Miscellaneous		target.file.full_path target.url
Threat/Content Name (threatid)	cat	ThreatID		security_result.threat_id
Category (category)	cs2	URLCategory	category	about.labels.key/value
Severity (severity)	number-of-severity (Header)	Severity		security_result.severity security_result.severity_details
Direction (direction)	flexString2	Direction		network.direction
Sequence Number (seqno)	externalId	sequence		metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags	ActionFlags	actionflags	about.labels.key/value
Source Country (srcloc)		SourceLocation		principal.location.country_or_region
Destination Country (dstloc)		DestinationLocation		target.location.country_or_region
contenttype (contenttype)		ContentType	contenttype	about.labels.key/value
pcap_id (pcap_id)	fileId	PCAP_ID	pcap_id	about.labels.key/value
filedigest (filedigest)		FileDigest		about.file.sha1/md5/sha256
cloud (cloud)		Cloud	cloud	about.labels.key/value
url_idx (url_idx)		URLIndex	url_idx	about.labels.key/value
user_agent (user_agent)				network.http.user_agent
filetype (filetype)				about.file.mime_type
xff (xff)			xff	about.labels.key/value
referer (referer)				network.http.referral_url
sender (sender)				network.email.from
subject (subject)		Subject		network.email.subject
recipient (recipient)				network.email.to
reportid (reportid)			reportid	about.labels.key/value
DG Hierarchy Level 1 (dg_hier_level_1)	PanOSDGl1	DeviceGroupHierarchyL1	dg_hier_level_1	about.labels.key/value
DG Hierarchy Level 2 (dg_hier_level_2)	PanOSDGl2	DeviceGroupHierarchyL2	dg_hier_level_2	about.labels.key/value
DG Hierarchy Level 3 (dg_hier_level_3)	PanOSDGl3	DeviceGroupHierarchyL3	dg_hier_level_3	about.labels.key/value
DG Hierarchy Level 4 (dg_hier_level_4)	PanOSDGl4	DeviceGroupHierarchyL4	dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)	PanOSVsysName	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	dvchost	DeviceName		intermediary.hostname
file_url (file_url)				about.url
Source VM UUID (src_uuid)		SrcUUID		principal.asset.asset_id
Destination VM UUID (dst_uuid)		DstUUID		target.asset.asset_id
http_method (http_method)		RequestMethod		network.http.method
Tunnel ID/IMSI (tunnelid)	PanOSTunnelID	TunnelID	tunnelid	about.labels.key/value
Monitor Tag/IMEI (monitortag)	PanOSMonitorTag	MonitorTag	monitortag	about.labels.key/value
Parent Session ID (parent_session_id)	PanOSParentSessionID	ParentSessionID	parent_session_id	about.labels.key/value
Parent Session Start Time (parent_start_time)	PanOSParentStartTime	ParentStartTime	parent_start_time	about.labels.key/value
Tunnel (tunnel)	PanOSTunnelType	TunnelType	tunnel	about.labels.key/value
thr_category (thr_category)	PanOSThreatCategory	ThreatCategory	thr_category	security_result.detection_fields.key/value
contentver (contentver)	PanOSContentVer	ContentVer	contentver	about.labels.key/value
sig_flags (sig_flags)			sig_flags	about.labels.key/value
SCTP Association ID (assoc_id)	PanOSAssocID		assoc_id	about.labels.key/value
Payload Protocol ID (ppid)	PanOSPPID		ppid	about.labels.key/value
http_headers (http_headers)	PanOSHTTPHeader		http_headers	about.labels.key/value
URL Category List (url_category_list)			url_category_list	about.labels.key/value
UUID for rule (rule_uuid)	PanOSRuleUUID		rule_uuid	about.labels.key/value
HTTP/2 Connection (http2_connection)			http2_connection	about.labels.key/value
dynusergroup_name (dynusergroup_name)			dynusergroup_name	principal.labels.key/value
XFF address (xff_ip)				principal.ip
Source Device Category (src_category)			src_category	principal.labels.key/value
Source Device Profile (src_profile)			src_profile	principal.labels.key/value
Source Device Model (src_model)			src_model	principal.labels.key/value
Source Device Vendor (src_vendor)			src_vendor	principal.labels.key/value
Source Device OS Family (src_osfamily)				principal.asset.platform_software.platform principal.labels.key/value
Source Device OS Version (src_osversion)				principal.asset.software.version
Source Hostname (src_host)			src_host	principal.labels.key/value
Source Mac Address (src_mac)				principal.mac
Destination Device Category (dst_category)			dst_category	target.labels.key/value
Destination Device Profile (dst_profile)			dst_profile	target.labels.key/value
Destination Device Model (dst_model)			dst_model	target.labels.key/value
Destination Device Vendor (dst_vendor)			dst_vendor	target.labels.key/value
Destination Device OS Family (dst_osfamily)				target.asset.platform_software.platform target.labels.key/value
Destination Device OS Version (dst_osversion)				target.asset.software.version
Destination Hostname (dst_host)				target.hostname
Destination Mac Address (dst_mac)				target.mac
Container ID (container_id)			container_id	about.labels.key/value
POD Namespace (pod_namespace)			pod_namespace	about.labels.key/value
POD Name (pod_name)			pod_name	about.labels.key/value
Source External Dynamic List (src_edl)			src_edl	principal.labels.key/value
Destination External Dynamic List (dst_edl)			dst_edl	target.labels.key/value
Host ID (hostid)			hostid	about.labels.key/value
Serial Number (serialnumber)				principal.asset.hardware.serial_number
domain_edl (domain_edl)			domain_edl	about.labels.key/value
Source Dynamic Address Group (src_dag)				principal.group.group_display_name
Destination Dynamic Address Group (dst_dag)				target.group.group_display_name
partial_hash (partial_hash)			partial_hash	about.labels.key/value
High Res Timestamp (high_res_timestamp)				metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Reason (reason)			reason	about.labels.key/value
justification (justification)			justification	about.labels.key/value
nssai_sst (nssai_sst)			nssai_sst	about.labels.key/value
Subcategory of app (subcategory_of_app)			subcategory_of_app	about.labels.key/value
Category of app (category_of_app)			category_of_app	about.labels.key/value
Technology of app (technology_of_app)			technology_of_app	about.labels.key/value
Risk of app (risk_of_app)			risk_of_app	about.labels.key/value
Characteristic of app (characteristic_of_app)			characteristic_of_app	about.labels.key/value
Container of app (container_of_app)			container_of_app	about.labels.key/value
Tunneled app (tunneled_app)			tunneled_app	about.labels.key/value
SaaS of app (is_saas_of_app)			is_saas_of_app	about.labels.key/value
Sanctioned State of app (sanctioned_state_of_app)			sanctioned_state_of_app	about.labels.key/value

GlobalProtect

The following table lists the log fields of the GlobalProtect log type and their corresponding UDM fields.

CSV field	CEF field	LEEF field	Chronicle label key	UDM field
Receive Time (receive_time)	rt		received_time	metadata.event_timestamp
Serial # (serial)	PanOSDeviceSN		intermediary_asset_hardware_serial_number	intermediary.asset.hardware.serial_number
Type (type)	type (Header)			metadata.product_event_type
Threat/Content Type (subtype)	subtype (Header)	Subtype		metadata.product_event_type
Generate Time (time_generated)	PanOSLogTimeStamp		generated_timestamp	metadata.event_timestamp
Virtual System (vsys)	PanOSVirtualSystem		vsys	about.labels.key/value
Event ID (eventid)	PanOSEventID		event_id	about.labels.key/value
Stage (stage)	PanOSStage		stage	about.labels.key/value
Authentication Method (auth_method)	PanOSAuthMethod		extension_auth_auth_details	extensions.auth.auth_details
Tunnel Type (tunnel_type)	PanOSTunnelType		tunnel	about.labels.key/value
Source User (srcuser)	PanOSSourceUserName		src_user	principal.user.email_address principal.user.userid principal.administrative_domain
Source Region (srcregion)	PanOSSourceRegion		src_region	principal.location.country_or_region
Machine Name (machinename)	PanOSEndpointDeviceName		machine_name	principal.hostname
Public IP (public_ip)	PanOSPublicIPv4			principal.nat_ip
Public IPv6 (public_ipv6)	PanOSPublicIPv6			principal.nat_ip
Private IP (private_ip)	PanOSPrivateIPv4			principal.ip
Private IPv6 (private_ipv6)	PanOSPrivateIPv6			principal.ip
Host ID (hostid)	PanOSHostID		hostid	principal.asset.asset_id
Serial Number (serialnumber)	PanOSDeviceSN			principal.asset.hardware.serial_number
Client Version (client_ver)	PanOSGlobalProtectClientVersion		client_ver	about.labels.key/value
Client OS (client_os)	PanOSEndpointOSType			principal.asset.platform_software.platform(enum)
Client OS Version (client_os_ver)	PanOSEndpointOSVersion			principal.asset.platform_software.platform_version
Repeat Count (repeatcnt)	PanOSCountOfRepeats		repeatcnt	about.labels.key/value
Reason (reason)	PanOSQuarantineReason			security_result.summary
Error (error)	PanOSConnectionError		error	security_result.description
Description (opaque)	PanOSDescription			security_result.description
Status (status)	PanOSEventStatus		status	about.labels.key/value
Location (location)	PanOSGPGatewayLocation			target.location.country_or_region
Login Duration (login_duration)	PanOSLoginDuration			network.session_duration
Connect Method (connect_method)	PanOSConnectionMethod		connect_method	about.labels.key/value
Error Code (error_code)	PanOSConnectionErrorID		error_code	about.labels.key/value
Portal (portal)	PanOSPortal		portal	about.labels.key/value
Sequence Number (seqno)	PanOSSequenceNo			metadata.product_log_id
Action Flags (actionflags)	PanOSActionFlags		actionflags	about.labels.key/value
High Resolution Timestamp (high_res_timestamp)	anOSTimeGeneratedHighResolution			metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Gateway Selection Method (selection_type)	PanOSGatewaySelectionType		selection_type	about.labels.key/value
SSL Response Time (response_time)	PanOSSSLResponseTime		response_time	about.labels.key/value
Gateway Priority (priority)	PanOSGatewayPriority		priority	about.labels.key/value
Attempted Gateways (attempted_gateways)	PanOSAttemptedGateways		attempted_gateways	about.labels.key/value
Gateway Name (gateway)	PanOSAttemptedGateways		gateway	about.labels.key/value
Device Group Hierarchy (dg_hier_level_1)			dg_hier_level_1	about.labels.key/value
Device Group Hierarchy (dg_hier_level_2)			dg_hier_level_2	about.labels.key/value
Device Group Hierarchy (dg_hier_level_3)			dg_hier_level_3	about.labels.key/value
Device Group Hierarchy (dg_hier_level_4)			dg_hier_level_4	about.labels.key/value
Virtual System Name (vsys_name)				principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)				target.hostname
Virtual System ID (vsys_id)				principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id

Correlation

The following table lists the log fields of the Correlation log type and their corresponding UDM fields.

CSV field	LEEF field	Chronicle label key	UDM field
Generated Time (time_generated or cef-formatted-time_generated)	startTime	generated_timestamp	metadata.event_timestamp
Source Address (src)	src		principal.ip
Source User (srcuser)	SourceUser / usrName		principal.user.userid
Virtual System (vsys)	VirtualSystem	vsys	about.labels.key/value
Category (category)			security_result.category_details
Severity (severity)	Severity		security_result.severity and security_result.severity_details
Device Group Hierarchy Level 1	DeviceGroupHierarchyL1		about.labels.key/value
Device Group Hierarchy Level 2	DeviceGroupHierarchyL2		about.labels.key/value
Device Group Hierarchy Level 3	DeviceGroupHierarchyL3		about.labels.key/value
Device Group Hierarchy Level 4	DeviceGroupHierarchyL4		about.labels.key/value
Virtual System Name (vsys_name)	vSrcName		principal.resource.name principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name)	DeviceName		intermediary.hostname
Virtual System ID (vsys_id)	VirtualSystemID		principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Object Name (objectname)	ObjectName		target.resource.name
Object ID (object_id)	ObjectID		target.resource.product_object_id

Field mapping reference: Log types to UDM event type

The following table lists the Palo Alto Networks firewall log types and their corresponding UDM event types.

Log type	UDM event type
Traffic	NETWORK_CONNECTION
Threat	NETWORK_CONNECTION
URL Filtering	NETWORK_CONNECTION
WildFire	NETWORK_CONNECTION WildFire submissions logs are a subtype of Threat log type and use the same syslog format.
Data Filtering	NETWORK_CONNECTION
Tunnel	NETWORK_CONNECTION
Config	SETTING_MODIFICATION/SETTING_CREATION/SETTING_DELETION/SETTING_UNCATEGORIZED The value of the "Command (cmd)" field determines the UDM event type mapping. If the cmd field value is add or clone, SETTING_CREATION is set. If the cmd field value is delete, SETTING_DELETION is set. If the cmd field value is edit, move, rename, set, or commit, SETTING_MODIFICATION is set. If the cmd field value does not contain any values, then SETTING_UNCATEGORIZED is set.
System	If the value of subtype is dhcp, then NETWORK_DHCP is set. For other values, GENERIC_EVENT is set.
HIP Match	NETWORK_CONNECTION
IP Tag	GENERIC_EVENT
User-ID	USER_LOGIN/USER_LOGOUT/USER_UNCATEGORIZED If subtype value is "login", then USER_LOGIN is set. If subtype value is "logout", then USER_LOGOUT is set. If subtype does not contain any value, then USER_UNCATEGORIZED is set.
Decryption	NETWORK_CONNECTION
Authentication	GENERIC_EVENT

What's next

Data ingestion to Chronicle

Log format	PAN-OS version
CSV	10.1.3
CEF	10.0.0
LEEF	9.1.0