Collect Palo Alto Networks firewall logs
Overview
This document describes how you can configure syslog and a Google Security Operations forwarder to collect Palo Alto Networks firewall logs. This document also explains how Palo Alto Networks firewall log fields map to Google Security Operations Unified Data Model (UDM) fields.
For an overview about Google Security Operations data ingestion, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the PAN_FIREWALL ingestion label.
Before you begin
To understand the components deployed to collect Palo Alto Networks firewall logs, review the deployment architecture. Each customer deployment might differ from this representation and might be more complex.
The following diagram shows how you can configure syslog on a Palo Alto Networks firewall and install a Google Security Operations forwarder on a Linux server to forward log data to Google Security Operations. The parser supports logs written in the following data formats: Comma Separated Values (CSV), Common Event Format (CEF), and Log Event Extended Format (LEEF).
Verify the log formats and PAN-OS versions that the Google Security Operations parser supports. The following table lists the log formats and the corresponding PAN-OS versions that the Google Security Operations parser supports:
Log format PAN-OS version CSV 10.1.3 CEF 10.0.0 LEEF 9.1.0 Verify the Palo Alto Networks firewall log types that the Google Security Operations parser supports. The Google Security Operations parser supports the following Palo Alto Networks firewall log types:
- Traffic
- Threat
- WildFire submissions
- Tunnel inspection
- Config
- System
- HIP match
- IP-Tag
- User-ID
- Decryption
- Authentication
- URL filtering
- Data filtering
- GlobalProtect
- Correlation
For more information about the Palo Alto Networks firewall log types, see PAN-OS log types.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Before you use the Palo Alto Networks firewall Gold parser, review the changes in field mappings between the default parser and Gold parser listed in this document. As part of the migration, ensure that the rules, searches, dashboards, or other processes that depend on the original fields use the updated fields.
For example, in the default parser, the "category" log field is mapped to the "security_result.description" UDM field. In the PAN firewall Gold parser, the "category" log field is mapped to the "security_result.category_details" UDM field. If you migrate to PAN firewall Gold parser and use "category" in your rules, you need to modify the rules to use the "security_result.category_details" UDM field of the Gold parser.
Configure syslog and the Google Security Operations forwarder
To configure syslog and the Google Security Operations forwarder, complete the following steps:
To monitor CSV logs, configure the syslog server profile. For more information, see Configure the syslog server profile.
When you configure the syslog server profile, specify "Default" as the custom log format.
To monitor CEF logs, configure the Palo Alto Networks firewall to forward CEF logs. For more information, download the PAN-OS CEF Integration guide PDF and see the "Configuration of Palo Alto Networks NGFW to output CEF events" section.
To monitor LEEF logs, configure the syslog server profile. For more information, see Custom log forwarding in LEEF format.
Configure the Google Security Operations forwarder to send logs to Google Security Operations. For more information, see Installing and configuring the forwarder on Linux. The following is an example of a Google Security Operations forwarder configuration:
- syslog: common: enabled: true data_type: PAN_FIREWALL batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60
Field mapping reference: PAN firewall logs fields to UDM fields
This section explains how the parser maps Palo Alto Networks firewall log fields to Google Security Operations UDM event fields for each log type.
The Google Security Operations label key refers to the name of the key mapped to Labels.key UDM field. For example, in the case of the "Virtual System" field, the field name is "cs3" in CEF format and is "VirtualSystem" in LEEF format. The UDM field "about.labels.key" contains the value "vsys" and the UDM field "about.labels.value" contains the value of that field.
Some of the CEF or LEEF field names do not have a name corresponding to the CSV field names. In such cases, if you add your own variable name in custom log format in the syslog profile, the parser does not map it to the UDM field.
Refer to the following sections for mapping reference of each log type:
- System
- Config
- Threat/wildfire
- Traffic
- User ID
- HIP match
- IP tag
- Decryption
- Tunnel
- Authentication
- URL
- Data
- GlobalProtect
- Correlation
System
The following table lists the log fields of the system log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type is set to "%{type} - %{subtype}". | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type is set to "%{type} - %{subtype}". | |
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Event ID (eventid) | cat | eventid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Object (object) | fname | Filename | object | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Module (module) | flexString2 | Module | module | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Severity (severity) | $number-of-severity(header) | Severity | security_result.severity and security_result.severity_details | |
| Description (opaque) | msg | msg | metadata.description | |
| principal_user_userid (This field is extracted from the msg field) | principal.user.userid | |||
| principal_ip3 (This field is extracted from the msg field) | principal.ip | |||
| Reason (This field is extracted from the msg field) | security_result.description | |||
| server_address (This field is extracted from the msg field.) | target.ip | |||
| server_profile (This field is extracted from the msg field.) | additional.fields.key and additional.fields.value.string_value | |||
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| High Resolution Timestamp (high_res_timestamp) | anOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
Config
The following table lists the log fields of the config log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | metadata.product_event_type | ||
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Host (host) | shost | src | principal.ip/hostname | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Command (cmd) | act | msg | cmd | metadata.description |
| Admin (admin) | duser | usrName | principal.user.userid | |
| Client (client) | destinationServiceName | client | principal.application | |
| Result (result) | Signature ID (Header)(reason) | Result | security_result.summary | |
| Configuration Path (path) | msg | ConfigurationPath | principal.process.command_line | |
| Before Change Detail (before_change_detail) | cs1 | BeforeChangeDetail | before_change_detail | target.resource.attribute.labels.key/value |
| After Change Detail (after_change_detail) | cs2 | AfterChangeDetail | after_change_detail | target.resource.attribute.labels.key/value |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Device Group (dg_id) | PanOSFWDeviceGroup | dg_id | principal.asset.attribute.labels.key/value | |
| Audit Comment (comment) | PanOSPolicyAuditComment | comment | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
Threat/WildFire
The following table lists the log fields of the Threat/WildFire log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial #) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | cat/subtype (Header) | Subtype | metadata.product_event_type | |
| Generate Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Source address (src) | src | src | principal.ip | |
| Destination address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule Name (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser / usrName | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | target.application | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| URL/Filename (misc) | request | Miscellaneous | target.file.full_path (if subtype is 'file', 'virus', 'wildfire-virus', or 'wildfire' then `misc` field is mapped to target.file.full_path) target.url (if subtype is 'url' then `misc` field is mapped to target.url and target.hostname) target.hostname (if subtype is 'spyware' or 'vulnerability' then `misc` field is mapped to target.file.full_path and target.url) |
|
| Threat/Content Name (threatid) | cat | ThreatID | security_result.threat_name | |
| Category (category) | cs2 | URLCategory | security_result.category_details | |
| Severity (severity) | number-of-severity(header) | Severity | security_result.severity and security_result.severity_details | |
| Direction (direction) | flexString2 | Direction | network.direction | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Country (srcloc) | SourceLocation | principal.location.country_or_region | ||
| Destination Country (dstloc) | DestinationLocation | target.location.country_or_region | ||
| Content Type (contenttype) | ContentType | contenttype | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| PCAP ID (pcap_id) | fileId | PCAP_ID | pcap_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| File Digest (filedigest) | fileHash | FileDigest | about.file.sha1/md5/sha256 | |
| Cloud (cloud) | filePath | Cloud | cloud | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| URL Index (url_idx) | URLIndex | url_idx | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| User Agent (user_agent) | network.http.user_agent | |||
| File Type (filetype) | fileType | FileType | about.file.mime_type | |
| X-Forwarded-For (xff) | principal.ip | |||
| Referer (referer) | network.http.referral_url | |||
| Sender (sender) | suid | Sender | network.email.from | |
| Subject (subject) | msg | Subject | network.email.subject | |
| Recipient (recipient) | duid | Recipient | network.email.to | |
| Report ID (reportid) | oldFileId | ReportID | reportid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Source VM UUID (src_uuid) | PanOSSrcUUID | SrcUUID | principal.user.product_object_id | |
| Destination VM UUID (dst_uuid) | PanOSDstUUID | DstUUID | target.user.product_object_id | |
| HTTP Method (http_method) | RequestMethod | network.http.method | ||
| Tunnel ID/IMSI (tunnel_id/imsi) | PanOSTunnelID | TunnelID | tunnel_id/imsi | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Monitor Tag/IMEI (monitortag/imei) | PanOSMonitorTag | MonitorTag | monitortag/imei | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Parent Session Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Tunnel Type (tunnel) | PanOSTunnelType | TunnelType | tunnel | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Threat Category (thr_category) | PanOSThreatCategory | ThreatCategory | thr_category | security_result.detection_fields.key/value |
| Content Version (contentver) | PanOSContentVer | ContentVer | contentver | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| SCTP Association ID (assoc_id) | PanOSAssocID | assoc_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Payload Protocol ID (ppid) | PanOSPPID | ppid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| HTTP Headers (http_headers) | PanOSHTTPHeader | http_headers | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| URL Category List (url_category_list) | PanOSURLCatList | url_category_list | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Rule UUID (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| HTTP/2 Connection (http2_connection) | PanOSHTTP2Con | http2_connection | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Dynamic User Group Name (dynusergroup_name) | PanDynamicUsrgrp | dynusergroup_name | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| XFF Address (xff_ip) | PanXFFIP | principal.ip | ||
| Source Device Category (src_category) | PanSrcDeviceCat | src_category | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Profile (src_profile) | PanSrcDeviceProf | src_profile | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Model (src_model) | PanSrcDeviceModel | src_model | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Vendor (src_vendor) | PanSrcDeviceVendor | src_vendor | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device OS Family (src_osfamily) | PanSrcDeviceOS | src_osfamily | principal.asset.platform_software.platform principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device OS Version (src_osversion) | PanSrcDeviceOSv | principal.asset.software.version | ||
| Source Hostname (src_host) | PanSrcHostname | principal.hostname | ||
| Source MAC Address (src_mac) | PanSrcMac | principal.mac | ||
| Destination Device Category (dst_category) | PanDstDeviceCat | dst_category | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Profile (dst_profile) | PanDstDeviceProf | dst_profile | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Model (dst_model) | PanDstDeviceModel | dst_model | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Vendor (dst_vendor) | PanDstDeviceVendor | dst_vendor | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device OS Family (dst_osfamily) | PanDstDeviceOS | dst_osfamily | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device OS Version (dst_osversion) | PanDstDeviceOSv | target.asset.software.version | ||
| Destination Hostname (dst_host) | PanDstHostname | target.hostname | ||
| Destination MAC Address (dst_mac) | PanDstMac | target.mac | ||
| Container ID (container_id) | PanContainerName | container_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| POD Namespace (pod_namespace) | PanPODNamespace | pod_namespace | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| POD Name (pod_name) | PanPODName | pod_name | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source External Dynamic List (src_edl) | PanSrcEDL | src_edl | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination External Dynamic List (dst_edl) | PanDstEDL | dst_edl | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Host ID (hostid) | PanGPHostID | hostid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| User Device Serial Number (serialnumber) | PanEPSerial | principal.asset.hardware.serial_number | ||
| Domain EDL (domain_edl) | PanDomainEDL | domain_edl | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Dynamic Address Group (src_dag) | PanSrcDAG | principal.group.group_display_name | ||
| Destination Dynamic Address Group (dst_dag) | PanDstDAG | target.group.group_display_name | ||
| Partial Hash (partial_hash) | PanPartialHash | partial_hash | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| High Resolution Timestamp (high_res timestamp) | PanTimeHighRes | high_res timestamp | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Reason (reason) | PanReasonFilteringAction | reason | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Justification (justification) | PanJustification | justification | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| A Slice Service Type (nssai_sst) | PanASServiceType | nssai_sst | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Application Subcategory (subcategory_of_app) | subcategory_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Category (category_of_app) | category_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Technology (technology_of_app) | technology_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Risk (risk_of_app) | risk_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Characteristic (characteristic_of_app) | characteristic_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Container (container_of_app) | container_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Sanctioned State (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
Traffic
The following table lists the log fields of the traffic log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat/Type | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | start | metadata.event_timestamp | ||
| Source Address (src) | src | src | principal.ip | |
| Destination Address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule Name (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | target.application | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| Bytes (bytes) | flexNumber1 | totalBytes | bytes | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Bytes Sent (bytes_sent) | in | srcBytes | network.sent_bytes | |
| Bytes Received (bytes_received) | out | dstBytes | network.received_bytes | |
| Packets (packets) | cn2 | totalPackets | packets | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Start Time (start) | StartTime | start | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Elapsed Time (elapsed) | cn3 | ElapsedTime | elapsed | network.session_duration.seconds |
| Category (category) | cs2 | URLCategory | security_result.category / security_result.category_details | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Country (srcloc) | SourceLocation | principal.location.country_or_region | ||
| Destination Country (dstloc) | DestinationLocation | target.location.country_or_region | ||
| Packets Sent (pkts_sent) | PanOSPacketsSent | srcPackets | pkts_sent | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Packets Received (pkts_received) | PanOSPacketsReceived | dstPackets | pkts_received | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Session End Reason (session_end_reason) | reason | SessionEndReason | security_result.summary | |
| Device Group Hierarchy1 (dg_hier_level_1 to dg_hier_level_4) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy2 (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy3 (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Action Source (action_source) | cat | ActionSource | action_source | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source VM UUID (src_uuid) | PanOSSrcUUID | SrcUUID | principal.asset.product_object_id | |
| Destination VM UUID (dst_uuid) | PanOSDstUUID | DstUUID | target.asset.product_object_id | |
| Tunnel ID/IMSI (tunnelid/imsi) | PanOSTunnelID | TunnelID | tunnelid/imsi | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Monitor Tag/IMEI (monitortag/imei) | PanOSMonitorTag | MonitorTag | monitortag/imei | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Parent Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Tunnel Type (tunnel) | PanOSTunnelType | TunnelType | tunnel | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| SCTP Association ID (assoc_id) | PanOSSCTPAssocID | assoc_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| SCTP Chunks (chunks) | PanOSSCTPChunks | chunks | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| SCTP Chunks Sent (chunks_sent) | PanOSSCTPChunkSent | chunks_sent | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| SCTP Chunks Received (chunks_received) | PanOSSCTPChunksRcv | chunks_received | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Rule UUID (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| HTTP/2 Connection (http2_connection) | PanOSHTTP2Con | http2_connection | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| App Flap Count (link_change_count) | PanLinkChange | link_change_count | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Policy ID (policy_id) | PanPolicyID | policy_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Link Switches (link_switches) | PanLinkDetail | link_switches | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| SD-WAN Cluster (sdwan_cluster) | PanSDWANCluster | sdwan_cluster | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| SD-WAN Device Type (sdwan_device_type) | PanSDWANDevice | sdwan_device_type | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| SD-WAN Cluster Type (sdwan_cluster_type) | PanSDWANClustype | sdwan_cluster_type | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| SD-WAN Site (sdwan_site) | PanSDWANSite | sdwan_site | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Dynamic User Group Name (dynusergroup_name) | PanDynamicUsrgrp | dynusergroup_name | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| XFF Address (xff_ip) | PanXFFIP | principal.ip | ||
| Source Device Category (src_category) | PanSrcDeviceCat | src_category | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Profile (src_profile) | PanSrcDeviceProf | src_profile | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Model (src_model) | PanSrcDeviceModel | src_model | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Vendor (src_vendor) | PanSrcDeviceVendor | src_vendor | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device OS Family (src_osfamily) | PanSrcDeviceOS | principal.asset.platform_software.platform principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source Device OS Version (src_osversion) | PanSrcDeviceOSv | principal.asset.software.version | ||
| Source Hostname (src_host) | PanSrcHostname | principal.hostname | ||
| Source MAC Address (src_mac) | PanSrcMac | principal.mac | ||
| Destination Device Category (dst_category) | PanDstDeviceCat | dst_category | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Profile (dst_profile) | PanDstDeviceProf | dst_profile | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Model (dst_model) | PanDstDeviceModel | dst_model | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Vendor (dst_vendor) | PanDstDeviceVendor | dst_vendor | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device OS Family (dst_osfamily) | PanDstDeviceOS | dst_osfamily | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device OS Version (dst_osversion) | PanDstDeviceOSv | target.asset.software.version | ||
| Destination Hostname (dst_host) | PanDstHostname | target.hostname | ||
| Destination MAC Address (dst_mac) | PanDstMac | target.mac | ||
| Container ID (container_id) | PanContainerName | container_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| POD Namespace (pod_namespace) | PanPODNamespace | pod_namespace | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| POD Name (pod_name) | PanPODName | pod_name | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source External Dynamic List (src_edl) | PanSrcEDL | src_edl | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination External Dynamic List (dst_edl) | PanDstEDL | dst_edl | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Host ID (hostid) | PanGPHostID | hostid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| User Device Serial Number (serialnumber) | PanEPSerial | principal.asset.hardware.serial_number | ||
| Source Dynamic Address Group (src_dag) | PanSrcDAG | principal.group.group_display_name | ||
| Destination Dynamic Address Group (dst_dag) | PanDstDAG | target.group.group_display_name | ||
| Session Owner (session_owner) | PanHASessionOwner | session_owner | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| High Resolution Timestamp (high_res_timestamp) | PanTimeHighRes | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| A Slice Service Type (nsdsai_sst) | PanASServiceType | nsdsai_sst | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| A Slice Differentiator (nsdsai_sd) | PanASServiceDiff | nsdsai_sd | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Application Subcategory (subcategory_of_app) | subcategory_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Category (category_of_app) | category_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Technology (technology_of_app) | technology_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Risk (risk_of_app) | security_result.severity | |||
| Application Characteristic (characteristic_of_app) | characteristic_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Container (container_of_app) | container_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Sanctioned State (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Subcategory (subcategory_of_app) | subcategory_of_app1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
User-ID
The following table lists the log fields of the user-id log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source IP (ip) | src | src | principal.ip | |
| User (user) | duser | usrName | target.user.userid
target.administrative_domain target.user.email_addresses |
|
| Data Source Name (datasourcename) | cs4 | DataSourceName | datasourcename | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Event ID (eventid) | EventID | eventid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Time Out Threshold (timeout) | cn3 | TimeoutThreshold | timeout | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Port (beginport) | spt | srcPort | principal.port | |
| Destination Port (endport) | dpt | dstPort | target.port | |
| Data Source (datasource) | cs5 | DataSource | datasource | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Data Source Type (datasourcetype) | cs6 | DataSourceType | datasourcetype | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Virtual System ID (vsys_id) | cn2 | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |
| Factor Type (factortype) | cs1 | FactorType | factortype | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Factor Completion Time (factorcompletiontime) | end | FactorCompletionTime | factorcompletiontime | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Factor Number (factorno) | cn1 | FactorNumber | factorno | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| User Group Flags (ugflags) | PanOSUGFlags | ugflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| User by Source (userbysource) | PanOSUserBySource | principal.user.userid
principal.administrative_domain principal.user.email_addresses |
||
| High Resolution Timestamp (high_res timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
HIP match
The following table lists the log fields of the HIP match log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | ||
| Generated Time (time_generated or cef-formatted-time_generated) | start | startTime | metadata.event_timestamp | |
| Source User (srcuser) | suser | usrName | principal.user.userid | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Machine Name (machinename) | shost | identHostName | principal.hostname | |
| Operating System (os) | cs2 | OS | principal.asset.platform_software.platform | |
| Source Address (src) | src | identsrc | principal.ip | |
| HIP (matchname) | cat | HIP | matchname | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| HIP Type (matchtype) | Device Event Class ID (Header) | HIPType | matchtype | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Virtual System ID (vsys_id) | cn2 | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |
| IPv6 System Address (srcipv6) | c6a2 | srcipv6 | principal.asset.ip | |
| Host ID (hostid) | PanOSHostID | principal.asset.product_object_id | ||
| User Device Serial Number (serialnumber) | PanOSEndpointSerialNumber | principal.asset.hardware.serial_number | ||
| Device MAC Address (mac) | PanOSEndpointMac | principal.asset.mac | ||
| High Resolution Timestamp (high_res_timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
IP tag
The following table lists the log fields of the IP tag log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | GenerateTime | metadata.event_timestamp | ||
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source IP (ip) | src | src | principal.ip | |
| Tag Name (tag_name) | PanOSTagName | TagName | tag_name | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Event ID (event_id) | PanOSEventID | EventID | event_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Timeout (timeout) | PanOSTimeout | TimeoutThreshold | timeout | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Data Source Name (datasourcename) | PanOSDataSourceName | DataSourceName | datasourcename | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Data Source Type (datasource_type) | PanOSDataSourceType | DataSource | datasource_type | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Data Source Subtype (datasource_subtype) | PanOSDataSourceSubType | DataSourceType | datasource_subtype | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOsVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Virtual System ID (vsys_id) | cn2 | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |
| High Resolution Timestamp (high_res timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
Decryption
The following table lists the log fields of the decryption log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Serial Number (serial) | PanOSDeviceSN | intermediary.asset.hardware.serial_number | ||
| Type (type) | type (Header) | metadata.product_event_type | ||
| Threat/Content Type (subtype) | subtype (Header) | metadata.product_event_type | ||
| Config Version (config_ver) | PanOSConfigVersion | config_ver | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Generate Time (time_generated) | PanOSLogTimeStamp | metadata.event_timestamp | ||
| Source Address (src) | src | principal.ip | ||
| Destination Address (dst) | dst | target.ip | ||
| NAT Source IP (natsrc) | sourceTranslatedAddress | principa.nat_ip | ||
| NAT Destination IP (natdst) | destinationTranslatedAddress | target.nat_ip | ||
| Rule (rule) | cs1 | security_result.rule_name | ||
| Source User (srcuser) | suser | principal.user.userid | ||
| Destination User (dstuser) | duser | target.user.userid | ||
| Application (app) | app | target.application | ||
| Virtual System (vsys) | cs3 | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Zone (from) | cs4 | from | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Zone (to) | cs5 | to | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Inbound Interface (inbound_if) | deviceInboundInterface | inbound_if | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Outbound Interface (outbound_if) | deviceOutboundInterface | outbound_if | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Log Action (logset) | cs6 | logset | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Time Logged (time_received) | PanOSTimeReceivedManagementPlane | - | ||
| Session ID (sessionid) | cn1 | network.session_id | ||
| Repeat Count (repeatcnt) | PanOSCountOfRepeats/RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Port (sport) | spt | principal.port | ||
| Destination Port (dport) | dpt | target.port | ||
| NAT Source Port (natsport) | sourceTranslatedPort | principal.nat_port | ||
| NAT Destination Port (natdport) | destinationTranslatedPort | target.nat_port | ||
| Flags (flags) | flexString1 | flags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| IP Protocol (proto) | proto | network.ip_protocol | ||
| Action (action) | act | security_result.action_details
security_result.action |
||
| Tunnel (tunnel) | PanOSTunnel | tunnel | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source VM UUID (src_uuid) | PanOSSourceUUID | principal.asset.asset_id | ||
| Destination VM UUID (dst_uuid) | PanOSDestinationUUID | target.asset.asset_id | ||
| UUID for rule (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| Stage for Client to Firewall (hs_stage_c2f) | PanOSClientToFirewall | hs_stage_c2f | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Stage for Firewall to Server (hs_stage_f2s) | PanOSFirewallToServer | hs_stage_f2s | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| TLS Version (tls_version) | PanOSTLSVersion | network.tls.version | ||
| Key Exchange Algorithm (tls_keyxchg) | PanOSTLSKeyExchange | tls_keyxchg | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Encryption Algorithm (tls_enc) | PanOSTLSEncryptionAlgorithm | tls_enc | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Hash Algorithm (tls_auth) | PanOSTLSAuth | tls_auth | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Policy Name (policy_name) | PanOSPolicyName | policy_name | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Elliptic Curve (ec_curve) | PanOSEllipticCurve | network.tls.curve | ||
| Error Index (err_index) | PanOSErrorIndex | err_index | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Root Status (root_status) | PanOSRootStatus | root_status | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Chain Status (chain_status) | PanOSChainStatus | chain_status | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Proxy Type (proxy_type) | PanOSProxyType | proxy_type | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Certificate Serial Number (cert_serial) | PanOSCertificateSerial | network.tls.server.certificate.serial | ||
| Certificate Fingerprint (fingerprint) | PanOSFingerprint | network.tls.server.certificate.md5/sha1/sha256 | ||
| Certificate Start Date (notbefore) | PanOSTimeNotBefore | network.tls.server.certificate.not_before | ||
| Certificate End Date (notafter) | PanOSTimeNotAfter | network.tls.server.certificate.not_after | ||
| Certificate Version (cert_ver) | PanOSCertificateVersion | network.tls.server.certificate.version | ||
| Certificate Size (cert_size) | PanOSCertificateSize | cert_size | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Common Name Length (cn_len) | PanOSCommonNameLength | cn_len | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Issuer Common Name Length (issuer_len) | PanOSIssuerNameLength | issuer_len | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Root Common Name Length (rootcn_len) | PanOSRootCNLength | rootcn_len | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| SNI Length (sni_len) | PanOSSNILength | sni_len | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Certificate Flags (cert_flags) | PanOSCertificateFlags | cert_flags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Subject Common Name (cn) | PanOSCommonName | cn | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Issuer Common Name (issuer_cn) | PanOSIssuerCommonName | network.tls.server.certificate.issuer | ||
| Root Common Name (root_cn) | PanOSRootCommonName | root_cn | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Server Name Indication
(sni) |
network.tls.client.server_name | |||
| Error (error) | PanOSErrorMessage | error | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Container ID (container_id) | PanOSContainerID | container_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| POD Namespace (pod_namespace) | PanOSContainerNameSpace | pod_namespace | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| POD Name (pod_name) | PanOSContainerName | pod_name | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source External Dynamic List (src_edl) | PanOSSourceEDL | src_edl | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination External Dynamic List (dst_edl) | PanOSDestinationEDL | dst_edl | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Dynamic Address Group (src_dag) | PanOSSourceDynamicAddressGroup | principal.group.group_display_name | ||
| Destination Dynamic Address Group (dst_dag) | PanOSDestinationDynamicAddressGroup | target.group.group_display_name | ||
| High Resolution Timestamp (high_res_timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Source Device Category (src_category) | PanOSSourceDeviceCategory | src_category | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Profile (src_profile) | PanOSSourceDeviceProfile | src_profile | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Model (src_model) | PanOSSourceDeviceModel | src_model | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Vendor (src_vendor) | PanOSSourceDeviceVendor | src_vendor | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device OS Family (src_osfamily) | PanOSSourceDeviceOSFamily | principal.asset.platform_software.platform principal.labels.key and principal.labels.value |
||
| Source Device OS Version (src_osversion) | PanOSSourceDeviceOSVersion | principal.asset.software.version | ||
| Source Hostname (src_host) | PanOSSourceDeviceHost | principal.hostname | ||
| Source MAC Address (src_mac) | PanOSSourceDeviceMac | principal.mac | ||
| Destination Device Category (dst_category) | PanOSDestinationDeviceCategory | dst_category | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Profile (dst_profile) | PanOSDestinationDeviceProfile | dst_profile | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Model (dst_model) | PanOSDestinationDeviceModel | dst_model | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Vendor (dst_vendor) | PanOSDestinationDeviceVendor | dst_vendor | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device OS Family (dst_osfamily) | PanOSDestinationDeviceOSFamily | dst_osfamily | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device OS Version (dst_osversion) | PanOSDestinationDeviceOSVersion | target.asset.software.version | ||
| Destination Hostname (dst_host) | PanOSDestinationDeviceHost | target.hostname | ||
| Destination MAC Address (dst_mac) | PanOSDestinationDeviceMac | target.mac | ||
| Sequence Number (seqno) | PanOSLogTypeSeqNo | metadata.product_log_id | ||
| Action Flags (actionflags) | PanOSActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Device Group Hierarchy (dg_hier_level_1) | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Device Group Hierarchy (dg_hier_level_2) | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Device Group Hierarchy (dg_hier_level_3) | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Device Group Hierarchy (dg_hier_level_4) | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Virtual System Name (vsys_name) | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|||
| Device Name (device_name) | intermediary.hostname | |||
| Virtual System ID (vsys_id) | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |||
| Application Subcategory (subcategory_of_app) | subcategory_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Category (category_of_app) | category_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Technology (technology_of_app) | technology_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Risk (risk_of_app) | security_result.severity | |||
| Application Characteristic (characteristic_of_app) | characteristic_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Container (container_of_app) | container_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Sanctioned State (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
Tunnel
The following table lists the log fields of the tunnel log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Source Address (src) | src | src | principal.ip | |
| Destination Address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule Name (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser / usrName | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | network.application_protocol | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| Severity (severity) | security_result.severity and security_result.severity_details | |||
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Location (srcloc) | principal.location.country_or_region | |||
| Destination Location (dstloc) | target.location.country_or_region | |||
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Tunnel ID (tunnelid) | PanOSTunnelID | TunnelID | tunnelid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Monitor Tag (monitortag) | PanOSMonitorTag | MonitorTag | monitortag | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Parent Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Tunnel Type (tunnel) | cs2 | TunnelType | tunnel | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Bytes (bytes) | flexNumber1 | totalBytes | bytes | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Bytes Sent (bytes_sent) | in | srcBytes | network.sent_bytes | |
| Bytes Received (bytes_received) | out | dstBytes | network.received_bytes | |
| Packets (packets) | cn2 | totalPackets | packets | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Packets Sent (pkts_sent) | PanOSPacketsSent | srcPackets | pkts_sent | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Packets Received (pkts_received) | PanOSPacketsReceived | dstPackets | pkts_received | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Maximum Encapsulation (max_encap) | flexNumber2 | MaximumEncapsulation | max_encap | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Unknown Protocol (unknown_proto) | cfp1 | UnknownProtocol | unknown_proto | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Strict Checking (strict_check) | cfp2 | StrictChecking | strict_check | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Tunnel Fragment (tunnel_fragment) | PanOSTunnelFragment | TunnelFragment | tunnel_fragment | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Sessions Created (sessions_created) | cfp3 | SessionsCreated | sessions_created | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Sessions Closed (sessions_closed) | cfp4 | SessionsClosed | sessions_closed | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Session End Reason (session_end_reason) | reason | SessionEndReason | security_result.summary | |
| Action Source (action_source) | cat | ActionSource | action_source | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Start Time (start) | startTime | start | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Elapsed Time (elapsed) | cn3 | ElapsedTime | elapsed | network.session_duration.seconds |
| Tunnel Inspection Rule (tunnel_insp_rule) | PanOSTunneInspectionRule | security_result.rule_name = "Tunnel Inspection Rule: %{PanOSTunnelInspectionRule}" | ||
| Remote User IP (remote_user_ip) | PanOSRmtUserIP | target.ip | ||
| Remote User ID (remote_user_id) | PanOSRmtUserID | remote_user_id | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Security Rule UUID (rule_uuid) | PanOSRuleUUID | security_result.rule_id | ||
| PCAP ID (pcap_id) | PanOSPcapID | pcap_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Dynamic User Group Name (dynusergroup_name) | PanDynamicUsrgrp | principal.group.group_display_name | ||
| Source External Dynamic List (src_edl) | PanOSSourceEDL | src_edl | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination External Dynamic List (dst_edl) | PanOSDestinationEDL | dst_edl | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| High Resolution Timestamp (high_res timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| A Slice Differentiator (nssai_sd) | nssai_sd | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| A Slice Service Type (nssai_sd) | nssai_sd1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| PDU Session ID (pdu_session_id) | pdu_session_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Subcategory (subcategory_of_app) | subcategory_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Category (category_of_app) | category_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Technology (technology_of_app) | technology_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Risk (risk_of_app) | risk_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Characteristic (characteristic_of_app) | characteristic_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Container (container_of_app) | container_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application SaaS (is_saas_of_app) | is_saas_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Application Sanctioned State (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
Authentication
The following table lists the log fields of the authentication log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time or cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial Number (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generated Time (time_generated or cef-formatted-time_generated) | metadata.event_timestamp | |||
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source IP (ip) | src | src | principal.ip | |
| User (user) | duser | usrName | target.user.userid | |
| Normalize User (normalize_user) | cs2 | NormalizeUser | target.user.user_display_name | |
| Object (object) | fname | ObjectName | object | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Authentication Policy (authpolicy) | cs4 | AuthPolicy | authpolicy | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Authentication ID (authid) | cn2 | AuthenticationID | authid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Vendor (vendor) | flexString2 | Vendor | vendor | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Server Profile (serverprofile) | cs1 | ServerProfile | serverprofile | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Description (desc) | PanOSDesc | AdditionalAuthInfo | security_result.description | |
| Client Type (clienttype) | cs5 | ClientType | clienttype | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Event Type (event) | msg | msg | extensions.auth.auth_details | |
| Factor Number (factorno) | cn1 | FactorNumber | factorno | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Device Group Hierarchy (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| Virtual System ID (vsys_id) | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | |||
| Authentication Protocol (authproto) | authproto | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| UUID for rule (rule_uuid) | PanOSRuleUUID/RuleUUID | security_result.rule_id | ||
| High Resolution Timestamp (high_res _timestamp) | PanOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Source Device Category (src_category) | PanOSSourceDeviceCategory | src_category | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Profile (src_profile) | PanOSSourceDeviceProfile | src_profile | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Model (src_model) | PanOSSourceDeviceModel | src_model | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Vendor (src_vendor) | PanOSSourceDeviceVendor | src_vendor | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device OS Family (src_osfamily) | PanOSSourceDeviceOSFamily | principal.asset.platform_software.platform principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source Device OS Version (src_osversion) | PanOSSourceDeviceOSVersion | principal.asset.software.version | ||
| Source Hostname (src_host) | PanOSSourceHostname | principal.hostname | ||
| Source MAC Address (src_mac) | PanOSSourceMac | principal.asset.mac | ||
| Region (region) | PanOSTrafficOriginRegion | principal.location.country_or_region | ||
| User Agent (user_agent) | PanOSHTTPUserAgent | network.http.user_agent | ||
| Session ID(sessionid) | PanOSTrafficSessionID | network.session_id |
URL
The following table lists the log fields of the URL log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial # (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generate Time | metadata.event_timestamp | |||
| Source address (src) | src | src | principal.ip | |
| Destination address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | network.application_protocol | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Time Logged | time_logged | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| URL/Filename (misc) | Miscellaneous | target.file.full_path
target.url |
||
| Threat/Content Name (threatid) | cat | ThreatID | security_result.threat_id | |
| Category (category) | cs2 | URLCategory | category | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Severity (severity) | number-of-severity (Header) | Severity | security_result.severity
security_result.severity_details |
|
| Direction (direction) | flexString2 | Direction | network.direction | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Country (srcloc) | SourceLocation | principal.location.country_or_region | ||
| Destination Country (dstloc) | DestinationLocation | target.location.country_or_region | ||
| contenttype (contenttype) | requestContext | ContentType | contenttype | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| pcap_id (pcap_id) | fileId | PCAP_ID | pcap_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| filedigest (filedigest) | FileDigest | about.file.sha1/md5/sha256 | ||
| cloud (cloud) | Cloud | cloud | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| url_idx (url_idx) | URLIndex | url_idx | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| user_agent (user_agent) | requestClientApplication | UserAgent | network.http.user_agent | |
| filetype (filetype) | about.file.mime_type | |||
| xff (xff) | PanOSXForwarderfor | identSrc | xff | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| referer (referer) | PanOSReferer | Referer | network.http.referral_url | |
| sender (sender) | network.email.from | |||
| subject (subject) | Subject | network.email.subject | ||
| recipient (recipient) | network.email.to | |||
| reportid (reportid) | reportid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| DG Hierarchy Level 1 (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| DG Hierarchy Level 2 (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| DG Hierarchy Level 3 (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| DG Hierarchy Level 4 (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| file_url (file_url) | about.url | |||
| Source VM UUID (src_uuid) | SrcUUID | principal.asset.asset_id | ||
| Destination VM UUID (dst_uuid) | DstUUID | target.asset.asset_id | ||
| http_method (http_method) | requestMethod | RequestMethod | network.http.method | |
| Tunnel ID/IMSI (tunnelid) | PanOSTunnelID | TunnelID | tunnelid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Monitor Tag/IMEI (monitortag) | PanOSMonitorTag | MonitorTag | monitortag | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Parent Session Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Tunnel (tunnel) | PanOSTunnelType | TunnelType | tunnel | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| thr_category (thr_category) | PanOSThreatCategory | ThreatCategory | thr_category | security_result.detection_fields.key/value |
| contentver (contentver) | PanOSContentVer | ContentVer | contentver | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| sig_flags (sig_flags) | sig_flags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| SCTP Association ID (assoc_id) | PanOSAssocID | assoc_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Payload Protocol ID (ppid) | PanOSPPID | ppid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| http_headers (http_headers) | PanOSHTTPHeader | http_headers | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| URL Category List (url_category_list) | PanOSURLCatList | url_category_list | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| UUID for rule (rule_uuid) | PanOSRuleUUID | rule_uuid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| HTTP/2 Connection (http2_connection) | PanOSHTTP2Con | http2_connection | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| dynusergroup_name (dynusergroup_name) | PanDynamicUsrgrp | dynusergroup_name | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| XFF address (xff_ip) | PanXFFIP | principal.ip | ||
| Source Device Category (src_category) | PanSrcDeviceCat | src_category | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Profile (src_profile) | PanSrcDeviceProf | src_profile | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Model (src_model) | PanSrcDeviceModel | src_model | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device Vendor (src_vendor) | PanSrcDeviceVendor | src_vendor | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Device OS Family (src_osfamily) | PanSrcDeviceOS | principal.asset.platform_software.platform principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source Device OS Version (src_osversion) | PanSrcDeviceOSv | principal.asset.software.version | ||
| Source Hostname (src_host) | PanSrcHostname | src_host | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Mac Address (src_mac) | PanSrcMac | principal.mac | ||
| Destination Device Category (dst_category) | PanDstDeviceCat | dst_category | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Profile (dst_profile) | PanDstDeviceProf | dst_profile | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Model (dst_model) | PanDstDeviceModel | dst_model | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device Vendor (dst_vendor) | PanDstDeviceVendor | dst_vendor | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination Device OS Family (dst_osfamily) | PanDstDeviceOS | target.asset.platform_software.platform
target.labels.key and target.labels.value |
||
| Destination Device OS Version (dst_osversion) | PanDstDeviceOSv | target.asset.software.version | ||
| Destination Hostname (dst_host) | PanPODNamespace | target.hostname | ||
| Destination Mac Address (dst_mac) | PanDstMac | target.mac | ||
| Container ID (container_id) | PanContainerName | container_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| POD Namespace (pod_namespace) | PanPODNamespace | pod_namespace | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| POD Name (pod_name) | PanPODName | pod_name | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source External Dynamic List (src_edl) | PanSrcEDL | src_edl | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Destination External Dynamic List (dst_edl) | PanDstEDL | dst_edl | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Host ID (hostid) | PanGPHostID | hostid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Serial Number (serialnumber) | PanEPSerial | principal.asset.hardware.serial_number | ||
| domain_edl (domain_edl) | PanDomainEDL | domain_edl | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source Dynamic Address Group (src_dag) | PanSrcDAG | principal.group.group_display_name | ||
| Destination Dynamic Address Group (dst_dag) | PanDstDAG | target.group.group_display_name | ||
| partial_hash (partial_hash) | PanPartialHash | partial_hash | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| High Res Timestamp (high_res_timestamp) | PanTimeHighRes | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Reason (reason) | PanReasonFilteringAction | reason | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| justification (justification) | PanJustification | justification | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| nssai_sst (nssai_sst) | PanASServiceType | nssai_sst | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Subcategory of app (subcategory_of_app) | subcategory_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Category of app (category_of_app) | category_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Technology of app (technology_of_app) | technology_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Risk of app (risk_of_app) | risk_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Characteristic of app (characteristic_of_app) | characteristic_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Container of app (container_of_app) | container_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Tunneled app (tunneled_app) | tunneled_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| SaaS of app (is_saas_of_app) | is_saas_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Sanctioned State of app (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
Data
The following table lists the log fields of the data log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (cef-formatted-receive_time) | rt | devTime | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|
| Serial # (serial) | deviceExternalId | SerialNumber | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | cat | metadata.product_event_type | |
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generate Time | metadata.event_timestamp | |||
| Source address (src) | src | src | principal.ip | |
| Destination address (dst) | dst | dst | target.ip | |
| NAT Source IP (natsrc) | sourceTranslatedAddress | srcPostNAT | principal.nat_ip | |
| NAT Destination IP (natdst) | destinationTranslatedAddress | dstPostNAT | target.nat_ip | |
| Rule (rule) | cs1 | RuleName | security_result.rule_name | |
| Source User (srcuser) | suser | SourceUser | principal.user.userid | |
| Destination User (dstuser) | duser | DestinationUser | target.user.userid | |
| Application (app) | app | Application | network.application_protocol | |
| Virtual System (vsys) | cs3 | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Zone (from) | cs4 | SourceZone | from | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Destination Zone (to) | cs5 | DestinationZone | to | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Inbound Interface (inbound_if) | deviceInboundInterface | IngressInterface | inbound_if | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
| Outbound Interface (outbound_if) | deviceOutboundInterface | EgressInterface | outbound_if | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
| Log Action (logset) | cs6 | LogForwardingProfile | logset | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Time Logged | time_logged | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Session ID (sessionid) | cn1 | SessionID | network.session_id | |
| Repeat Count (repeatcnt) | cnt | RepeatCount | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Port (sport) | spt | srcPort | principal.port | |
| Destination Port (dport) | dpt | dstPort | target.port | |
| NAT Source Port (natsport) | sourceTranslatedPort | srcPostNATPort | principal.nat_port | |
| NAT Destination Port (natdport) | destinationTranslatedPort | dstPostNATPort | target.nat_port | |
| Flags (flags) | flexString1 | Flags | flags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| IP Protocol (proto) | proto | proto | network.ip_protocol | |
| Action (action) | act | action | security_result.action_details
security_result.action |
|
| URL/Filename (misc) | Miscellaneous | target.file.full_path
target.url |
||
| Threat/Content Name (threatid) | cat | ThreatID | security_result.threat_id | |
| Category (category) | cs2 | URLCategory | category | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Severity (severity) | number-of-severity (Header) | Severity | security_result.severity
security_result.severity_details |
|
| Direction (direction) | flexString2 | Direction | network.direction | |
| Sequence Number (seqno) | externalId | sequence | metadata.product_log_id | |
| Action Flags (actionflags) | PanOSActionFlags | ActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Source Country (srcloc) | SourceLocation | principal.location.country_or_region | ||
| Destination Country (dstloc) | DestinationLocation | target.location.country_or_region | ||
| contenttype (contenttype) | ContentType | contenttype | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| pcap_id (pcap_id) | fileId | PCAP_ID | pcap_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| filedigest (filedigest) | FileDigest | about.file.sha1/md5/sha256 | ||
| cloud (cloud) | Cloud | cloud | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| url_idx (url_idx) | URLIndex | url_idx | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| user_agent (user_agent) | network.http.user_agent | |||
| filetype (filetype) | about.file.mime_type | |||
| xff (xff) | xff | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| referer (referer) | network.http.referral_url | |||
| sender (sender) | network.email.from | |||
| subject (subject) | Subject | network.email.subject | ||
| recipient (recipient) | network.email.to | |||
| reportid (reportid) | reportid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| DG Hierarchy Level 1 (dg_hier_level_1) | PanOSDGl1 | DeviceGroupHierarchyL1 | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| DG Hierarchy Level 2 (dg_hier_level_2) | PanOSDGl2 | DeviceGroupHierarchyL2 | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| DG Hierarchy Level 3 (dg_hier_level_3) | PanOSDGl3 | DeviceGroupHierarchyL3 | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| DG Hierarchy Level 4 (dg_hier_level_4) | PanOSDGl4 | DeviceGroupHierarchyL4 | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Virtual System Name (vsys_name) | PanOSVsysName | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|
| Device Name (device_name) | dvchost | DeviceName | intermediary.hostname | |
| file_url (file_url) | about.url | |||
| Source VM UUID (src_uuid) | SrcUUID | principal.asset.asset_id | ||
| Destination VM UUID (dst_uuid) | DstUUID | target.asset.asset_id | ||
| http_method (http_method) | RequestMethod | network.http.method | ||
| Tunnel ID/IMSI (tunnelid) | PanOSTunnelID | TunnelID | tunnelid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Monitor Tag/IMEI (monitortag) | PanOSMonitorTag | MonitorTag | monitortag | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Parent Session ID (parent_session_id) | PanOSParentSessionID | ParentSessionID | parent_session_id | network.parent_session_id |
| Parent Session Start Time (parent_start_time) | PanOSParentStartTime | ParentStartTime | parent_start_time | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| Tunnel (tunnel) | PanOSTunnelType | TunnelType | tunnel | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| thr_category (thr_category) | PanOSThreatCategory | ThreatCategory | thr_category | security_result.detection_fields.key/value |
| contentver (contentver) | PanOSContentVer | ContentVer | contentver | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
| sig_flags (sig_flags) | sig_flags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| SCTP Association ID (assoc_id) | PanOSAssocID | assoc_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Payload Protocol ID (ppid) | PanOSPPID | ppid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| http_headers (http_headers) | PanOSHTTPHeader | http_headers | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| URL Category List (url_category_list) | url_category_list | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| UUID for rule (rule_uuid) | PanOSRuleUUID | rule_uuid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| HTTP/2 Connection (http2_connection) | http2_connection | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| dynusergroup_name (dynusergroup_name) | dynusergroup_name | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| XFF address (xff_ip) | principal.ip | |||
| Source Device Category (src_category) | src_category | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source Device Profile (src_profile) | src_profile | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source Device Model (src_model) | src_model | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source Device Vendor (src_vendor) | src_vendor | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source Device OS Family (src_osfamily) | principal.asset.platform_software.platform principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
|||
| Source Device OS Version (src_osversion) | principal.asset.software.version | |||
| Source Hostname (src_host) | src_host | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source Mac Address (src_mac) | principal.mac | |||
| Destination Device Category (dst_category) | dst_category | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Destination Device Profile (dst_profile) | dst_profile | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Destination Device Model (dst_model) | dst_model | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Destination Device Vendor (dst_vendor) | dst_vendor | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Destination Device OS Family (dst_osfamily) | target.asset.platform_software.platform
target.labels.key and target.labels.value |
|||
| Destination Device OS Version (dst_osversion) | target.asset.software.version | |||
| Destination Hostname (dst_host) | target.hostname | |||
| Destination Mac Address (dst_mac) | target.mac | |||
| Container ID (container_id) | container_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| POD Namespace (pod_namespace) | pod_namespace | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| POD Name (pod_name) | pod_name | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source External Dynamic List (src_edl) | src_edl | principal.labels.key and principal.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Destination External Dynamic List (dst_edl) | dst_edl | target.labels.key and target.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Host ID (hostid) | hostid | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Serial Number (serialnumber) | principal.asset.hardware.serial_number | |||
| domain_edl (domain_edl) | domain_edl | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Source Dynamic Address Group (src_dag) | principal.group.group_display_name | |||
| Destination Dynamic Address Group (dst_dag) | target.group.group_display_name | |||
| partial_hash (partial_hash) | partial_hash | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| High Res Timestamp (high_res_timestamp) | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
|||
| Reason (reason) | reason | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| justification (justification) | justification | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| nssai_sst (nssai_sst) | nssai_sst | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Subcategory of app (subcategory_of_app) | subcategory_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Category of app (category_of_app) | category_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Technology of app (technology_of_app) | technology_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Risk of app (risk_of_app) | risk_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Characteristic of app (characteristic_of_app) | characteristic_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Container of app (container_of_app) | container_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Tunneled app (tunneled_app) | tunneled_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| SaaS of app (is_saas_of_app) | is_saas_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Sanctioned State of app (sanctioned_state_of_app) | sanctioned_state_of_app | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
GlobalProtect
The following table lists the log fields of the GlobalProtect log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Receive Time (receive_time) | rt | received_time | metadata.event_timestamp | |
| Serial # (serial) | PanOSDeviceSN | intermediary_asset_hardware_serial_number | intermediary.asset.hardware.serial_number | |
| Type (type) | type (Header) | metadata.product_event_type | ||
| Threat/Content Type (subtype) | subtype (Header) | Subtype | metadata.product_event_type | |
| Generate Time (time_generated) | PanOSLogTimeStamp | generated_timestamp | metadata.event_timestamp | |
| Virtual System (vsys) | PanOSVirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Event ID (eventid) | PanOSEventID | event_id | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Stage (stage) | PanOSStage | stage | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Authentication Method (auth_method) | PanOSAuthMethod | extension_auth_auth_details | extensions.auth.auth_details | |
| Tunnel Type (tunnel_type) | PanOSTunnelType | tunnel | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Source User (srcuser) | PanOSSourceUserName | src_user | principal.user.email_address
principal.user.userid principal.administrative_domain |
|
| Source Region (srcregion) | PanOSSourceRegion | src_region | principal.location.country_or_region | |
| Machine Name (machinename) | PanOSEndpointDeviceName | machine_name | principal.hostname | |
| Public IP (public_ip) | PanOSPublicIPv4 | principal.nat_ip | ||
| Public IPv6 (public_ipv6) | PanOSPublicIPv6 | principal.nat_ip | ||
| Private IP (private_ip) | PanOSPrivateIPv4 | principal.ip | ||
| Private IPv6 (private_ipv6) | PanOSPrivateIPv6 | principal.ip | ||
| Host ID (hostid) | PanOSHostID | hostid | principal.asset.asset_id | |
| Serial Number (serialnumber) | PanOSDeviceSN | principal.asset.hardware.serial_number | ||
| Client Version (client_ver) | PanOSGlobalProtectClientVersion | client_ver | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Client OS (client_os) | PanOSEndpointOSType | principal.asset.platform_software.platform(enum) | ||
| Client OS Version (client_os_ver) | PanOSEndpointOSVersion | principal.asset.platform_software.platform_version | ||
| Repeat Count (repeatcnt) | PanOSCountOfRepeats | repeatcnt | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Reason (reason) | PanOSQuarantineReason | security_result.summary | ||
| Error (error) | PanOSConnectionError | error | security_result.description | |
| Description (opaque) | PanOSDescription | security_result.description | ||
| Status (status) | PanOSEventStatus | status | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Location (location) | PanOSGPGatewayLocation | target.location.country_or_region | ||
| Login Duration (login_duration) | PanOSLoginDuration | network.session_duration | ||
| Connect Method (connect_method) | PanOSConnectionMethod | connect_method | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Error Code (error_code) | PanOSConnectionErrorID | error_code | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Portal (portal) | PanOSPortal | portal | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Sequence Number (seqno) | PanOSSequenceNo | metadata.product_log_id | ||
| Action Flags (actionflags) | PanOSActionFlags | actionflags | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| High Resolution Timestamp (high_res_timestamp) | anOSTimeGeneratedHighResolution | metadata.collected_timestamp,
metadata.event_timestamp (if "Generate Time" is absent) |
||
| Gateway Selection Method (selection_type) | PanOSGatewaySelectionType | selection_type | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| SSL Response Time (response_time) | PanOSSSLResponseTime | response_time | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Gateway Priority (priority) | PanOSGatewayPriority | priority | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Attempted Gateways (attempted_gateways) | PanOSAttemptedGateways | attempted_gateways | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Gateway Name (gateway) | PanOSAttemptedGateways | gateway | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Device Group Hierarchy (dg_hier_level_1) | dg_hier_level_1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Device Group Hierarchy (dg_hier_level_2) | dg_hier_level_2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Device Group Hierarchy (dg_hier_level_3) | dg_hier_level_3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Device Group Hierarchy (dg_hier_level_4) | dg_hier_level_4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Virtual System Name (vsys_name) | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
|||
| Device Name (device_name) | target.hostname | |||
| Virtual System ID (vsys_id) | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id |
Correlation
The following table lists the log fields of the Correlation log type and their corresponding UDM fields.
| CSV field | CEF field | LEEF field | Google Security Operations label key | UDM field |
|---|---|---|---|---|
| Generated Time (time_generated or cef-formatted-time_generated) | startTime | generated_timestamp | metadata.event_timestamp | |
| Source Address (src) | src | principal.ip | ||
| Source User (srcuser) | SourceUser / usrName | principal.user.userid | ||
| Virtual System (vsys) | VirtualSystem | vsys | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
|
| Category (category) | security_result.category_details | |||
| Severity (severity) | Severity | security_result.severity and security_result.severity_details | ||
| Device Group Hierarchy Level 1 | DeviceGroupHierarchyL1 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Device Group Hierarchy Level 2 | DeviceGroupHierarchyL2 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Device Group Hierarchy Level 3 | DeviceGroupHierarchyL3 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Device Group Hierarchy Level 4 | DeviceGroupHierarchyL4 | about.labels.key and about.labels.value additional.fields.key and additional.fields.value.string_value |
||
| Virtual System Name (vsys_name) | vSrcName | principal.resource.name
principal.resource.resource_type=VIRTUAL_MACHINE |
||
| Device Name (device_name) | DeviceName | intermediary.hostname | ||
| Virtual System ID (vsys_id) | VirtualSystemID | principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id | ||
| Object Name (objectname) | ObjectName | target.resource.name | ||
| Object ID (object_id) | ObjectID | target.resource.product_object_id |
Field mapping reference: Log types to UDM event type
The following table lists the Palo Alto Networks firewall log types and their corresponding UDM event types.
| Log type | UDM event type |
| Traffic | NETWORK_CONNECTION |
| Threat | NETWORK_CONNECTION |
| URL Filtering | NETWORK_CONNECTION |
| WildFire | NETWORK_CONNECTION
WildFire submissions logs are a subtype of Threat log type and use the same syslog format. |
| Data Filtering | NETWORK_CONNECTION |
| Tunnel | NETWORK_CONNECTION |
| Config | SETTING_MODIFICATION/SETTING_CREATION/SETTING_DELETION/SETTING_UNCATEGORIZED
The value of the "Command (cmd)" field determines the UDM event type mapping. If the cmd field value is add or clone, SETTING_CREATION is set. If the cmd field value is delete, SETTING_DELETION is set. If the cmd field value is edit, move, rename, set, or commit, SETTING_MODIFICATION is set. If the cmd field value does not contain any values, then SETTING_UNCATEGORIZED is set. |
| System |
If the subtype value is "dhcp", then NETWORK_DHCP is set. If the subtype value is "auth", then USER_LOGIN is set. If the description value is "logged in", then USER_LOGIN is set. If the description value is "logged out", then USER_LOGOUT is set. For other values of the subtype, GENERIC_EVENT is set. |
| HIP Match | NETWORK_CONNECTION |
| IP Tag | GENERIC_EVENT |
| User-ID | USER_LOGIN/USER_LOGOUT/USER_UNCATEGORIZED
If subtype value is "login", then USER_LOGIN is set. If subtype value is "logout", then USER_LOGOUT is set. If subtype does not contain any value, then USER_UNCATEGORIZED is set. |
| Decryption | NETWORK_CONNECTION |
| Authentication | GENERIC_EVENT |