Collect Palo Alto Networks firewall logs

Supported in:

Overview

This document describes how you can configure syslog and a Google Security Operations forwarder to collect Palo Alto Networks firewall logs. This document also explains how Palo Alto Networks firewall log fields map to Google Security Operations Unified Data Model (UDM) fields.

For an overview about Google Security Operations data ingestion, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the PAN_FIREWALL ingestion label.

Before you begin

  • To understand the components deployed to collect Palo Alto Networks firewall logs, review the deployment architecture. Each customer deployment might differ from this representation and might be more complex.

    The following diagram shows how you can configure syslog on a Palo Alto Networks firewall and install a Google Security Operations forwarder on a Linux server to forward log data to Google Security Operations. The parser supports logs written in the following data formats: Comma Separated Values (CSV), Common Event Format (CEF), and Log Event Extended Format (LEEF).

    Deployment architecture

  • Verify the log formats and PAN-OS versions that the Google Security Operations parser supports. The following table lists the log formats and the corresponding PAN-OS versions that the Google Security Operations parser supports:

    Log format PAN-OS version
    CSV 10.1.3
    CEF 10.0.0
    LEEF 9.1.0

  • Verify the Palo Alto Networks firewall log types that the Google Security Operations parser supports. The Google Security Operations parser supports the following Palo Alto Networks firewall log types:

    • Traffic
    • Threat
    • WildFire submissions
    • Tunnel inspection
    • Config
    • System
    • HIP match
    • IP-Tag
    • User-ID
    • Decryption
    • Authentication
    • URL filtering
    • Data filtering
    • GlobalProtect
    • Correlation

    For more information about the Palo Alto Networks firewall log types, see PAN-OS log types.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

  • Before you use the Palo Alto Networks firewall parser, review the changes in field mappings between the previous parser and the current Palo Alto Networks firewall parser. As part of the migration, ensure that the rules, searches, dashboards, or other processes that depend on the original fields use the updated fields.

    For example, in the previous parser version, the category log field is mapped to the security_result.description UDM field. In the current Palo Alto Networks firewall parser, the category log field is mapped to the security_result.category_details UDM field. If you migrate to the current Palo Alto Networks firewall parser and use the category field in your rules, you need to modify the rules to use the security_result.category_details UDM field of the current parser.

Configure syslog and the Google Security Operations forwarder

To configure syslog and the Google Security Operations forwarder, complete the following steps:

  1. To monitor CSV logs, configure the syslog server profile. For more information, see Configure the syslog server profile.

    When you configure the syslog server profile, specify "Default" as the custom log format.

  2. To monitor CEF logs, configure the Palo Alto Networks firewall to forward CEF logs. For more information, download the PAN-OS CEF Integration guide PDF and see the "Configuration of Palo Alto Networks NGFW to output CEF events" section.

  3. To monitor LEEF logs, configure the syslog server profile. For more information, see Custom log forwarding in LEEF format.

  4. Configure the Google Security Operations forwarder to send logs to Google Security Operations. For more information, see Installing and configuring the forwarder on Linux. The following is an example of a Google Security Operations forwarder configuration:

      - syslog:
          common:
            enabled: true
            data_type: PAN_FIREWALL
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60
    

Field mapping reference: PAN firewall logs fields to UDM fields

This section explains how the parser maps Palo Alto Networks firewall log fields to Google Security Operations UDM event fields for each log type.

The Google Security Operations label key refers to the name of the key mapped to Labels.key UDM field. For example, in the case of the "Virtual System" field, the field name is "cs3" in CEF format and is "VirtualSystem" in LEEF format. The UDM field "about.labels.key" contains the value "vsys" and the UDM field "about.labels.value" contains the value of that field.

Some of the CEF or LEEF field names do not have a name corresponding to the CSV field names. In such cases, if you add your own variable name in custom log format in the syslog profile, the parser does not map it to the UDM field.

Refer to the following sections for mapping reference of each log type:

System

The following table lists the log fields of the system log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type is set to "%{type} - %{subtype}".
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type is set to "%{type} - %{subtype}".
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Event ID (eventid) cat eventid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Object (object) fname Filename object

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Module (module) flexString2 Module module

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Severity (severity) $number-of-severity(header) Severity security_result.severity and security_result.severity_details
Description (opaque) msg msg metadata.description
principal_user_userid (This field is extracted from the msg field) principal.user.userid
principal_ip3 (This field is extracted from the msg field) principal.ip
Reason (This field is extracted from the msg field) security_result.description
server_address (This field is extracted from the msg field.) target.ip
server_profile (This field is extracted from the msg field.) additional.fields.key and additional.fields.value.string_value
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
High Resolution Timestamp (high_res_timestamp) anOSTimeGeneratedHighResolution metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Config

The following table lists the log fields of the config log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Host (host) shost src principal.ip/hostname
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Command (cmd) act msg cmd metadata.description
Admin (admin) duser usrName principal.user.userid
Client (client) destinationServiceName client principal.application
Result (result) Signature ID (Header)(reason) Result security_result.summary
Configuration Path (path) msg ConfigurationPath principal.process.command_line
Before Change Detail (before_change_detail) cs1 BeforeChangeDetail before_change_detail target.resource.attribute.labels.key/value
After Change Detail (after_change_detail) cs2 AfterChangeDetail after_change_detail target.resource.attribute.labels.key/value
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Device Group (dg_id) PanOSFWDeviceGroup dg_id principal.asset.attribute.labels.key/value
Audit Comment (comment) PanOSPolicyAuditComment comment

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Threat/WildFire

The following table lists the log fields of the Threat/WildFire log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial #) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) cat/subtype (Header) Subtype metadata.product_event_type
Generate Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Source address (src) src src principal.ip
Destination address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule Name (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser / usrName principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application target.application
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Zone (from) cs4 SourceZone from

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Zone (to) cs5 DestinationZone to

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Log Action (logset) cs6 LogForwardingProfile logset

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details

security_result.action

URL/Filename (misc) request Miscellaneous

target.file.full_path (if subtype is 'file', 'virus', 'wildfire-virus', or 'wildfire' then `misc` field is mapped to target.file.full_path)

target.url (if subtype is 'url' then `misc` field is mapped to target.url and target.hostname)

target.hostname (if subtype is 'spyware' or 'vulnerability' then `misc` field is mapped to target.file.full_path and target.url)

Threat/Content Name (threatid) cat ThreatID security_result.threat_name
Category (category) cs2 URLCategory security_result.category_details
Severity (severity) number-of-severity(header) Severity security_result.severity and security_result.severity_details
Direction (direction) flexString2 Direction network.direction
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Country (srcloc) SourceLocation principal.location.country_or_region
Destination Country (dstloc) DestinationLocation target.location.country_or_region
Content Type (contenttype) ContentType contenttype

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

PCAP ID (pcap_id) fileId PCAP_ID pcap_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

File Digest (filedigest) fileHash FileDigest about.file.sha1/md5/sha256
Cloud (cloud) filePath Cloud cloud

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

URL Index (url_idx) URLIndex url_idx

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

User Agent (user_agent) network.http.user_agent
File Type (filetype) fileType FileType about.file.mime_type
X-Forwarded-For (xff) principal.ip
Referer (referer) network.http.referral_url
Sender (sender) suid Sender network.email.from
Subject (subject) msg Subject network.email.subject
Recipient (recipient) duid Recipient network.email.to
Report ID (reportid) oldFileId ReportID reportid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Source VM UUID (src_uuid) PanOSSrcUUID SrcUUID principal.user.product_object_id
Destination VM UUID (dst_uuid) PanOSDstUUID DstUUID target.user.product_object_id
HTTP Method (http_method) RequestMethod network.http.method
Tunnel ID/IMSI (tunnel_id/imsi) PanOSTunnelID TunnelID tunnel_id/imsi

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Monitor Tag/IMEI (monitortag/imei) PanOSMonitorTag MonitorTag monitortag/imei

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id network.parent_session_id
Parent Session Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Tunnel Type (tunnel) PanOSTunnelType TunnelType tunnel

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Threat Category (thr_category) PanOSThreatCategory ThreatCategory thr_category security_result.detection_fields.key/value
Content Version (contentver) PanOSContentVer ContentVer contentver

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SCTP Association ID (assoc_id) PanOSAssocID assoc_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Payload Protocol ID (ppid) PanOSPPID ppid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

HTTP Headers (http_headers) PanOSHTTPHeader http_headers

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

URL Category List (url_category_list) PanOSURLCatList url_category_list

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Rule UUID (rule_uuid) PanOSRuleUUID security_result.rule_id
HTTP/2 Connection (http2_connection) PanOSHTTP2Con http2_connection

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Dynamic User Group Name (dynusergroup_name) PanDynamicUsrgrp dynusergroup_name

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

XFF Address (xff_ip) PanXFFIP principal.ip
Source Device Category (src_category) PanSrcDeviceCat src_category

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Profile (src_profile) PanSrcDeviceProf src_profile

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Model (src_model) PanSrcDeviceModel src_model

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Vendor (src_vendor) PanSrcDeviceVendor src_vendor

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Family (src_osfamily) PanSrcDeviceOS src_osfamily

principal.asset.platform_software.platform

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Version (src_osversion) PanSrcDeviceOSv principal.asset.software.version
Source Hostname (src_host) PanSrcHostname principal.hostname
Source MAC Address (src_mac) PanSrcMac principal.mac
Destination Device Category (dst_category) PanDstDeviceCat dst_category

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Profile (dst_profile) PanDstDeviceProf dst_profile

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Model (dst_model) PanDstDeviceModel dst_model

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Vendor (dst_vendor) PanDstDeviceVendor dst_vendor

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device OS Family (dst_osfamily) PanDstDeviceOS dst_osfamily

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device OS Version (dst_osversion) PanDstDeviceOSv target.asset.software.version
Destination Hostname (dst_host) PanDstHostname target.hostname
Destination MAC Address (dst_mac) PanDstMac target.mac
Container ID (container_id) PanContainerName container_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Namespace (pod_namespace) PanPODNamespace pod_namespace

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Name (pod_name) PanPODName pod_name

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source External Dynamic List (src_edl) PanSrcEDL src_edl

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Destination External Dynamic List (dst_edl) PanDstEDL dst_edl

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Host ID (hostid) PanGPHostID hostid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

User Device Serial Number (serialnumber) PanEPSerial principal.asset.hardware.serial_number
Domain EDL (domain_edl) PanDomainEDL domain_edl

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Dynamic Address Group (src_dag) PanSrcDAG principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) PanDstDAG target.group.group_display_name
Partial Hash (partial_hash) PanPartialHash partial_hash

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

High Resolution Timestamp (high_res timestamp) PanTimeHighRes high_res timestamp metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Reason (reason) PanReasonFilteringAction reason

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Justification (justification) PanJustification justification

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

A Slice Service Type (nssai_sst) PanASServiceType nssai_sst

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Subcategory (subcategory_of_app) subcategory_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Category (category_of_app) category_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Technology (technology_of_app) technology_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Risk (risk_of_app) risk_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Characteristic (characteristic_of_app) characteristic_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Container (container_of_app) container_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application SaaS (is_saas_of_app) is_saas_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Sanctioned State (sanctioned_state_of_app) sanctioned_state_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Traffic

The following table lists the log fields of the traffic log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat/Type metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) start metadata.event_timestamp
Source Address (src) src src principal.ip
Destination Address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule Name (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application target.application
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Zone (from) cs4 SourceZone from

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Zone (to) cs5 DestinationZone to

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Log Action (logset) cs6 LogForwardingProfile logset

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details

security_result.action

Bytes (bytes) flexNumber1 totalBytes bytes

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Bytes Sent (bytes_sent) in srcBytes network.sent_bytes
Bytes Received (bytes_received) out dstBytes network.received_bytes
Packets (packets) cn2 totalPackets packets

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Start Time (start) StartTime start

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Elapsed Time (elapsed) cn3 ElapsedTime elapsed network.session_duration.seconds
Category (category) cs2 URLCategory security_result.category / security_result.category_details
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Country (srcloc) SourceLocation principal.location.country_or_region
Destination Country (dstloc) DestinationLocation target.location.country_or_region
Packets Sent (pkts_sent) PanOSPacketsSent srcPackets pkts_sent

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Packets Received (pkts_received) PanOSPacketsReceived dstPackets pkts_received

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Session End Reason (session_end_reason) reason SessionEndReason security_result.summary
Device Group Hierarchy1 (dg_hier_level_1 to dg_hier_level_4) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy2 (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy3 (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Action Source (action_source) cat ActionSource action_source

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source VM UUID (src_uuid) PanOSSrcUUID SrcUUID principal.asset.product_object_id
Destination VM UUID (dst_uuid) PanOSDstUUID DstUUID target.asset.product_object_id
Tunnel ID/IMSI (tunnelid/imsi) PanOSTunnelID TunnelID tunnelid/imsi

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Monitor Tag/IMEI (monitortag/imei) PanOSMonitorTag MonitorTag monitortag/imei

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id network.parent_session_id
Parent Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Tunnel Type (tunnel) PanOSTunnelType TunnelType tunnel

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SCTP Association ID (assoc_id) PanOSSCTPAssocID assoc_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SCTP Chunks (chunks) PanOSSCTPChunks chunks

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SCTP Chunks Sent (chunks_sent) PanOSSCTPChunkSent chunks_sent

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SCTP Chunks Received (chunks_received) PanOSSCTPChunksRcv chunks_received

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Rule UUID (rule_uuid) PanOSRuleUUID security_result.rule_id
HTTP/2 Connection (http2_connection) PanOSHTTP2Con http2_connection

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

App Flap Count (link_change_count) PanLinkChange link_change_count

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Policy ID (policy_id) PanPolicyID policy_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Link Switches (link_switches) PanLinkDetail link_switches

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SD-WAN Cluster (sdwan_cluster) PanSDWANCluster sdwan_cluster

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SD-WAN Device Type (sdwan_device_type) PanSDWANDevice sdwan_device_type

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SD-WAN Cluster Type (sdwan_cluster_type) PanSDWANClustype sdwan_cluster_type

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SD-WAN Site (sdwan_site) PanSDWANSite sdwan_site

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Dynamic User Group Name (dynusergroup_name) PanDynamicUsrgrp dynusergroup_name

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

XFF Address (xff_ip) PanXFFIP principal.ip
Source Device Category (src_category) PanSrcDeviceCat src_category

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Profile (src_profile) PanSrcDeviceProf src_profile

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Model (src_model) PanSrcDeviceModel src_model

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Vendor (src_vendor) PanSrcDeviceVendor src_vendor

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Family (src_osfamily) PanSrcDeviceOS

principal.asset.platform_software.platform

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Version (src_osversion) PanSrcDeviceOSv principal.asset.software.version
Source Hostname (src_host) PanSrcHostname principal.hostname
Source MAC Address (src_mac) PanSrcMac principal.mac
Destination Device Category (dst_category) PanDstDeviceCat dst_category

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Profile (dst_profile) PanDstDeviceProf dst_profile

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Model (dst_model) PanDstDeviceModel dst_model

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Vendor (dst_vendor) PanDstDeviceVendor dst_vendor

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device OS Family (dst_osfamily) PanDstDeviceOS dst_osfamily

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device OS Version (dst_osversion) PanDstDeviceOSv target.asset.software.version
Destination Hostname (dst_host) PanDstHostname target.hostname
Destination MAC Address (dst_mac) PanDstMac target.mac
Container ID (container_id) PanContainerName container_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Namespace (pod_namespace) PanPODNamespace pod_namespace

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Name (pod_name) PanPODName pod_name

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source External Dynamic List (src_edl) PanSrcEDL src_edl

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination External Dynamic List (dst_edl) PanDstEDL dst_edl

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Host ID (hostid) PanGPHostID hostid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

User Device Serial Number (serialnumber) PanEPSerial principal.asset.hardware.serial_number
Source Dynamic Address Group (src_dag) PanSrcDAG principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) PanDstDAG target.group.group_display_name
Session Owner (session_owner) PanHASessionOwner session_owner

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

High Resolution Timestamp (high_res_timestamp) PanTimeHighRes metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

A Slice Service Type (nsdsai_sst) PanASServiceType nsdsai_sst

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

A Slice Differentiator (nsdsai_sd) PanASServiceDiff nsdsai_sd

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Subcategory (subcategory_of_app) subcategory_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Category (category_of_app) category_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Technology (technology_of_app) technology_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Risk (risk_of_app) security_result.severity
Application Characteristic (characteristic_of_app) characteristic_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Container (container_of_app) container_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application SaaS (is_saas_of_app) is_saas_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Sanctioned State (sanctioned_state_of_app) sanctioned_state_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Subcategory (subcategory_of_app) subcategory_of_app1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

User-ID

The following table lists the log fields of the user-id log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source IP (ip) src src principal.ip
User (user) duser usrName target.user.userid

target.administrative_domain

target.user.email_addresses

Data Source Name (datasourcename) cs4 DataSourceName datasourcename

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Event ID (eventid) EventID eventid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Repeat Count (repeatcnt) cnt RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Time Out Threshold (timeout) cn3 TimeoutThreshold timeout

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Port (beginport) spt srcPort principal.port
Destination Port (endport) dpt dstPort target.port
Data Source (datasource) cs5 DataSource datasource

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Data Source Type (datasourcetype) cs6 DataSourceType datasourcetype

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Virtual System ID (vsys_id) cn2 VirtualSystemID principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Factor Type (factortype) cs1 FactorType factortype

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Factor Completion Time (factorcompletiontime) end FactorCompletionTime factorcompletiontime

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Factor Number (factorno) cn1 FactorNumber factorno

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

User Group Flags (ugflags) PanOSUGFlags ugflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

User by Source (userbysource) PanOSUserBySource principal.user.userid

principal.administrative_domain

principal.user.email_addresses

High Resolution Timestamp (high_res timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

HIP match

The following table lists the log fields of the HIP match log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype
Generated Time (time_generated or cef-formatted-time_generated) start startTime metadata.event_timestamp
Source User (srcuser) suser usrName principal.user.userid
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Machine Name (machinename) shost identHostName principal.hostname
Operating System (os) cs2 OS principal.asset.platform_software.platform
Source Address (src) src identsrc principal.ip
HIP (matchname) cat HIP matchname

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Repeat Count (repeatcnt) cnt RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

HIP Type (matchtype) Device Event Class ID (Header) HIPType matchtype

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Virtual System ID (vsys_id) cn2 VirtualSystemID principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
IPv6 System Address (srcipv6) c6a2 srcipv6 principal.asset.ip
Host ID (hostid) PanOSHostID principal.asset.product_object_id
User Device Serial Number (serialnumber) PanOSEndpointSerialNumber principal.asset.hardware.serial_number
Device MAC Address (mac) PanOSEndpointMac principal.asset.mac
High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

IP tag

The following table lists the log fields of the IP tag log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) GenerateTime metadata.event_timestamp
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source IP (ip) src src principal.ip
Tag Name (tag_name) PanOSTagName TagName tag_name

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Event ID (event_id) PanOSEventID EventID event_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Repeat Count (repeatcnt) cnt RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Timeout (timeout) PanOSTimeout TimeoutThreshold timeout

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Data Source Name (datasourcename) PanOSDataSourceName DataSourceName datasourcename

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Data Source Type (datasource_type) PanOSDataSourceType DataSource datasource_type

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Data Source Subtype (datasource_subtype) PanOSDataSourceSubType DataSourceType datasource_subtype

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOsVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Virtual System ID (vsys_id) cn2 VirtualSystemID principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
High Resolution Timestamp (high_res timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Decryption

The following table lists the log fields of the decryption log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) PanOSDeviceSN intermediary.asset.hardware.serial_number
Type (type) type (Header) metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) metadata.product_event_type
Config Version (config_ver) PanOSConfigVersion config_ver

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Generate Time (time_generated) PanOSLogTimeStamp metadata.event_timestamp
Source Address (src) src principal.ip
Destination Address (dst) dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress principa.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress target.nat_ip
Rule (rule) cs1 security_result.rule_name
Source User (srcuser) suser principal.user.userid
Destination User (dstuser) duser target.user.userid
Application (app) app target.application
Virtual System (vsys) cs3 vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Zone (from) cs4 from

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Zone (to) cs5 to

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Inbound Interface (inbound_if) deviceInboundInterface inbound_if

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Outbound Interface (outbound_if) deviceOutboundInterface outbound_if

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Log Action (logset) cs6 logset

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Time Logged (time_received) PanOSTimeReceivedManagementPlane -
Session ID (sessionid) cn1 network.session_id
Repeat Count (repeatcnt) PanOSCountOfRepeats/RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Port (sport) spt principal.port
Destination Port (dport) dpt target.port
NAT Source Port (natsport) sourceTranslatedPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort target.nat_port
Flags (flags) flexString1 flags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

IP Protocol (proto) proto network.ip_protocol
Action (action) act security_result.action_details

security_result.action

Tunnel (tunnel) PanOSTunnel tunnel

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source VM UUID (src_uuid) PanOSSourceUUID principal.asset.asset_id
Destination VM UUID (dst_uuid) PanOSDestinationUUID target.asset.asset_id
UUID for rule (rule_uuid) PanOSRuleUUID security_result.rule_id
Stage for Client to Firewall (hs_stage_c2f) PanOSClientToFirewall hs_stage_c2f

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Stage for Firewall to Server (hs_stage_f2s) PanOSFirewallToServer hs_stage_f2s

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

TLS Version (tls_version) PanOSTLSVersion network.tls.version
Key Exchange Algorithm (tls_keyxchg) PanOSTLSKeyExchange tls_keyxchg

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Encryption Algorithm (tls_enc) PanOSTLSEncryptionAlgorithm tls_enc

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Hash Algorithm (tls_auth) PanOSTLSAuth tls_auth

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Policy Name (policy_name) PanOSPolicyName policy_name

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Elliptic Curve (ec_curve) PanOSEllipticCurve network.tls.curve
Error Index (err_index) PanOSErrorIndex err_index

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Root Status (root_status) PanOSRootStatus root_status

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Chain Status (chain_status) PanOSChainStatus chain_status

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Proxy Type (proxy_type) PanOSProxyType proxy_type

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Certificate Serial Number (cert_serial) PanOSCertificateSerial network.tls.server.certificate.serial
Certificate Fingerprint (fingerprint) PanOSFingerprint network.tls.server.certificate.md5/sha1/sha256
Certificate Start Date (notbefore) PanOSTimeNotBefore network.tls.server.certificate.not_before
Certificate End Date (notafter) PanOSTimeNotAfter network.tls.server.certificate.not_after
Certificate Version (cert_ver) PanOSCertificateVersion network.tls.server.certificate.version
Certificate Size (cert_size) PanOSCertificateSize cert_size

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Common Name Length (cn_len) PanOSCommonNameLength cn_len

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Issuer Common Name Length (issuer_len) PanOSIssuerNameLength issuer_len

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Root Common Name Length (rootcn_len) PanOSRootCNLength rootcn_len

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SNI Length (sni_len) PanOSSNILength sni_len

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Certificate Flags (cert_flags) PanOSCertificateFlags cert_flags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Subject Common Name (cn) PanOSCommonName cn

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Issuer Common Name (issuer_cn) PanOSIssuerCommonName network.tls.server.certificate.issuer
Root Common Name (root_cn) PanOSRootCommonName root_cn

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Server Name Indication

(sni)

network.tls.client.server_name
Error (error) PanOSErrorMessage error

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Container ID (container_id) PanOSContainerID container_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Namespace (pod_namespace) PanOSContainerNameSpace pod_namespace

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Name (pod_name) PanOSContainerName pod_name

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source External Dynamic List (src_edl) PanOSSourceEDL src_edl

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination External Dynamic List (dst_edl) PanOSDestinationEDL dst_edl

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Source Dynamic Address Group (src_dag) PanOSSourceDynamicAddressGroup principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) PanOSDestinationDynamicAddressGroup target.group.group_display_name
High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Source Device Category (src_category) PanOSSourceDeviceCategory src_category

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Profile (src_profile) PanOSSourceDeviceProfile src_profile

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Model (src_model) PanOSSourceDeviceModel src_model

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Vendor (src_vendor) PanOSSourceDeviceVendor src_vendor

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Family (src_osfamily) PanOSSourceDeviceOSFamily

principal.asset.platform_software.platform

principal.labels.key and principal.labels.value

Source Device OS Version (src_osversion) PanOSSourceDeviceOSVersion principal.asset.software.version
Source Hostname (src_host) PanOSSourceDeviceHost principal.hostname
Source MAC Address (src_mac) PanOSSourceDeviceMac principal.mac
Destination Device Category (dst_category) PanOSDestinationDeviceCategory dst_category

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Profile (dst_profile) PanOSDestinationDeviceProfile dst_profile

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Model (dst_model) PanOSDestinationDeviceModel dst_model

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Vendor (dst_vendor) PanOSDestinationDeviceVendor dst_vendor

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device OS Family (dst_osfamily) PanOSDestinationDeviceOSFamily dst_osfamily

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device OS Version (dst_osversion) PanOSDestinationDeviceOSVersion target.asset.software.version
Destination Hostname (dst_host) PanOSDestinationDeviceHost target.hostname
Destination MAC Address (dst_mac) PanOSDestinationDeviceMac target.mac
Sequence Number (seqno) PanOSLogTypeSeqNo metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_1) DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) intermediary.hostname
Virtual System ID (vsys_id) principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Application Subcategory (subcategory_of_app) subcategory_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Category (category_of_app) category_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Technology (technology_of_app) technology_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Risk (risk_of_app) security_result.severity
Application Characteristic (characteristic_of_app) characteristic_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Container (container_of_app) container_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application SaaS (is_saas_of_app) is_saas_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Sanctioned State (sanctioned_state_of_app) sanctioned_state_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Tunnel

The following table lists the log fields of the tunnel log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Source Address (src) src src principal.ip
Destination Address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule Name (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser / usrName principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application network.application_protocol
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Zone (from) cs4 SourceZone from

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Zone (to) cs5 DestinationZone to

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Log Action (logset) cs6 LogForwardingProfile logset

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details

security_result.action

Severity (severity) security_result.severity and security_result.severity_details
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Location (srcloc) principal.location.country_or_region
Destination Location (dstloc) target.location.country_or_region
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Tunnel ID (tunnelid) PanOSTunnelID TunnelID tunnelid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Monitor Tag (monitortag) PanOSMonitorTag MonitorTag monitortag

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id network.parent_session_id
Parent Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Tunnel Type (tunnel) cs2 TunnelType tunnel

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Bytes (bytes) flexNumber1 totalBytes bytes

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Bytes Sent (bytes_sent) in srcBytes network.sent_bytes
Bytes Received (bytes_received) out dstBytes network.received_bytes
Packets (packets) cn2 totalPackets packets

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Packets Sent (pkts_sent) PanOSPacketsSent srcPackets pkts_sent

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Packets Received (pkts_received) PanOSPacketsReceived dstPackets pkts_received

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Maximum Encapsulation (max_encap) flexNumber2 MaximumEncapsulation max_encap

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Unknown Protocol (unknown_proto) cfp1 UnknownProtocol unknown_proto

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Strict Checking (strict_check) cfp2 StrictChecking strict_check

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Tunnel Fragment (tunnel_fragment) PanOSTunnelFragment TunnelFragment tunnel_fragment

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Sessions Created (sessions_created) cfp3 SessionsCreated sessions_created

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Sessions Closed (sessions_closed) cfp4 SessionsClosed sessions_closed

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Session End Reason (session_end_reason) reason SessionEndReason security_result.summary
Action Source (action_source) cat ActionSource action_source

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Start Time (start) startTime start

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Elapsed Time (elapsed) cn3 ElapsedTime elapsed network.session_duration.seconds
Tunnel Inspection Rule (tunnel_insp_rule) PanOSTunneInspectionRule security_result.rule_name = "Tunnel Inspection Rule: %{PanOSTunnelInspectionRule}"
Remote User IP (remote_user_ip) PanOSRmtUserIP target.ip
Remote User ID (remote_user_id) PanOSRmtUserID remote_user_id

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Security Rule UUID (rule_uuid) PanOSRuleUUID security_result.rule_id
PCAP ID (pcap_id) PanOSPcapID pcap_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Dynamic User Group Name (dynusergroup_name) PanDynamicUsrgrp principal.group.group_display_name
Source External Dynamic List (src_edl) PanOSSourceEDL src_edl

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination External Dynamic List (dst_edl) PanOSDestinationEDL dst_edl

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

High Resolution Timestamp (high_res timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

A Slice Differentiator (nssai_sd) nssai_sd

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

A Slice Service Type (nssai_sd) nssai_sd1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

PDU Session ID (pdu_session_id) pdu_session_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Subcategory (subcategory_of_app) subcategory_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Category (category_of_app) category_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Technology (technology_of_app) technology_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Risk (risk_of_app) risk_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Characteristic (characteristic_of_app) characteristic_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Container (container_of_app) container_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application SaaS (is_saas_of_app) is_saas_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Application Sanctioned State (sanctioned_state_of_app) sanctioned_state_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Authentication

The following table lists the log fields of the authentication log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source IP (ip) src src principal.ip
User (user) duser usrName target.user.userid
Normalize User (normalize_user) cs2 NormalizeUser target.user.user_display_name
Object (object) fname ObjectName object

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Authentication Policy (authpolicy) cs4 AuthPolicy authpolicy

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Repeat Count (repeatcnt) cnt RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Authentication ID (authid) cn2 AuthenticationID authid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Vendor (vendor) flexString2 Vendor vendor

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Log Action (logset) cs6 LogForwardingProfile logset

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Server Profile (serverprofile) cs1 ServerProfile serverprofile

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Description (desc) PanOSDesc AdditionalAuthInfo security_result.description
Client Type (clienttype) cs5 ClientType clienttype

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Event Type (event) msg msg extensions.auth.auth_details
Factor Number (factorno) cn1 FactorNumber factorno

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Virtual System ID (vsys_id) principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Authentication Protocol (authproto) authproto

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

UUID for rule (rule_uuid) PanOSRuleUUID/RuleUUID security_result.rule_id
High Resolution Timestamp (high_res _timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Source Device Category (src_category) PanOSSourceDeviceCategory src_category

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Profile (src_profile) PanOSSourceDeviceProfile src_profile

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Model (src_model) PanOSSourceDeviceModel src_model

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Vendor (src_vendor) PanOSSourceDeviceVendor src_vendor

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Family (src_osfamily) PanOSSourceDeviceOSFamily

principal.asset.platform_software.platform

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Version (src_osversion) PanOSSourceDeviceOSVersion principal.asset.software.version
Source Hostname (src_host) PanOSSourceHostname principal.hostname
Source MAC Address (src_mac) PanOSSourceMac principal.asset.mac
Region (region) PanOSTrafficOriginRegion principal.location.country_or_region
User Agent (user_agent) PanOSHTTPUserAgent network.http.user_agent
Session ID(sessionid) PanOSTrafficSessionID network.session_id

URL

The following table lists the log fields of the URL log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial # (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generate Time metadata.event_timestamp
Source address (src) src src principal.ip
Destination address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application network.application_protocol
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Zone (from) cs4 SourceZone from

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Zone (to) cs5 DestinationZone to

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Log Action (logset) cs6 LogForwardingProfile logset

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Time Logged time_logged

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details

security_result.action

URL/Filename (misc) Miscellaneous target.file.full_path

target.url

Threat/Content Name (threatid) cat ThreatID security_result.threat_id
Category (category) cs2 URLCategory category

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Severity (severity) number-of-severity (Header) Severity security_result.severity

security_result.severity_details

Direction (direction) flexString2 Direction network.direction
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Country (srcloc) SourceLocation principal.location.country_or_region
Destination Country (dstloc) DestinationLocation target.location.country_or_region
contenttype (contenttype) requestContext ContentType contenttype

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

pcap_id (pcap_id) fileId PCAP_ID pcap_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

filedigest (filedigest) FileDigest about.file.sha1/md5/sha256
cloud (cloud) Cloud cloud

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

url_idx (url_idx) URLIndex url_idx

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

user_agent (user_agent) requestClientApplication UserAgent network.http.user_agent
filetype (filetype) about.file.mime_type
xff (xff) PanOSXForwarderfor identSrc xff

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

referer (referer) PanOSReferer Referer network.http.referral_url
sender (sender) network.email.from
subject (subject) Subject network.email.subject
recipient (recipient) network.email.to
reportid (reportid) reportid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

DG Hierarchy Level 1 (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

DG Hierarchy Level 2 (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

DG Hierarchy Level 3 (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

DG Hierarchy Level 4 (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
file_url (file_url) about.url
Source VM UUID (src_uuid) SrcUUID principal.asset.asset_id
Destination VM UUID (dst_uuid) DstUUID target.asset.asset_id
http_method (http_method) requestMethod RequestMethod network.http.method
Tunnel ID/IMSI (tunnelid) PanOSTunnelID TunnelID tunnelid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Monitor Tag/IMEI (monitortag) PanOSMonitorTag MonitorTag monitortag

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id network.parent_session_id
Parent Session Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Tunnel (tunnel) PanOSTunnelType TunnelType tunnel

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

thr_category (thr_category) PanOSThreatCategory ThreatCategory thr_category security_result.detection_fields.key/value
contentver (contentver) PanOSContentVer ContentVer contentver

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

sig_flags (sig_flags) sig_flags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SCTP Association ID (assoc_id) PanOSAssocID assoc_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Payload Protocol ID (ppid) PanOSPPID ppid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

http_headers (http_headers) PanOSHTTPHeader http_headers

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

URL Category List (url_category_list) PanOSURLCatList url_category_list

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

UUID for rule (rule_uuid) PanOSRuleUUID rule_uuid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

HTTP/2 Connection (http2_connection) PanOSHTTP2Con http2_connection

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

dynusergroup_name (dynusergroup_name) PanDynamicUsrgrp dynusergroup_name

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

XFF address (xff_ip) PanXFFIP principal.ip
Source Device Category (src_category) PanSrcDeviceCat src_category

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Profile (src_profile) PanSrcDeviceProf src_profile

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Model (src_model) PanSrcDeviceModel src_model

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Vendor (src_vendor) PanSrcDeviceVendor src_vendor

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Family (src_osfamily) PanSrcDeviceOS

principal.asset.platform_software.platform

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Version (src_osversion) PanSrcDeviceOSv principal.asset.software.version
Source Hostname (src_host) PanSrcHostname src_host

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Mac Address (src_mac) PanSrcMac principal.mac
Destination Device Category (dst_category) PanDstDeviceCat dst_category

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Profile (dst_profile) PanDstDeviceProf dst_profile

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Model (dst_model) PanDstDeviceModel dst_model

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Vendor (dst_vendor) PanDstDeviceVendor dst_vendor

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device OS Family (dst_osfamily) PanDstDeviceOS target.asset.platform_software.platform

target.labels.key and target.labels.value

Destination Device OS Version (dst_osversion) PanDstDeviceOSv target.asset.software.version
Destination Hostname (dst_host) PanPODNamespace target.hostname
Destination Mac Address (dst_mac) PanDstMac target.mac
Container ID (container_id) PanContainerName container_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Namespace (pod_namespace) PanPODNamespace pod_namespace

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Name (pod_name) PanPODName pod_name

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source External Dynamic List (src_edl) PanSrcEDL src_edl

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination External Dynamic List (dst_edl) PanDstEDL dst_edl

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Host ID (hostid) PanGPHostID hostid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Serial Number (serialnumber) PanEPSerial principal.asset.hardware.serial_number
domain_edl (domain_edl) PanDomainEDL domain_edl

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Dynamic Address Group (src_dag) PanSrcDAG principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) PanDstDAG target.group.group_display_name
partial_hash (partial_hash) PanPartialHash partial_hash

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

High Res Timestamp (high_res_timestamp) PanTimeHighRes metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Reason (reason) PanReasonFilteringAction reason

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

justification (justification) PanJustification justification

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

nssai_sst (nssai_sst) PanASServiceType nssai_sst

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Subcategory of app (subcategory_of_app) subcategory_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Category of app (category_of_app) category_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Technology of app (technology_of_app) technology_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Risk of app (risk_of_app) risk_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Characteristic of app (characteristic_of_app) characteristic_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Container of app (container_of_app) container_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Tunneled app (tunneled_app) tunneled_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SaaS of app (is_saas_of_app) is_saas_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Sanctioned State of app (sanctioned_state_of_app) sanctioned_state_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Data

The following table lists the log fields of the data log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial # (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generate Time metadata.event_timestamp
Source address (src) src src principal.ip
Destination address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application network.application_protocol
Virtual System (vsys) cs3 VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Zone (from) cs4 SourceZone from

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Zone (to) cs5 DestinationZone to

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Log Action (logset) cs6 LogForwardingProfile logset

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Time Logged time_logged

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details

security_result.action

URL/Filename (misc) Miscellaneous target.file.full_path

target.url

Threat/Content Name (threatid) cat ThreatID security_result.threat_id
Category (category) cs2 URLCategory category

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Severity (severity) number-of-severity (Header) Severity security_result.severity

security_result.severity_details

Direction (direction) flexString2 Direction network.direction
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Country (srcloc) SourceLocation principal.location.country_or_region
Destination Country (dstloc) DestinationLocation target.location.country_or_region
contenttype (contenttype) ContentType contenttype

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

pcap_id (pcap_id) fileId PCAP_ID pcap_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

filedigest (filedigest) FileDigest about.file.sha1/md5/sha256
cloud (cloud) Cloud cloud

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

url_idx (url_idx) URLIndex url_idx

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

user_agent (user_agent) network.http.user_agent
filetype (filetype) about.file.mime_type
xff (xff) xff

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

referer (referer) network.http.referral_url
sender (sender) network.email.from
subject (subject) Subject network.email.subject
recipient (recipient) network.email.to
reportid (reportid) reportid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

DG Hierarchy Level 1 (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

DG Hierarchy Level 2 (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

DG Hierarchy Level 3 (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

DG Hierarchy Level 4 (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
file_url (file_url) about.url
Source VM UUID (src_uuid) SrcUUID principal.asset.asset_id
Destination VM UUID (dst_uuid) DstUUID target.asset.asset_id
http_method (http_method) RequestMethod network.http.method
Tunnel ID/IMSI (tunnelid) PanOSTunnelID TunnelID tunnelid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Monitor Tag/IMEI (monitortag) PanOSMonitorTag MonitorTag monitortag

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id network.parent_session_id
Parent Session Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Tunnel (tunnel) PanOSTunnelType TunnelType tunnel

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

thr_category (thr_category) PanOSThreatCategory ThreatCategory thr_category security_result.detection_fields.key/value
contentver (contentver) PanOSContentVer ContentVer contentver

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

sig_flags (sig_flags) sig_flags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SCTP Association ID (assoc_id) PanOSAssocID assoc_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Payload Protocol ID (ppid) PanOSPPID ppid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

http_headers (http_headers) PanOSHTTPHeader http_headers

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

URL Category List (url_category_list) url_category_list

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

UUID for rule (rule_uuid) PanOSRuleUUID rule_uuid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

HTTP/2 Connection (http2_connection) http2_connection

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

dynusergroup_name (dynusergroup_name) dynusergroup_name

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

XFF address (xff_ip) principal.ip
Source Device Category (src_category) src_category

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Profile (src_profile) src_profile

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Model (src_model) src_model

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device Vendor (src_vendor) src_vendor

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Family (src_osfamily)

principal.asset.platform_software.platform

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Device OS Version (src_osversion) principal.asset.software.version
Source Hostname (src_host) src_host

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Source Mac Address (src_mac) principal.mac
Destination Device Category (dst_category) dst_category

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Profile (dst_profile) dst_profile

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Model (dst_model) dst_model

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device Vendor (dst_vendor) dst_vendor

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Destination Device OS Family (dst_osfamily) target.asset.platform_software.platform

target.labels.key and target.labels.value

Destination Device OS Version (dst_osversion) target.asset.software.version
Destination Hostname (dst_host) target.hostname
Destination Mac Address (dst_mac) target.mac
Container ID (container_id) container_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Namespace (pod_namespace) pod_namespace

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

POD Name (pod_name) pod_name

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source External Dynamic List (src_edl) src_edl

principal.labels.key and principal.labels.value

additional.fields.key and additional.fields.value.string_value

Destination External Dynamic List (dst_edl) dst_edl

target.labels.key and target.labels.value

additional.fields.key and additional.fields.value.string_value

Host ID (hostid) hostid

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Serial Number (serialnumber) principal.asset.hardware.serial_number
domain_edl (domain_edl) domain_edl

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source Dynamic Address Group (src_dag) principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) target.group.group_display_name
partial_hash (partial_hash) partial_hash

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

High Res Timestamp (high_res_timestamp) metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Reason (reason) reason

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

justification (justification) justification

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

nssai_sst (nssai_sst) nssai_sst

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Subcategory of app (subcategory_of_app) subcategory_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Category of app (category_of_app) category_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Technology of app (technology_of_app) technology_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Risk of app (risk_of_app) risk_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Characteristic of app (characteristic_of_app) characteristic_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Container of app (container_of_app) container_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Tunneled app (tunneled_app) tunneled_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SaaS of app (is_saas_of_app) is_saas_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Sanctioned State of app (sanctioned_state_of_app) sanctioned_state_of_app

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

GlobalProtect

The following table lists the log fields of the GlobalProtect log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Receive Time (receive_time) rt received_time metadata.event_timestamp
Serial # (serial) PanOSDeviceSN intermediary_asset_hardware_serial_number intermediary.asset.hardware.serial_number
Type (type) type (Header) metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generate Time (time_generated) PanOSLogTimeStamp generated_timestamp metadata.event_timestamp
Virtual System (vsys) PanOSVirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Event ID (eventid) PanOSEventID event_id

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Stage (stage) PanOSStage stage

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Authentication Method (auth_method) PanOSAuthMethod extension_auth_auth_details extensions.auth.auth_details
Tunnel Type (tunnel_type) PanOSTunnelType tunnel

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Source User (srcuser) PanOSSourceUserName src_user principal.user.email_address

principal.user.userid

principal.administrative_domain

Source Region (srcregion) PanOSSourceRegion src_region principal.location.country_or_region
Machine Name (machinename) PanOSEndpointDeviceName machine_name principal.hostname
Public IP (public_ip) PanOSPublicIPv4 principal.nat_ip
Public IPv6 (public_ipv6) PanOSPublicIPv6 principal.nat_ip
Private IP (private_ip) PanOSPrivateIPv4 principal.ip
Private IPv6 (private_ipv6) PanOSPrivateIPv6 principal.ip
Host ID (hostid) PanOSHostID hostid principal.asset.asset_id
Serial Number (serialnumber) PanOSDeviceSN principal.asset.hardware.serial_number
Client Version (client_ver) PanOSGlobalProtectClientVersion client_ver

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Client OS (client_os) PanOSEndpointOSType principal.asset.platform_software.platform(enum)
Client OS Version (client_os_ver) PanOSEndpointOSVersion principal.asset.platform_software.platform_version
Repeat Count (repeatcnt) PanOSCountOfRepeats repeatcnt

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Reason (reason) PanOSQuarantineReason security_result.summary
Error (error) PanOSConnectionError error security_result.description
Description (opaque) PanOSDescription security_result.description
Status (status) PanOSEventStatus status

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Location (location) PanOSGPGatewayLocation target.location.country_or_region
Login Duration (login_duration) PanOSLoginDuration network.session_duration
Connect Method (connect_method) PanOSConnectionMethod connect_method

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Error Code (error_code) PanOSConnectionErrorID error_code

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Portal (portal) PanOSPortal portal

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Sequence Number (seqno) PanOSSequenceNo metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags actionflags

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

High Resolution Timestamp (high_res_timestamp) anOSTimeGeneratedHighResolution metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Gateway Selection Method (selection_type) PanOSGatewaySelectionType selection_type

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

SSL Response Time (response_time) PanOSSSLResponseTime response_time

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Gateway Priority (priority) PanOSGatewayPriority priority

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Attempted Gateways (attempted_gateways) PanOSAttemptedGateways attempted_gateways

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Gateway Name (gateway) PanOSAttemptedGateways gateway

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_1) dg_hier_level_1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_2) dg_hier_level_2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_3) dg_hier_level_3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy (dg_hier_level_4) dg_hier_level_4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) target.hostname
Virtual System ID (vsys_id) principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id

Correlation

The following table lists the log fields of the Correlation log type and their corresponding UDM fields.

CSV field CEF field LEEF field Google Security Operations label key UDM field
Generated Time (time_generated or cef-formatted-time_generated) startTime generated_timestamp metadata.event_timestamp
Source Address (src) src principal.ip
Source User (srcuser) SourceUser / usrName principal.user.userid
Virtual System (vsys) VirtualSystem vsys

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Category (category) security_result.category_details
Severity (severity) Severity security_result.severity and security_result.severity_details
Device Group Hierarchy Level 1 DeviceGroupHierarchyL1

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy Level 2 DeviceGroupHierarchyL2

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy Level 3 DeviceGroupHierarchyL3

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Device Group Hierarchy Level 4 DeviceGroupHierarchyL4

about.labels.key and about.labels.value

additional.fields.key and additional.fields.value.string_value

Virtual System Name (vsys_name) vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) DeviceName intermediary.hostname
Virtual System ID (vsys_id) VirtualSystemID principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Object Name (objectname) ObjectName target.resource.name
Object ID (object_id) ObjectID target.resource.product_object_id

Field mapping reference: Log types to UDM event type

The following table lists the Palo Alto Networks firewall log types and their corresponding UDM event types.

Log type UDM event type
Traffic NETWORK_CONNECTION
Threat NETWORK_CONNECTION
URL Filtering NETWORK_CONNECTION
WildFire NETWORK_CONNECTION

WildFire submissions logs are a subtype of Threat log type and use the same syslog format.

Data Filtering NETWORK_CONNECTION
Tunnel NETWORK_CONNECTION
Config SETTING_MODIFICATION/SETTING_CREATION/SETTING_DELETION/SETTING_UNCATEGORIZED

The value of the "Command (cmd)" field determines the UDM event type mapping. If the cmd field value is add or clone, SETTING_CREATION is set.

If the cmd field value is delete, SETTING_DELETION is set.

If the cmd field value is edit, move, rename, set, or commit, SETTING_MODIFICATION is set.

If the cmd field value does not contain any values, then SETTING_UNCATEGORIZED is set.

System

If the subtype value is "dhcp", then NETWORK_DHCP is set.

If the subtype value is "auth", then USER_LOGIN is set.

If the description value is "logged in", then USER_LOGIN is set.

If the description value is "logged out", then USER_LOGOUT is set.

For other values of the subtype, GENERIC_EVENT is set.

HIP Match NETWORK_CONNECTION
IP Tag GENERIC_EVENT
User-ID USER_LOGIN/USER_LOGOUT/USER_UNCATEGORIZED

If subtype value is "login", then USER_LOGIN is set.

If subtype value is "logout", then USER_LOGOUT is set.

If subtype does not contain any value, then USER_UNCATEGORIZED is set.

Decryption NETWORK_CONNECTION
Authentication GENERIC_EVENT

What's next