Collect Palo Alto Networks firewall logs

Overview

This document describes how you can configure syslog and a Chronicle forwarder to collect Palo Alto Networks firewall logs. This document also explains how Palo Alto Networks firewall log fields map to Chronicle Unified Data Model (UDM) fields.

For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the PAN_FIREWALL ingestion label.

Before you begin

  • To understand the components deployed to collect Palo Alto Networks firewall logs, review the deployment architecture. Each customer deployment might differ from this representation and might be more complex.

    The following diagram shows how you can configure syslog on a Palo Alto Networks firewall and install a Chronicle forwarder on a Linux server to forward log data to Chronicle. The parser supports logs written in the following data formats: Comma Separated Values (CSV), Common Event Format (CEF), and Log Event Extended Format (LEEF).

    Deployment architecture

  • Verify the log formats and PAN-OS versions that the Chronicle parser supports. The following table lists the log formats and the corresponding PAN-OS versions that the Chronicle parser supports:

    Log format   PAN-OS version
    CSV          10.1.3
    CEF          10.0.0
    LEEF         9.1.0

  • Verify the Palo Alto Networks firewall log types that the Chronicle parser supports. The Chronicle parser supports the following Palo Alto Networks firewall log types:

    • Traffic
    • Threat
    • WildFire submissions
    • Tunnel inspection
    • Config
    • System
    • HIP match
    • IP-Tag
    • User-ID
    • Decryption
    • Authentication
    • URL filtering
    • Data filtering
    • GlobalProtect
    • Correlation

    For more information about the Palo Alto Networks firewall log types, see PAN-OS log types.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

  • Before you use the Palo Alto Networks firewall Gold parser, review the changes in field mappings between the default parser and Gold parser listed in this document. As part of the migration, ensure that the rules, searches, dashboards, or other processes that depend on the original fields use the updated fields.

    For example, in the default parser, the "category" log field is mapped to the "security_result.description" UDM field. In the PAN firewall Gold parser, the "category" log field is mapped to the "security_result.category_details" UDM field. If you migrate to PAN firewall Gold parser and use "category" in your rules, you need to modify the rules to use the "security_result.category_details" UDM field of the Gold parser.

Configure syslog and the Chronicle forwarder

To configure syslog and the Chronicle forwarder, complete the following steps:

  1. To monitor CSV logs, configure the syslog server profile. For more information, see Configure the syslog server profile.

    When you configure the syslog server profile, specify "Default" as the custom log format.

  2. To monitor CEF logs, configure the Palo Alto Networks firewall to forward CEF logs. For more information, download the PAN-OS CEF Integration guide PDF and see the "Configuration of Palo Alto Networks NGFW to output CEF events" section.

  3. To monitor LEEF logs, configure the syslog server profile. For more information, see Custom log forwarding in LEEF format.

  4. Configure the Chronicle forwarder to send logs to Chronicle. For more information, see Installing and configuring the forwarder on Linux. The following is an example of a Chronicle forwarder configuration:

      - syslog:
          common:
            enabled: true
            data_type: PAN_FIREWALL
            batch_n_seconds: 10
            batch_n_bytes: 1048576
          tcp_address: 0.0.0.0:10518
          connection_timeout_sec: 60

Field mapping reference: PAN firewall logs fields to UDM fields

This section explains how the Chronicle parser maps Palo Alto Networks firewall log fields to Chronicle UDM event fields for each log type.

The Chronicle label key is the name of the key that the parser writes to the labels.key UDM field. For example, the "Virtual System" field is named "cs3" in CEF format and "VirtualSystem" in LEEF format; in both cases the UDM field "about.labels.key" contains "vsys" and the UDM field "about.labels.value" contains the value of that field.

Some CEF and LEEF field names have no corresponding CSV field name. In such cases, if you add your own variable name to the custom log format in the syslog server profile, the Chronicle parser does not map it to any UDM field.

The following sections give the mapping reference for each log type:

System

The following table lists the log fields of the system log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type is set to "%{type} - %{subtype}".
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type is set to "%{type} - %{subtype}".
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Event ID (eventid) cat eventid about.labels.key/value
Object (object) fname Filename object about.labels.key/value
Module (module) flexString2 Module module about.labels.key/value
Severity (severity) $number-of-severity(header) Severity security_result.severity and security_result.severity_details
Description (opaque) msg msg metadata.description
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
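The following Python script, added here as an illustration and not part of Chronicle's parser, applies the System table's rules to a constructed PAN-OS CEF line: it parses the CEF header and extensions, builds metadata.product_event_type from the header's type and subtype, stores the label-key fields as about.labels entries, falls back to Receive Time for metadata.event_timestamp because the System table lists no CEF key for Generate Time, and drops an unmapped custom key as described under the field mapping reference. It assumes that the CEF Name slot carries the log type and the Device Event Class ID slot carries the subtype (the PAN-OS CEF layout), that cef-formatted timestamps look like "Jan 12 2024 10:15:30" in UTC, and that the numeric-to-enum severity buckets are this example's own choice.

```python
"""Map a PAN-OS System log in CEF format to the UDM fields in the System table.
Added example, not Chronicle's parser code. The CEF line is constructed, and the
UDM result is a flat dict keyed by dotted UDM field path."""
import re
from datetime import datetime, timezone

# CEF extension key -> PAN-OS CSV field name, taken from the System table.
CEF_TO_CSV = {
    "rt": "receive_time", "deviceExternalId": "serial", "cs3": "vsys",
    "cat": "eventid", "fname": "object", "flexString2": "module", "msg": "opaque",
    "externalId": "seqno", "PanOSActionFlags": "actionflags",
    "PanOSDGl1": "dg_hier_level_1", "PanOSDGl2": "dg_hier_level_2",
    "PanOSDGl3": "dg_hier_level_3", "PanOSDGl4": "dg_hier_level_4",
    "PanOSVsysName": "vsys_name", "dvchost": "device_name",
}
# CSV fields that become about.labels entries; the CSV name is the Chronicle label key.
LABEL_FIELDS = ("vsys", "eventid", "object", "module", "actionflags",
                "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4")
# CSV fields with a dedicated UDM field.
DIRECT_FIELDS = {
    "serial": "intermediary.asset.hardware.serial_number",
    "opaque": "metadata.description",
    "seqno": "metadata.product_log_id",
    "vsys_name": "principal.resource.name",
    "device_name": "intermediary.hostname",
}

# Constructed sample line. The trailing myCustomKey stands in for a variable
# added to the syslog profile's custom log format that the table does not map.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|PAN-OS|10.0.0|general|SYSTEM|3|"
    "rt=Jan 12 2024 10:15:30 deviceExternalId=007200001234 "
    "cs3Label=Virtual System cs3=vsys1 fname= flexString2Label=Module flexString2=general "
    "msg=User admin logged in via Web from 10.0.0.5 using https externalId=123456 "
    "cat=auth-success PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 "
    "PanOSVsysName=vsys1 dvchost=PA-VM PanOSActionFlags=0x0 myCustomKey=ignored"
)


def parse_cef(line):
    """Return (header, extensions) for one CEF line.
    Header layout: CEF:Version|Vendor|Product|Version|DeviceEventClassID|Name|Severity|Ext."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = {"event_class_id": parts[4], "name": parts[5], "severity": parts[6]}
    # Extension values may contain spaces, so a value runs up to the next " key=" token.
    # (CEF backslash escapes such as "\=" are not unescaped in this example.)
    extensions = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return header, extensions


def parse_cef_time(value):
    """Assumed layout of PAN-OS cef-formatted timestamps, e.g. 'Jan 12 2024 10:15:30',
    read as UTC because every system in the deployment is required to run in UTC."""
    return datetime.strptime(value, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def udm_severity(raw):
    """Bucket the 0-10 CEF header severity; the enum names are this example's choice."""
    n = int(raw)
    if n <= 3:
        return "LOW"
    if n <= 6:
        return "MEDIUM"
    if n <= 8:
        return "HIGH"
    return "CRITICAL"


def map_system_log(line):
    header, ext = parse_cef(line)
    # Keep only extension keys the table maps; anything else (for example a
    # custom variable name from the syslog profile) is dropped.
    fields = {CEF_TO_CSV[k]: v for k, v in ext.items() if k in CEF_TO_CSV}
    if "receive_time" not in fields:
        raise ValueError("rt (Receive Time) is required")
    udm = {}
    # Assumption: Name carries the log type and Device Event Class ID the subtype.
    udm["metadata.product_event_type"] = f"{header['name']} - {header['event_class_id']}"
    received = parse_cef_time(fields["receive_time"])
    udm["metadata.collected_timestamp"] = received
    # Generate Time takes precedence when a mapping supplies it; the System table
    # lists no CEF key for it, so CEF events fall back to Receive Time.
    generated = fields.get("time_generated")
    udm["metadata.event_timestamp"] = parse_cef_time(generated) if generated else received
    udm["security_result.severity_details"] = header["severity"]
    udm["security_result.severity"] = udm_severity(header["severity"])
    for csv_name, path in DIRECT_FIELDS.items():
        if csv_name in fields:
            udm[path] = fields[csv_name]
    if "vsys_name" in fields:
        udm["principal.resource.resource_type"] = "VIRTUAL_MACHINE"
    # Empty values (fname= in the sample) produce no label.
    udm["about.labels"] = [{"key": k, "value": fields[k]} for k in LABEL_FIELDS if fields.get(k)]
    return udm


if __name__ == "__main__":
    for path, value in map_system_log(SAMPLE_CEF).items():
        print(f"{path}: {value}")
```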

Config

The following table lists the log fields of the config log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Host (host) shost src principal.ip/hostname
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Command (cmd) act msg cmd about.labels.key/value
Admin (admin) duser usrName principal.user.userid
Client (client) destinationServiceName client principal.application
Result (result) Signature ID (Header)(reason) Result security_result.summary
Configuration Path (path) msg ConfigurationPath principal.process.command_line
Before Change Detail (before_change_detail) cs1 BeforeChangeDetail before_change_detail target.resource.attribute.labels.key/value
After Change Detail (after_change_detail) cs2 AfterChangeDetail after_change_detail target.resource.attribute.labels.key/value
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Device Group (dg_id) PanOSFWDeviceGroup dg_id principal.asset.attribute.labels.key/value
Audit Comment (comment) PanOSPolicyAuditComment comment about.labels.key/value

Threat/WildFire

The following table lists the log fields of the Threat/WildFire log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) cat/subtype (Header) Subtype metadata.product_event_type
Generate Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Source address (src) src src principal.ip
Destination address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule Name (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser / usrName principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application target.application
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Source Zone (from) cs4 SourceZone from principal.labels.key/value
Destination Zone (to) cs5 DestinationZone to target.labels.key/value
Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if principal.labels.key/value
Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if target.labels.key/value
Log Action (logset) cs6 LogForwardingProfile logset about.labels.key/value
Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt about.labels.key/value
Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags about.labels.key/value
IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details, security_result.action

URL/Filename (misc) request Miscellaneous target.file.full_path, target.url

Threat/Content Name (threatid) cat ThreatID security_result.threat_name
Category (category) cs2 URLCategory security_result.category_details
Severity (severity) number-of-severity(header) Severity security_result.severity and security_result.severity_details
Direction (direction) flexString2 Direction network.direction
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Source Country (srcloc) SourceLocation principal.location.country_or_region
Destination Country (dstloc) DestinationLocation target.location.country_or_region
Content Type (contenttype) ContentType contenttype about.labels.key/value
PCAP ID (pcap_id) fileId PCAP_ID pcap_id about.labels.key/value
File Digest (filedigest) fileHash FileDigest about.file.sha1/md5/sha256
Cloud (cloud) filePath Cloud cloud about.labels.key/value
URL Index (url_idx) URLIndex url_idx about.labels.key/value
User Agent (user_agent) network.http.user_agent
File Type (filetype) fileType FileType about.file.mime_type
X-Forwarded-For (xff) principal.ip
Referer (referer) network.http.referral_url
Sender (sender) suid Sender network.email.from
Subject (subject) msg Subject network.email.subject
Recipient (recipient) duid Recipient network.email.to
Report ID (reportid) oldFileId ReportID reportid about.labels.key/value
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Source VM UUID (src_uuid) PanOSSrcUUID SrcUUID principal.user.product_object_id
Destination VM UUID (dst_uuid) PanOSDstUUID DstUUID target.user.product_object_id
HTTP Method (http_method) RequestMethod network.http.method
Tunnel ID/IMSI (tunnel_id/imsi) PanOSTunnelID TunnelID tunnel_id/imsi about.labels.key/value
Monitor Tag/IMEI (monitortag/imei) PanOSMonitorTag MonitorTag monitortag/imei about.labels.key/value
Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id about.labels.key/value
Parent Session Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time about.labels.key/value
Tunnel Type (tunnel) PanOSTunnelType TunnelType tunnel about.labels.key/value
Threat Category (thr_category) PanOSThreatCategory ThreatCategory thr_category security_result.detection_fields.key/value
Content Version (contentver) PanOSContentVer ContentVer contentver about.labels.key/value
SCTP Association ID (assoc_id) PanOSAssocID assoc_id about.labels.key/value
Payload Protocol ID (ppid) PanOSPPID ppid about.labels.key/value
HTTP Headers (http_headers) PanOSHTTPHeader http_headers about.labels.key/value
URL Category List (url_category_list) PanOSURLCatList url_category_list about.labels.key/value
Rule UUID (rule_uuid) PanOSRuleUUID security_result.rule_id
HTTP/2 Connection (http2_connection) PanOSHTTP2Con http2_connection about.labels.key/value
Dynamic User Group Name (dynusergroup_name) PanDynamicUsrgrp dynusergroup_name principal.labels.key/value
XFF Address (xff_ip) PanXFFIP principal.ip
Source Device Category (src_category) PanSrcDeviceCat src_category principal.labels.key/value
Source Device Profile (src_profile) PanSrcDeviceProf src_profile principal.labels.key/value
Source Device Model (src_model) PanSrcDeviceModel src_model principal.labels.key/value
Source Device Vendor (src_vendor) PanSrcDeviceVendor src_vendor principal.labels.key/value
Source Device OS Family (src_osfamily) PanSrcDeviceOS src_osfamily principal.asset.platform_software.platform, principal.labels.key/value

Source Device OS Version (src_osversion) PanSrcDeviceOSv principal.asset.software.version
Source Hostname (src_host) PanSrcHostname principal.hostname
Source MAC Address (src_mac) PanSrcMac principal.mac
Destination Device Category (dst_category) PanDstDeviceCat dst_category target.labels.key/value
Destination Device Profile (dst_profile) PanDstDeviceProf dst_profile target.labels.key/value
Destination Device Model (dst_model) PanDstDeviceModel dst_model target.labels.key/value
Destination Device Vendor (dst_vendor) PanDstDeviceVendor dst_vendor target.labels.key/value
Destination Device OS Family (dst_osfamily) PanDstDeviceOS dst_osfamily target.labels.key/value
Destination Device OS Version (dst_osversion) PanDstDeviceOSv target.asset.software.version
Destination Hostname (dst_host) PanDstHostname target.hostname
Destination MAC Address (dst_mac) PanDstMac target.mac
Container ID (container_id) PanContainerName container_id about.labels.key/value
POD Namespace (pod_namespace) PanPODNamespace pod_namespace about.labels.key/value
POD Name (pod_name) PanPODName pod_name about.labels.key/value
Source External Dynamic List (src_edl) PanSrcEDL src_edl about.labels.key/value
Destination External Dynamic List (dst_edl) PanDstEDL dst_edl about.labels.key/value
Host ID (hostid) PanGPHostID hostid about.labels.key/value
User Device Serial Number (serialnumber) PanEPSerial principal.asset.hardware.serial_number
Domain EDL (domain_edl) PanDomainEDL domain_edl about.labels.key/value
Source Dynamic Address Group (src_dag) PanSrcDAG principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) PanDstDAG target.group.group_display_name
Partial Hash (partial_hash) PanPartialHash partial_hash about.labels.key/value
High Resolution Timestamp (high_res_timestamp) PanTimeHighRes high_res_timestamp metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Reason (reason) PanReasonFilteringAction reason about.labels.key/value
Justification (justification) PanJustification justification about.labels.key/value
A Slice Service Type (nssai_sst) PanASServiceType nssai_sst about.labels.key/value
Application Subcategory (subcategory_of_app) subcategory_of_app about.labels.key/value
Application Category (category_of_app) category_of_app about.labels.key/value
Application Technology (technology_of_app) technology_of_app about.labels.key/value
Application Risk (risk_of_app) risk_of_app about.labels.key/value
Application Characteristic (characteristic_of_app) characteristic_of_app about.labels.key/value
Application Container (container_of_app) container_of_app about.labels.key/value
Application SaaS (is_saas_of_app) is_saas_of_app about.labels.key/value
Application Sanctioned State (sanctioned_state_of_app) sanctioned_state_of_app about.labels.key/value

Traffic

The following table lists the log fields of the traffic log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat/Type metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) start metadata.event_timestamp
Source Address (src) src src principal.ip
Destination Address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule Name (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application target.application
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Source Zone (from) cs4 SourceZone from principal.labels.key/value
Destination Zone (to) cs5 DestinationZone to target.labels.key/value
Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if principal.labels.key/value
Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if target.labels.key/value
Log Action (logset) cs6 LogForwardingProfile logset about.labels.key/value
Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt about.labels.key/value
Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags about.labels.key/value
IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details, security_result.action

Bytes (bytes) flexNumber1 totalBytes bytes about.labels.key/value
Bytes Sent (bytes_sent) in srcBytes network.received_bytes
Bytes Received (bytes_received) out dstBytes network.sent_bytes
Packets (packets) cn2 totalPackets packets about.labels.key/value
Start Time (start) StartTime start about.labels.key/value
Elapsed Time (elapsed) cn3 ElapsedTime elapsed about.labels.key/value
Category (category) cs2 URLCategory security_result.category / security_result.category_details
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Source Country (srcloc) SourceLocation principal.location.country_or_region
Destination Country (dstloc) DestinationLocation target.location.country_or_region
Packets Sent (pkts_sent) PanOSPacketsSent srcPackets pkts_sent about.labels.key/value
Packets Received (pkts_received) PanOSPacketsReceived dstPackets pkts_received about.labels.key/value
Session End Reason (session_end_reason) reason SessionEndReason security_result.summary
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Action Source (action_source) cat ActionSource action_source about.labels.key/value
Source VM UUID (src_uuid) PanOSSrcUUID SrcUUID principal.asset.product_object_id
Destination VM UUID (dst_uuid) PanOSDstUUID DstUUID target.asset.product_object_id
Tunnel ID/IMSI (tunnelid/imsi) PanOSTunnelID TunnelID tunnelid/imsi about.labels.key/value
Monitor Tag/IMEI (monitortag/imei) PanOSMonitorTag MonitorTag monitortag/imei about.labels.key/value
Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id about.labels.key/value
Parent Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time about.labels.key/value
Tunnel Type (tunnel) PanOSTunnelType TunnelType tunnel about.labels.key/value
SCTP Association ID (assoc_id) PanOSSCTPAssocID assoc_id about.labels.key/value
SCTP Chunks (chunks) PanOSSCTPChunks chunks about.labels.key/value
SCTP Chunks Sent (chunks_sent) PanOSSCTPChunkSent chunks_sent about.labels.key/value
SCTP Chunks Received (chunks_received) PanOSSCTPChunksRcv chunks_received about.labels.key/value
Rule UUID (rule_uuid) PanOSRuleUUID security_result.rule_id
HTTP/2 Connection (http2_connection) PanOSHTTP2Con http2_connection about.labels.key/value
App Flap Count (link_change_count) PanLinkChange link_change_count about.labels.key/value
Policy ID (policy_id) PanPolicyID policy_id about.labels.key/value
Link Switches (link_switches) PanLinkDetail link_switches about.labels.key/value
SD-WAN Cluster (sdwan_cluster) PanSDWANCluster sdwan_cluster about.labels.key/value
SD-WAN Device Type (sdwan_device_type) PanSDWANDevice sdwan_device_type about.labels.key/value
SD-WAN Cluster Type (sdwan_cluster_type) PanSDWANClustype sdwan_cluster_type about.labels.key/value
SD-WAN Site (sdwan_site) PanSDWANSite sdwan_site about.labels.key/value
Dynamic User Group Name (dynusergroup_name) PanDynamicUsrgrp dynusergroup_name about.labels.key/value
XFF Address (xff_ip) PanXFFIP principal.ip
Source Device Category (src_category) PanSrcDeviceCat src_category principal.labels.key/value
Source Device Profile (src_profile) PanSrcDeviceProf src_profile principal.labels.key/value
Source Device Model (src_model) PanSrcDeviceModel src_model principal.labels.key/value
Source Device Vendor (src_vendor) PanSrcDeviceVendor src_vendor principal.labels.key/value
Source Device OS Family (src_osfamily) PanSrcDeviceOS principal.asset.platform_software.platform, principal.labels.key/value

Source Device OS Version (src_osversion) PanSrcDeviceOSv principal.asset.software.version
Source Hostname (src_host) PanSrcHostname principal.hostname
Source MAC Address (src_mac) PanSrcMac principal.mac
Destination Device Category (dst_category) PanDstDeviceCat dst_category target.labels.key/value
Destination Device Profile (dst_profile) PanDstDeviceProf dst_profile target.labels.key/value
Destination Device Model (dst_model) PanDstDeviceModel dst_model target.labels.key/value
Destination Device Vendor (dst_vendor) PanDstDeviceVendor dst_vendor target.labels.key/value
Destination Device OS Family (dst_osfamily) PanDstDeviceOS dst_osfamily target.labels.key/value
Destination Device OS Version (dst_osversion) PanDstDeviceOSv target.asset.software.version
Destination Hostname (dst_host) PanDstHostname target.hostname
Destination MAC Address (dst_mac) PanDstMac target.mac
Container ID (container_id) PanContainerName container_id about.labels.key/value
POD Namespace (pod_namespace) PanPODNamespace pod_namespace about.labels.key/value
POD Name (pod_name) PanPODName pod_name about.labels.key/value
Source External Dynamic List (src_edl) PanSrcEDL src_edl principal.labels.key/value
Destination External Dynamic List (dst_edl) PanDstEDL dst_edl target.labels.key/value
Host ID (hostid) PanGPHostID hostid about.labels.key/value
User Device Serial Number (serialnumber) PanEPSerial principal.asset.hardware.serial_number
Source Dynamic Address Group (src_dag) PanSrcDAG principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) PanDstDAG target.group.group_display_name
Session Owner (session_owner) PanHASessionOwner session_owner about.labels.key/value
High Resolution Timestamp (high_res_timestamp) PanTimeHighRes metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

A Slice Service Type (nsdsai_sst) PanASServiceType nsdsai_sst about.labels.key/value
A Slice Differentiator (nsdsai_sd) PanASServiceDiff nsdsai_sd about.labels.key/value
Application Subcategory (subcategory_of_app) subcategory_of_app about.labels.key/value
Application Category (category_of_app) category_of_app about.labels.key/value
Application Technology (technology_of_app) technology_of_app about.labels.key/value
Application Risk (risk_of_app) security_result.severity
Application Characteristic (characteristic_of_app) characteristic_of_app about.labels.key/value
Application Container (container_of_app) container_of_app about.labels.key/value
Application SaaS (is_saas_of_app) is_saas_of_app about.labels.key/value
Application Sanctioned State (sanctioned_state_of_app) sanctioned_state_of_app about.labels.key/value
Application Subcategory (subcategory_of_app) subcategory_of_app1 about.labels.key/value

User-ID

The following table lists the log fields of the user-id log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Source IP (ip) src src principal.ip
User (user) duser usrName target.user.userid, target.administrative_domain, target.user.email_addresses

Data Source Name (datasourcename) cs4 DataSourceName datasourcename principal.labels.key/value
Event ID (eventid) EventID eventid about.labels.key/value
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt about.labels.key/value
Time Out Threshold (timeout) cn3 TimeoutThreshold timeout about.labels.key/value
Source Port (beginport) spt srcPort principal.port
Destination Port (endport) dpt dstPort target.port
Data Source (datasource) cs5 DataSource datasource principal.labels.key/value
Data Source Type (datasourcetype) cs6 DataSourceType datasourcetype principal.labels.key/value
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
Virtual System ID (vsys_id) cn2 VirtualSystemID principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Factor Type (factortype) cs1 FactorType factortype about.labels.key/value
Factor Completion Time (factorcompletiontime) end FactorCompletionTime factorcompletiontime about.labels.key/value
Factor Number (factorno) cn1 FactorNumber factorno about.labels.key/value
User Group Flags (ugflags) PanOSUGFlags ugflags about.labels.key/value
User by Source (userbysource) PanOSUserBySource principal.user.userid, principal.administrative_domain, principal.user.email_addresses

High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

HIP match

The following table lists the log fields of the HIP match log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype
Generated Time (time_generated or cef-formatted-time_generated) start startTime metadata.event_timestamp
Source User (srcuser) suser usrName principal.user.userid
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Machine Name (machinename) shost identHostName principal.hostname
Operating System (os) cs2 OS principal.asset.platform_software.platform
Source Address (src) src identsrc principal.ip
HIP (matchname) cat HIP matchname about.labels.key/value
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt about.labels.key/value
HIP Type (matchtype) Device Event Class ID (Header) HIPType matchtype
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name) dvchost DeviceName intermediary.hostname
Virtual System ID (vsys_id) cn2 VirtualSystemID principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
IPv6 System Address (srcipv6) c6a2 srcipv6 principal.asset.ip
Host ID (hostid) PanOSHostID principal.asset.product_object_id
User Device Serial Number (serialnumber) PanOSEndpointSerialNumber principal.asset.hardware.serial_number
Device MAC Address (mac) PanOSEndpointMac principal.asset.mac
High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

IP tag

The following table lists the log fields of the IP tag log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) GenerateTime metadata.event_timestamp
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Source IP (ip) src src principal.ip
Tag Name (tag_name) PanOSTagName TagName tag_name principal.labels.key/value
Event ID (event_id) PanOSEventID EventID event_id about.labels.key/value
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt about.labels.key/value
Timeout (timeout) PanOSTimeout TimeoutThreshold timeout about.labels.key/value
Data Source Name (datasourcename) PanOSDataSourceName DataSourceName datasourcename principal.labels.key/value
Data Source Type (datasource_type) PanOSDataSourceType DataSource datasource_type principal.labels.key/value
Data Source Subtype (datasource_subtype) PanOSDataSourceSubType DataSourceType datasource_subtype principal.labels.key/value
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name) dvchost DeviceName intermediary.hostname
Virtual System ID (vsys_id) cn2 VirtualSystemID principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

Decryption

The following table lists the log fields of the decryption log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial) PanOSDeviceSN intermediary.asset.hardware.serial_number
Type (type) type (Header) metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) metadata.product_event_type
Config Version (config_ver) PanOSConfigVersion config_ver about.labels.key/value
Generate Time (time_generated) PanOSLogTimeStamp metadata.event_timestamp
Source Address (src) src principal.ip
Destination Address (dst) dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress target.nat_ip
Rule (rule) cs1 security_result.rule_name
Source User (srcuser) suser principal.user.userid
Destination User (dstuser) duser target.user.userid
Application (app) app target.application
Virtual System (vsys) cs3 vsys about.labels.key/value
Source Zone (from) cs4 from principal.labels.key/value
Destination Zone (to) cs5 to target.labels.key/value
Inbound Interface (inbound_if) deviceInboundInterface inbound_if principal.labels.key/value
Outbound Interface (outbound_if) deviceOutboundInterface outbound_if target.labels.key/value
Log Action (logset) cs6 logset about.labels.key/value
Time Logged (time_received) PanOSTimeReceivedManagementPlane -
Session ID (sessionid) cn1 network.session_id
Repeat Count (repeatcnt) PanOSCountOfRepeats repeatcnt about.labels.key/value
Source Port (sport) spt principal.port
Destination Port (dport) dpt target.port
NAT Source Port (natsport) sourceTranslatedPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort target.nat_port
Flags (flags) flexString1 flags about.labels.key/value
IP Protocol (proto) proto network.ip_protocol
Action (action) act security_result.action_details, security_result.action
Tunnel (tunnel) PanOSTunnel tunnel about.labels.key/value
Source VM UUID (src_uuid) PanOSSourceUUID principal.asset.asset_id
Destination VM UUID (dst_uuid) PanOSDestinationUUID target.asset.asset_id
UUID for rule (rule_uuid) PanOSRuleUUID security_result.rule_id
Stage for Client to Firewall (hs_stage_c2f) PanOSClientToFirewall hs_stage_c2f about.labels.key/value
Stage for Firewall to Server (hs_stage_f2s) PanOSFirewallToServer hs_stage_f2s about.labels.key/value
TLS Version (tls_version) PanOSTLSVersion network.tls.version
Key Exchange Algorithm (tls_keyxchg) PanOSTLSKeyExchange tls_keyxchg about.labels.key/value
Encryption Algorithm (tls_enc) PanOSTLSEncryptionAlgorithm tls_enc about.labels.key/value
Hash Algorithm (tls_auth) PanOSTLSAuth tls_auth about.labels.key/value
Policy Name (policy_name) PanOSPolicyName policy_name about.labels.key/value
Elliptic Curve (ec_curve) PanOSEllipticCurve network.tls.curve
Error Index (err_index) PanOSErrorIndex err_index about.labels.key/value
Root Status (root_status) PanOSRootStatus root_status about.labels.key/value
Chain Status (chain_status) PanOSChainStatus chain_status about.labels.key/value
Proxy Type (proxy_type) PanOSProxyType proxy_type about.labels.key/value
Certificate Serial Number (cert_serial) PanOSCertificateSerial network.tls.server.certificate.serial
Certificate Fingerprint (fingerprint) PanOSFingerprint network.tls.server.certificate.md5/sha1/sha256
Certificate Start Date (notbefore) PanOSTimeNotBefore network.tls.server.certificate.not_before
Certificate End Date (notafter) PanOSTimeNotAfter network.tls.server.certificate.not_after
Certificate Version (cert_ver) PanOSCertificateVersion network.tls.server.certificate.version
Certificate Size (cert_size) PanOSCertificateSize cert_size about.labels.key/value
Common Name Length (cn_len) PanOSCommonNameLength cn_len about.labels.key/value
Issuer Common Name Length (issuer_len) PanOSIssuerNameLength issuer_len about.labels.key/value
Root Common Name Length (rootcn_len) PanOSRootCNLength rootcn_len about.labels.key/value
SNI Length (sni_len) PanOSSNILength sni_len about.labels.key/value
Certificate Flags (cert_flags) PanOSCertificateFlags cert_flags about.labels.key/value
Subject Common Name (cn) PanOSCommonName cn about.labels.key/value
Issuer Common Name (issuer_cn) PanOSIssuerCommonName network.tls.server.certificate.issuer
Root Common Name (root_cn) PanOSRootCommonName root_cn about.labels.key/value
Server Name Indication (sni) network.tls.client.server_name
Error (error) PanOSErrorMessage error about.labels.key/value
Container ID (container_id) PanOSContainerID container_id about.labels.key/value
POD Namespace (pod_namespace) PanOSContainerNameSpace pod_namespace about.labels.key/value
POD Name (pod_name) PanOSContainerName pod_name about.labels.key/value
Source External Dynamic List (src_edl) PanOSSourceEDL src_edl principal.labels.key/value
Destination External Dynamic List (dst_edl) PanOSDestinationEDL dst_edl target.labels.key/value
Source Dynamic Address Group (src_dag) PanOSSourceDynamicAddressGroup principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) PanOSDestinationDynamicAddressGroup target.group.group_display_name
High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Source Device Category (src_category) PanOSSourceDeviceCategory src_category principal.labels.key/value
Source Device Profile (src_profile) PanOSSourceDeviceProfile src_profile principal.labels.key/value
Source Device Model (src_model) PanOSSourceDeviceModel src_model principal.labels.key/value
Source Device Vendor (src_vendor) PanOSSourceDeviceVendor src_vendor principal.labels.key/value
Source Device OS Family (src_osfamily) PanOSSourceDeviceOSFamily principal.asset.platform_software.platform, principal.labels.key/value
Source Device OS Version (src_osversion) PanOSSourceDeviceOSVersion principal.asset.software.version
Source Hostname (src_host) PanOSSourceDeviceHost principal.hostname
Source MAC Address (src_mac) PanOSSourceDeviceMac principal.mac
Destination Device Category (dst_category) PanOSDestinationDeviceCategory dst_category target.labels.key/value
Destination Device Profile (dst_profile) PanOSDestinationDeviceProfile dst_profile target.labels.key/value
Destination Device Model (dst_model) PanOSDestinationDeviceModel dst_model target.labels.key/value
Destination Device Vendor (dst_vendor) PanOSDestinationDeviceVendor dst_vendor target.labels.key/value
Destination Device OS Family (dst_osfamily) PanOSDestinationDeviceOSFamily dst_osfamily target.labels.key/value
Destination Device OS Version (dst_osversion) PanOSDestinationDeviceOSVersion target.asset.software.version
Destination Hostname (dst_host) PanOSDestinationDeviceHost target.hostname
Destination MAC Address (dst_mac) PanOSDestinationDeviceMac target.mac
Sequence Number (seqno) PanOSLogTypeSeqNo metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags actionflags about.labels.key/value
Device Group Hierarchy (dg_hier_level_1) DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name) intermediary.hostname
Virtual System ID (vsys_id) principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Application Subcategory (subcategory_of_app) subcategory_of_app about.labels.key/value
Application Category (category_of_app) category_of_app about.labels.key/value
Application Technology (technology_of_app) technology_of_app about.labels.key/value
Application Risk (risk_of_app) security_result.severity
Application Characteristic (characteristic_of_app) characteristic_of_app about.labels.key/value
Application Container (container_of_app) container_of_app about.labels.key/value
Application SaaS (is_saas_of_app) is_saas_of_app about.labels.key/value
Application Sanctioned State (sanctioned_state_of_app) sanctioned_state_of_app about.labels.key/value
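
The timestamp fallback repeated in these tables (Receive Time stands in for metadata.event_timestamp when Generate Time is absent) and the CEF key/value escaping are the two details most often mishandled when checking ingestion. The following is an added example, not Chronicle's PAN_FIREWALL parser or Palo Alto Networks code: it parses a constructed CEF decryption record and applies a subset of the decryption mappings above; the header slot order (subtype in Device Event Class ID, type in Name) and all sample values are assumptions.

```python
# Added example for this page, not Chronicle's PAN_FIREWALL parser: parse one
# PAN-OS decryption log in CEF and project part of the table above into UDM.
import re
from typing import Dict, List, Tuple

# Decryption-table rows that map straight to a UDM field (CEF key -> UDM field).
DECRYPTION_CEF_TO_UDM = {
    "src": "principal.ip",
    "dst": "target.ip",
    "sourceTranslatedAddress": "principal.nat_ip",
    "cs1": "security_result.rule_name",
    "suser": "principal.user.userid",
    "spt": "principal.port",
    "dpt": "target.port",
    "act": "security_result.action_details",
    "PanOSTLSVersion": "network.tls.version",
    "PanOSCertificateSerial": "network.tls.server.certificate.serial",
}
# Rows the table sends to about.labels.key/value (CEF key -> Chronicle label key).
DECRYPTION_LABEL_KEYS = {
    "cs3": "vsys",
    "cs6": "logset",
    "PanOSTLSKeyExchange": "tls_keyxchg",
    "PanOSProxyType": "proxy_type",
}

# An extension key is a run of key characters followed by "=", at the start of the
# extension or after whitespace; an escaped "\=" inside a value never matches
# because the backslash is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
_ESC_RE = re.compile(r"\\(.)")  # backslash plus the character it escapes

def _unescape(value: str) -> str:
    # CEF extension escaping: "\=" -> "=", "\\" -> "\", "\n" / "\r" -> line breaks.
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def split_cef(line: str) -> Tuple[List[str], str]:
    """Return the seven header fields and the raw extension string."""
    # Pipes inside header fields are escaped with a backslash, so the header is
    # scanned character by character instead of being split on "|".
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):  # escaped character: keep it literally
            buf.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) != 7:
        raise ValueError("not a CEF record: fewer than 7 header fields")
    return fields, line[i:]

def parse_extension(ext: str) -> Dict[str, str]:
    """Split "k1=v1 k2=value with spaces k3=v3" into a dict."""
    matches = list(_KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end])
    return fields

def decryption_to_udm(line: str) -> Dict[str, object]:
    """Project one CEF decryption record into flat UDM keys (dotted paths)."""
    header, ext = split_cef(line)
    fields = parse_extension(ext)
    udm: Dict[str, object] = {
        # Header slot 5 is the CEF "Name"; assumed to carry the PAN-OS type.
        "metadata.product_event_type": header[5],
        # Timestamp rule from the table: Receive Time always feeds
        # collected_timestamp and is event_timestamp only when Generate Time
        # (PanOSLogTimeStamp for this log type) is absent.
        "metadata.collected_timestamp": fields.get("rt"),
        "metadata.event_timestamp": fields.get("PanOSLogTimeStamp") or fields.get("rt"),
    }
    for cef_key, udm_field in DECRYPTION_CEF_TO_UDM.items():
        if cef_key in fields:
            udm[udm_field] = fields[cef_key]
    labels = [{"key": lk, "value": fields[k]}
              for k, lk in DECRYPTION_LABEL_KEYS.items() if k in fields]
    if labels:
        udm["about.labels"] = labels
    return udm

# Constructed sample record (not captured from a real firewall); the rule name
# carries an escaped "=" and the user name an escaped backslash.
SAMPLE_DECRYPTION_CEF = (
    r"CEF:0|Palo Alto Networks|PAN-OS|10.0.0|end|DECRYPTION|1|"
    r"rt=Mar 10 2023 14:05:33 GMT PanOSLogTimeStamp=2023/03/10 14:05:31 "
    r"src=10.1.2.3 dst=198.51.100.20 sourceTranslatedAddress=203.0.113.7 "
    r"spt=51234 dpt=443 cs1=Decrypt\=Outbound suser=corp\\jdoe cs3=vsys1 "
    r"PanOSTLSVersion=TLS1.2 PanOSTLSKeyExchange=ECDHE PanOSCertificateSerial=0ABC123 act=allow"
)
```

Dropping the PanOSLogTimeStamp pair from the sample reproduces the "Generate Time is absent" case, where event_timestamp falls back to the rt value.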

Tunnel

The following table lists the log fields of the tunnel log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Source Address (src) src src principal.ip
Destination Address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule Name (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser / usrName principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application network.application_protocol
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Source Zone (from) cs4 SourceZone from principal.labels.key/value
Destination Zone (to) cs5 DestinationZone to target.labels.key/value
Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if principal.labels.key/value
Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if target.labels.key/value
Log Action (logset) cs6 LogForwardingProfile logset about.labels.key/value
Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt about.labels.key/value
Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags about.labels.key/value
IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details, security_result.action
Severity (severity) security_result.severity and security_result.severity_details
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Source Location (srcloc) principal.location.country_or_region
Destination Location (dstloc) target.location.country_or_region
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name) dvchost DeviceName intermediary.hostname
Tunnel ID (tunnelid) PanOSTunnelID TunnelID tunnelid about.labels.key/value
Monitor Tag (monitortag) PanOSMonitorTag MonitorTag monitortag about.labels.key/value
Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id about.labels.key/value
Parent Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time about.labels.key/value
Tunnel Type (tunnel) cs2 TunnelType tunnel about.labels.key/value
Bytes (bytes) flexNumber1 totalBytes bytes about.labels.key/value
Bytes Sent (bytes_sent) in srcBytes network.received_bytes
Bytes Received (bytes_received) out dstBytes network.sent_bytes
Packets (packets) cn2 totalPackets packets about.labels.key/value
Packets Sent (pkts_sent) PanOSPacketsSent srcPackets pkts_sent about.labels.key/value
Packets Received (pkts_received) PanOSPacketsReceived dstPackets pkts_received about.labels.key/value
Maximum Encapsulation (max_encap) flexNumber2 MaximumEncapsulation max_encap about.labels.key/value
Unknown Protocol (unknown_proto) cfp1 UnknownProtocol unknown_proto about.labels.key/value
Strict Checking (strict_check) cfp2 StrictChecking strict_check about.labels.key/value
Tunnel Fragment (tunnel_fragment) PanOSTunnelFragment TunnelFragment tunnel_fragment about.labels.key/value
Sessions Created (sessions_created) cfp3 SessionsCreated sessions_created about.labels.key/value
Sessions Closed (sessions_closed) cfp4 SessionsClosed sessions_closed about.labels.key/value
Session End Reason (session_end_reason) reason SessionEndReason security_result.summary
Action Source (action_source) cat ActionSource action_source about.labels.key/value
Start Time (start) startTime start about.labels.key/value
Elapsed Time (elapsed) cn3 ElapsedTime elapsed about.labels.key/value
Tunnel Inspection Rule (tunnel_insp_rule) PanOSTunnelInspectionRule security_result.rule_name = "Tunnel Inspection Rule: %{PanOSTunnelInspectionRule}"
Remote User IP (remote_user_ip) PanOSRmtUserIP target.ip
Remote User ID (remote_user_id) PanOSRmtUserID remote_user_id target.labels.key/value
Security Rule UUID (rule_uuid) PanOSRuleUUID security_result.rule_id
PCAP ID (pcap_id) PanOSPcapID pcap_id about.labels.key/value
Dynamic User Group Name (dynusergroup_name) PanDynamicUsrgrp principal.group.group_display_name
Source External Dynamic List (src_edl) PanOSSourceEDL src_edl principal.labels.key/value
Destination External Dynamic List (dst_edl) PanOSDestinationEDL dst_edl target.labels.key/value
High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)

A Slice Differentiator (nssai_sd) nssai_sd about.labels.key/value
A Slice Service Type (nssai_sd) nssai_sd1 about.labels.key/value
PDU Session ID (pdu_session_id) pdu_session_id about.labels.key/value
Application Subcategory (subcategory_of_app) subcategory_of_app about.labels.key/value
Application Category (category_of_app) category_of_app about.labels.key/value
Application Technology (technology_of_app) technology_of_app about.labels.key/value
Application Risk (risk_of_app) risk_of_app about.labels.key/value
Application Characteristic (characteristic_of_app) characteristic_of_app about.labels.key/value
Application Container (container_of_app) container_of_app about.labels.key/value
Application SaaS (is_saas_of_app) is_saas_of_app about.labels.key/value
Application Sanctioned State (sanctioned_state_of_app) sanctioned_state_of_app about.labels.key/value

Authentication

The following table lists the log fields of the authentication log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time or cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial Number (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generated Time (time_generated or cef-formatted-time_generated) metadata.event_timestamp
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Source IP (ip) src src principal.ip
User (user) duser usrName target.user.userid
Normalize User (normalize_user) cs2 NormalizeUser target.user.user_display_name
Object (object) fname ObjectName object about.labels.key/value
Authentication Policy (authpolicy) cs4 AuthPolicy authpolicy about.labels.key/value
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt about.labels.key/value
Authentication ID (authid) cn2 AuthenticationID authid about.labels.key/value
Vendor (vendor) flexString2 Vendor vendor about.labels.key/value
Log Action (logset) cs6 LogForwardingProfile logset about.labels.key/value
Server Profile (serverprofile) cs1 ServerProfile serverprofile about.labels.key/value
Description (desc) PanOSDesc AdditionalAuthInfo security_result.description
Client Type (clienttype) cs5 ClientType clienttype about.labels.key/value
Event Type (event) msg msg extensions.auth.auth_details
Factor Number (factorno) cn1 FactorNumber factorno about.labels.key/value
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Device Group Hierarchy (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name) dvchost DeviceName intermediary.hostname
Virtual System ID (vsys_id) principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Authentication Protocol (authproto) authproto about.labels.key/value
UUID for rule (rule_uuid) PanOSRuleUUID security_result.rule_id
High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Source Device Category (src_category) PanOSSourceDeviceCategory src_category principal.labels.key/value
Source Device Profile (src_profile) PanOSSourceDeviceProfile src_profile principal.labels.key/value
Source Device Model (src_model) PanOSSourceDeviceModel src_model principal.labels.key/value
Source Device Vendor (src_vendor) PanOSSourceDeviceVendor src_vendor principal.labels.key/value
Source Device OS Family (src_osfamily) PanOSSourceDeviceOSFamily principal.asset.platform_software.platform, principal.labels.key/value
Source Device OS Version (src_osversion) PanOSSourceDeviceOSVersion principal.asset.software.version
Source Hostname (src_host) PanOSSourceHostname principal.hostname
Source MAC Address (src_mac) PanOSSourceMac principal.asset.mac
Region (region) PanOSTrafficOriginRegion principal.location.country_or_region
User Agent (user_agent) PanOSHTTPUserAgent network.http.user_agent
Session ID (sessionid) PanOSTrafficSessionID network.session_id

URL

The following table lists the log fields of the URL log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (cef-formatted-receive_time) rt devTime metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Serial # (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generate Time metadata.event_timestamp
Source address (src) src src principal.ip
Destination address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application network.application_protocol
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Source Zone (from) cs4 SourceZone from principal.labels.key/value
Destination Zone (to) cs5 DestinationZone to target.labels.key/value
Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if principal.labels.key/value
Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if target.labels.key/value
Log Action (logset) cs6 LogForwardingProfile logset about.labels.key/value
Time Logged time_logged about.labels.key/value
Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt about.labels.key/value
Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags about.labels.key/value
IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details, security_result.action
URL/Filename (misc) Miscellaneous target.file.full_path, target.url
Threat/Content Name (threatid) cat ThreatID security_result.threat_id
Category (category) cs2 URLCategory category about.labels.key/value
Severity (severity) number-of-severity (Header) Severity security_result.severity, security_result.severity_details
Direction (direction) flexString2 Direction network.direction
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Source Country (srcloc) SourceLocation principal.location.country_or_region
Destination Country (dstloc) DestinationLocation target.location.country_or_region
contenttype (contenttype) requestContext ContentType contenttype about.labels.key/value
pcap_id (pcap_id) fileId PCAP_ID pcap_id about.labels.key/value
filedigest (filedigest) FileDigest about.file.sha1/md5/sha256
cloud (cloud) Cloud cloud about.labels.key/value
url_idx (url_idx) URLIndex url_idx about.labels.key/value
user_agent (user_agent) requestClientApplication UserAgent network.http.user_agent
filetype (filetype) about.file.mime_type
xff (xff) PanOSXForwarderfor identSrc xff about.labels.key/value
referer (referer) PanOSReferer Referer network.http.referral_url
sender (sender) network.email.from
subject (subject) Subject network.email.subject
recipient (recipient) network.email.to
reportid (reportid) reportid about.labels.key/value
DG Hierarchy Level 1 (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
DG Hierarchy Level 2 (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
DG Hierarchy Level 3 (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
DG Hierarchy Level 4 (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name, principal.resource.resource_type=VIRTUAL_MACHINE
Device Name (device_name) dvchost DeviceName intermediary.hostname
file_url (file_url) about.url
Source VM UUID (src_uuid) SrcUUID principal.asset.asset_id
Destination VM UUID (dst_uuid) DstUUID target.asset.asset_id
http_method (http_method) requestMethod RequestMethod network.http.method
Tunnel ID/IMSI (tunnelid) PanOSTunnelID TunnelID tunnelid about.labels.key/value
Monitor Tag/IMEI (monitortag) PanOSMonitorTag MonitorTag monitortag about.labels.key/value
Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id about.labels.key/value
Parent Session Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time about.labels.key/value
Tunnel (tunnel) PanOSTunnelType TunnelType tunnel about.labels.key/value
thr_category (thr_category) PanOSThreatCategory ThreatCategory thr_category security_result.detection_fields.key/value
contentver (contentver) PanOSContentVer ContentVer contentver about.labels.key/value
sig_flags (sig_flags) sig_flags about.labels.key/value
SCTP Association ID (assoc_id) PanOSAssocID assoc_id about.labels.key/value
Payload Protocol ID (ppid) PanOSPPID ppid about.labels.key/value
http_headers (http_headers) PanOSHTTPHeader http_headers about.labels.key/value
URL Category List (url_category_list) PanOSURLCatList url_category_list about.labels.key/value
UUID for rule (rule_uuid) PanOSRuleUUID rule_uuid about.labels.key/value
HTTP/2 Connection (http2_connection) PanOSHTTP2Con http2_connection about.labels.key/value
dynusergroup_name (dynusergroup_name) PanDynamicUsrgrp dynusergroup_name about.labels.key/value
XFF address (xff_ip) PanXFFIP principal.ip
Source Device Category (src_category) PanSrcDeviceCat src_category principal.labels.key/value
Source Device Profile (src_profile) PanSrcDeviceProf src_profile principal.labels.key/value
Source Device Model (src_model) PanSrcDeviceModel src_model principal.labels.key/value
Source Device Vendor (src_vendor) PanSrcDeviceVendor src_vendor principal.labels.key/value
Source Device OS Family (src_osfamily) PanSrcDeviceOS principal.asset.platform_software.platform, principal.labels.key/value
Source Device OS Version (src_osversion) PanSrcDeviceOSv principal.asset.software.version
Source Hostname (src_host) PanSrcHostname src_host principal.labels.key/value
Source Mac Address (src_mac) PanSrcMac principal.mac
Destination Device Category (dst_category) PanDstDeviceCat dst_category target.labels.key/value
Destination Device Profile (dst_profile) PanDstDeviceProf dst_profile target.labels.key/value
Destination Device Model (dst_model) PanDstDeviceModel dst_model target.labels.key/value
Destination Device Vendor (dst_vendor) PanDstDeviceVendor dst_vendor target.labels.key/value
Destination Device OS Family (dst_osfamily) PanDstDeviceOS target.asset.platform_software.platform, target.labels.key/value
Destination Device OS Version (dst_osversion) PanDstDeviceOSv target.asset.software.version
Destination Hostname (dst_host) PanPODNamespace target.hostname
Destination Mac Address (dst_mac) PanDstMac target.mac
Container ID (container_id) PanContainerName container_id about.labels.key/value
POD Namespace (pod_namespace) PanPODNamespace pod_namespace about.labels.key/value
POD Name (pod_name) PanPODName pod_name about.labels.key/value
Source External Dynamic List (src_edl) PanSrcEDL src_edl principal.labels.key/value
Destination External Dynamic List (dst_edl) PanDstEDL dst_edl target.labels.key/value
Host ID (hostid) PanGPHostID hostid about.labels.key/value
Serial Number (serialnumber) PanEPSerial principal.asset.hardware.serial_number
domain_edl (domain_edl) PanDomainEDL domain_edl about.labels.key/value
Source Dynamic Address Group (src_dag) PanSrcDAG principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) PanDstDAG target.group.group_display_name
partial_hash (partial_hash) PanPartialHash partial_hash about.labels.key/value
High Res Timestamp (high_res_timestamp) PanTimeHighRes metadata.collected_timestamp, metadata.event_timestamp (if "Generate Time" is absent)
Reason (reason) PanReasonFilteringAction reason about.labels.key/value
justification (justification) PanJustification justification about.labels.key/value
nssai_sst (nssai_sst) PanASServiceType nssai_sst about.labels.key/value
Subcategory of app (subcategory_of_app) subcategory_of_app about.labels.key/value
Category of app (category_of_app) category_of_app about.labels.key/value
Technology of app (technology_of_app) technology_of_app about.labels.key/value
Risk of app (risk_of_app) risk_of_app about.labels.key/value
Characteristic of app (characteristic_of_app) characteristic_of_app about.labels.key/value
Container of app (container_of_app) container_of_app about.labels.key/value
Tunneled app (tunneled_app) tunneled_app about.labels.key/value
SaaS of app (is_saas_of_app) is_saas_of_app about.labels.key/value
Sanctioned State of app (sanctioned_state_of_app) sanctioned_state_of_app about.labels.key/value

Data

The following table lists the log fields of the data log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (cef-formatted-receive_time) rt devTime metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Serial # (serial) deviceExternalId SerialNumber intermediary.asset.hardware.serial_number
Type (type) type (Header) cat metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generate Time metadata.event_timestamp
Source address (src) src src principal.ip
Destination address (dst) dst dst target.ip
NAT Source IP (natsrc) sourceTranslatedAddress srcPostNAT principal.nat_ip
NAT Destination IP (natdst) destinationTranslatedAddress dstPostNAT target.nat_ip
Rule (rule) cs1 RuleName security_result.rule_name
Source User (srcuser) suser SourceUser principal.user.userid
Destination User (dstuser) duser DestinationUser target.user.userid
Application (app) app Application network.application_protocol
Virtual System (vsys) cs3 VirtualSystem vsys about.labels.key/value
Source Zone (from) cs4 SourceZone from principal.labels.key/value
Destination Zone (to) cs5 DestinationZone to target.labels.key/value
Inbound Interface (inbound_if) deviceInboundInterface IngressInterface inbound_if principal.labels.key/value
Outbound Interface (outbound_if) deviceOutboundInterface EgressInterface outbound_if target.labels.key/value
Log Action (logset) cs6 LogForwardingProfile logset about.labels.key/value
Time Logged time_logged about.labels.key/value
Session ID (sessionid) cn1 SessionID network.session_id
Repeat Count (repeatcnt) cnt RepeatCount repeatcnt about.labels.key/value
Source Port (sport) spt srcPort principal.port
Destination Port (dport) dpt dstPort target.port
NAT Source Port (natsport) sourceTranslatedPort srcPostNATPort principal.nat_port
NAT Destination Port (natdport) destinationTranslatedPort dstPostNATPort target.nat_port
Flags (flags) flexString1 Flags flags about.labels.key/value
IP Protocol (proto) proto proto network.ip_protocol
Action (action) act action security_result.action_details

security_result.action

URL/Filename (misc) Miscellaneous target.file.full_path

target.url

Threat/Content Name (threatid) cat ThreatID security_result.threat_id
Category (category) cs2 URLCategory category about.labels.key/value
Severity (severity) number-of-severity (Header) Severity security_result.severity

security_result.severity_details

Direction (direction) flexString2 Direction network.direction
Sequence Number (seqno) externalId sequence metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags ActionFlags actionflags about.labels.key/value
Source Country (srcloc) SourceLocation principal.location.country_or_region
Destination Country (dstloc) DestinationLocation target.location.country_or_region
contenttype (contenttype) ContentType contenttype about.labels.key/value
pcap_id (pcap_id) fileId PCAP_ID pcap_id about.labels.key/value
filedigest (filedigest) FileDigest about.file.sha1/md5/sha256
cloud (cloud) Cloud cloud about.labels.key/value
url_idx (url_idx) URLIndex url_idx about.labels.key/value
user_agent (user_agent) network.http.user_agent
filetype (filetype) about.file.mime_type
xff (xff) xff about.labels.key/value
referer (referer) network.http.referral_url
sender (sender) network.email.from
subject (subject) Subject network.email.subject
recipient (recipient) network.email.to
reportid (reportid) reportid about.labels.key/value
DG Hierarchy Level 1 (dg_hier_level_1) PanOSDGl1 DeviceGroupHierarchyL1 dg_hier_level_1 about.labels.key/value
DG Hierarchy Level 2 (dg_hier_level_2) PanOSDGl2 DeviceGroupHierarchyL2 dg_hier_level_2 about.labels.key/value
DG Hierarchy Level 3 (dg_hier_level_3) PanOSDGl3 DeviceGroupHierarchyL3 dg_hier_level_3 about.labels.key/value
DG Hierarchy Level 4 (dg_hier_level_4) PanOSDGl4 DeviceGroupHierarchyL4 dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) PanOSVsysName vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) dvchost DeviceName intermediary.hostname
file_url (file_url) about.url
Source VM UUID (src_uuid) SrcUUID principal.asset.asset_id
Destination VM UUID (dst_uuid) DstUUID target.asset.asset_id
http_method (http_method) RequestMethod network.http.method
Tunnel ID/IMSI (tunnelid) PanOSTunnelID TunnelID tunnelid about.labels.key/value
Monitor Tag/IMEI (monitortag) PanOSMonitorTag MonitorTag monitortag about.labels.key/value
Parent Session ID (parent_session_id) PanOSParentSessionID ParentSessionID parent_session_id about.labels.key/value
Parent Session Start Time (parent_start_time) PanOSParentStartTime ParentStartTime parent_start_time about.labels.key/value
Tunnel (tunnel) PanOSTunnelType TunnelType tunnel about.labels.key/value
thr_category (thr_category) PanOSThreatCategory ThreatCategory thr_category security_result.detection_fields.key/value
contentver (contentver) PanOSContentVer ContentVer contentver about.labels.key/value
sig_flags (sig_flags) sig_flags about.labels.key/value
SCTP Association ID (assoc_id) PanOSAssocID assoc_id about.labels.key/value
Payload Protocol ID (ppid) PanOSPPID ppid about.labels.key/value
http_headers (http_headers) PanOSHTTPHeader http_headers about.labels.key/value
URL Category List (url_category_list) url_category_list about.labels.key/value
UUID for rule (rule_uuid) PanOSRuleUUID rule_uuid about.labels.key/value
HTTP/2 Connection (http2_connection) http2_connection about.labels.key/value
dynusergroup_name (dynusergroup_name) dynusergroup_name principal.labels.key/value
XFF address (xff_ip) principal.ip
Source Device Category (src_category) src_category principal.labels.key/value
Source Device Profile (src_profile) src_profile principal.labels.key/value
Source Device Model (src_model) src_model principal.labels.key/value
Source Device Vendor (src_vendor) src_vendor principal.labels.key/value
Source Device OS Family (src_osfamily) principal.asset.platform_software.platform

principal.labels.key/value

Source Device OS Version (src_osversion) principal.asset.software.version
Source Hostname (src_host) src_host principal.labels.key/value
Source Mac Address (src_mac) principal.mac
Destination Device Category (dst_category) dst_category target.labels.key/value
Destination Device Profile (dst_profile) dst_profile target.labels.key/value
Destination Device Model (dst_model) dst_model target.labels.key/value
Destination Device Vendor (dst_vendor) dst_vendor target.labels.key/value
Destination Device OS Family (dst_osfamily) target.asset.platform_software.platform

target.labels.key/value

Destination Device OS Version (dst_osversion) target.asset.software.version
Destination Hostname (dst_host) target.hostname
Destination Mac Address (dst_mac) target.mac
Container ID (container_id) container_id about.labels.key/value
POD Namespace (pod_namespace) pod_namespace about.labels.key/value
POD Name (pod_name) pod_name about.labels.key/value
Source External Dynamic List (src_edl) src_edl principal.labels.key/value
Destination External Dynamic List (dst_edl) dst_edl target.labels.key/value
Host ID (hostid) hostid about.labels.key/value
Serial Number (serialnumber) principal.asset.hardware.serial_number
domain_edl (domain_edl) domain_edl about.labels.key/value
Source Dynamic Address Group (src_dag) principal.group.group_display_name
Destination Dynamic Address Group (dst_dag) target.group.group_display_name
partial_hash (partial_hash) partial_hash about.labels.key/value
High Res Timestamp (high_res_timestamp) metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Reason (reason) reason about.labels.key/value
justification (justification) justification about.labels.key/value
nssai_sst (nssai_sst) nssai_sst about.labels.key/value
Subcategory of app (subcategory_of_app) subcategory_of_app about.labels.key/value
Category of app (category_of_app) category_of_app about.labels.key/value
Technology of app (technology_of_app) technology_of_app about.labels.key/value
Risk of app (risk_of_app) risk_of_app about.labels.key/value
Characteristic of app (characteristic_of_app) characteristic_of_app about.labels.key/value
Container of app (container_of_app) container_of_app about.labels.key/value
Tunneled app (tunneled_app) tunneled_app about.labels.key/value
SaaS of app (is_saas_of_app) is_saas_of_app about.labels.key/value
Sanctioned State of app (sanctioned_state_of_app) sanctioned_state_of_app about.labels.key/value

GlobalProtect

The following table lists the log fields of the GlobalProtect log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Receive Time (receive_time) rt received_time metadata.event_timestamp
Serial # (serial) PanOSDeviceSN intermediary_asset_hardware_serial_number intermediary.asset.hardware.serial_number
Type (type) type (Header) metadata.product_event_type
Threat/Content Type (subtype) subtype (Header) Subtype metadata.product_event_type
Generate Time (time_generated) PanOSLogTimeStamp generated_timestamp metadata.event_timestamp
Virtual System (vsys) PanOSVirtualSystem vsys about.labels.key/value
Event ID (eventid) PanOSEventID event_id about.labels.key/value
Stage (stage) PanOSStage stage about.labels.key/value
Authentication Method (auth_method) PanOSAuthMethod extension_auth_auth_details extensions.auth.auth_details
Tunnel Type (tunnel_type) PanOSTunnelType tunnel about.labels.key/value
Source User (srcuser) PanOSSourceUserName src_user principal.user.email_address

principal.user.userid

principal.administrative_domain

Source Region (srcregion) PanOSSourceRegion src_region principal.location.country_or_region
Machine Name (machinename) PanOSEndpointDeviceName machine_name principal.hostname
Public IP (public_ip) PanOSPublicIPv4 principal.nat_ip
Public IPv6 (public_ipv6) PanOSPublicIPv6 principal.nat_ip
Private IP (private_ip) PanOSPrivateIPv4 principal.ip
Private IPv6 (private_ipv6) PanOSPrivateIPv6 principal.ip
Host ID (hostid) PanOSHostID hostid principal.asset.asset_id
Serial Number (serialnumber) PanOSDeviceSN principal.asset.hardware.serial_number
Client Version (client_ver) PanOSGlobalProtectClientVersion client_ver about.labels.key/value
Client OS (client_os) PanOSEndpointOSType principal.asset.platform_software.platform(enum)
Client OS Version (client_os_ver) PanOSEndpointOSVersion principal.asset.platform_software.platform_version
Repeat Count (repeatcnt) PanOSCountOfRepeats repeatcnt about.labels.key/value
Reason (reason) PanOSQuarantineReason security_result.summary
Error (error) PanOSConnectionError error security_result.description
Description (opaque) PanOSDescription security_result.description
Status (status) PanOSEventStatus status about.labels.key/value
Location (location) PanOSGPGatewayLocation target.location.country_or_region
Login Duration (login_duration) PanOSLoginDuration network.session_duration
Connect Method (connect_method) PanOSConnectionMethod connect_method about.labels.key/value
Error Code (error_code) PanOSConnectionErrorID error_code about.labels.key/value
Portal (portal) PanOSPortal portal about.labels.key/value
Sequence Number (seqno) PanOSSequenceNo metadata.product_log_id
Action Flags (actionflags) PanOSActionFlags actionflags about.labels.key/value
High Resolution Timestamp (high_res_timestamp) PanOSTimeGeneratedHighResolution metadata.collected_timestamp,

metadata.event_timestamp (if "Generate Time" is absent)

Gateway Selection Method (selection_type) PanOSGatewaySelectionType selection_type about.labels.key/value
SSL Response Time (response_time) PanOSSSLResponseTime response_time about.labels.key/value
Gateway Priority (priority) PanOSGatewayPriority priority about.labels.key/value
Attempted Gateways (attempted_gateways) PanOSAttemptedGateways attempted_gateways about.labels.key/value
Gateway Name (gateway) PanOSAttemptedGateways gateway about.labels.key/value
Device Group Hierarchy (dg_hier_level_1) dg_hier_level_1 about.labels.key/value
Device Group Hierarchy (dg_hier_level_2) dg_hier_level_2 about.labels.key/value
Device Group Hierarchy (dg_hier_level_3) dg_hier_level_3 about.labels.key/value
Device Group Hierarchy (dg_hier_level_4) dg_hier_level_4 about.labels.key/value
Virtual System Name (vsys_name) principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) target.hostname
Virtual System ID (vsys_id) principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id

Correlation

The following table lists the log fields of the Correlation log type and their corresponding UDM fields.

CSV field CEF field LEEF field Chronicle label key UDM field
Generated Time (time_generated or cef-formatted-time_generated) startTime generated_timestamp metadata.event_timestamp
Source Address (src) src principal.ip
Source User (srcuser) SourceUser / usrName principal.user.userid
Virtual System (vsys) VirtualSystem vsys about.labels.key/value
Category (category) security_result.category_details
Severity (severity) Severity security_result.severity and security_result.severity_details
Device Group Hierarchy Level 1 DeviceGroupHierarchyL1 about.labels.key/value
Device Group Hierarchy Level 2 DeviceGroupHierarchyL2 about.labels.key/value
Device Group Hierarchy Level 3 DeviceGroupHierarchyL3 about.labels.key/value
Device Group Hierarchy Level 4 DeviceGroupHierarchyL4 about.labels.key/value
Virtual System Name (vsys_name) vSrcName principal.resource.name

principal.resource.resource_type=VIRTUAL_MACHINE

Device Name (device_name) DeviceName intermediary.hostname
Virtual System ID (vsys_id) VirtualSystemID principal.resource.resource_type=VIRTUAL_MACHINE and principal.resource.product_object_id
Object Name (objectname) ObjectName target.resource.name
Object ID (object_id) ObjectID target.resource.product_object_id

Field mapping reference: Log types to UDM event type

The following table lists the Palo Alto Networks firewall log types and their corresponding UDM event types.

Log type UDM event type
Traffic NETWORK_CONNECTION
Threat NETWORK_CONNECTION
URL Filtering NETWORK_CONNECTION
WildFire NETWORK_CONNECTION

WildFire submissions logs are a subtype of Threat log type and use the same syslog format.

Data Filtering NETWORK_CONNECTION
Tunnel NETWORK_CONNECTION
Config SETTING_MODIFICATION/SETTING_CREATION/SETTING_DELETION/SETTING_UNCATEGORIZED

The value of the "Command (cmd)" field determines the UDM event type mapping. If the cmd field value is add or clone, SETTING_CREATION is set.

If the cmd field value is delete, SETTING_DELETION is set.

If the cmd field value is edit, move, rename, set, or commit, SETTING_MODIFICATION is set.

If the cmd field value does not contain any values, then SETTING_UNCATEGORIZED is set.

System NETWORK_DHCP/GENERIC_EVENT

If the value of subtype is dhcp, then NETWORK_DHCP is set. For all other values, GENERIC_EVENT is set.

HIP Match NETWORK_CONNECTION
IP Tag GENERIC_EVENT
User-ID USER_LOGIN/USER_LOGOUT/USER_UNCATEGORIZED

If subtype value is "login", then USER_LOGIN is set.

If subtype value is "logout", then USER_LOGOUT is set.

If subtype does not contain any value, then USER_UNCATEGORIZED is set.

Decryption NETWORK_CONNECTION
Authentication GENERIC_EVENT
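The event-type rules above, carried out as an added Python example (not Chronicle parser code or Palo Alto Networks code). It applies the fixed log-type mappings plus the Config "cmd", System "subtype" and User-ID "subtype" rules to a few constructed records; the log-type keys are the names as written in the table, folded case-insensitively, and treating an unlisted Config cmd value like an empty one is an assumption.

```python
"""Map Palo Alto Networks firewall log types to Chronicle UDM event types.

Added example, not Chronicle's or Palo Alto Networks' code. Implements the
"Log types to UDM event type" table: fixed mappings, the Config "cmd" rule,
the System "subtype" rule and the User-ID "subtype" rule.
"""

# Log types whose events always normalize to one UDM event type.
FIXED_EVENT_TYPES = {
    "TRAFFIC": "NETWORK_CONNECTION",
    "THREAT": "NETWORK_CONNECTION",
    "URLFILTERING": "NETWORK_CONNECTION",
    "WILDFIRE": "NETWORK_CONNECTION",  # Threat subtype, same syslog format
    "DATAFILTERING": "NETWORK_CONNECTION",
    "TUNNEL": "NETWORK_CONNECTION",
    "HIPMATCH": "NETWORK_CONNECTION",
    "IPTAG": "GENERIC_EVENT",
    "DECRYPTION": "NETWORK_CONNECTION",
    "AUTHENTICATION": "GENERIC_EVENT",
}

# Config logs: the "Command (cmd)" field decides the event type.
CONFIG_CMD_EVENT_TYPES = {
    "add": "SETTING_CREATION",
    "clone": "SETTING_CREATION",
    "delete": "SETTING_DELETION",
    "edit": "SETTING_MODIFICATION",
    "move": "SETTING_MODIFICATION",
    "rename": "SETTING_MODIFICATION",
    "set": "SETTING_MODIFICATION",
    "commit": "SETTING_MODIFICATION",
}

# User-ID logs: the subtype decides the event type.
USERID_SUBTYPE_EVENT_TYPES = {"login": "USER_LOGIN", "logout": "USER_LOGOUT"}


def _normalize(name):
    """Fold 'HIP Match', 'hip-match' and 'HIPMATCH' onto one key (assumption)."""
    return "".join(ch for ch in name.upper() if ch.isalnum())


def udm_event_type(log_type, subtype="", cmd=""):
    """Return the UDM event type for one log record, per the table."""
    key = _normalize(log_type)
    if key == "CONFIG":
        # Empty cmd -> SETTING_UNCATEGORIZED; an unlisted cmd is treated the
        # same way (assumption: the table only specifies the empty case).
        return CONFIG_CMD_EVENT_TYPES.get(cmd.strip().lower(), "SETTING_UNCATEGORIZED")
    if key == "SYSTEM":
        return "NETWORK_DHCP" if subtype.strip().lower() == "dhcp" else "GENERIC_EVENT"
    if key == "USERID":
        return USERID_SUBTYPE_EVENT_TYPES.get(subtype.strip().lower(), "USER_UNCATEGORIZED")
    if key in FIXED_EVENT_TYPES:
        return FIXED_EVENT_TYPES[key]
    raise ValueError(f"log type not covered by the PAN_FIREWALL table: {log_type!r}")


# Constructed records holding only the three fields the rules read.
SAMPLE_RECORDS = [
    {"type": "TRAFFIC", "subtype": "end", "cmd": ""},
    {"type": "CONFIG", "subtype": "0", "cmd": "clone"},
    {"type": "CONFIG", "subtype": "0", "cmd": "commit"},
    {"type": "CONFIG", "subtype": "0", "cmd": ""},
    {"type": "SYSTEM", "subtype": "dhcp", "cmd": ""},
    {"type": "SYSTEM", "subtype": "general", "cmd": ""},
    {"type": "USERID", "subtype": "logout", "cmd": ""},
    {"type": "HIP Match", "subtype": "", "cmd": ""},
]


def classify(records):
    """Return copies of the records with the derived event_type attached."""
    return [dict(r, event_type=udm_event_type(r["type"], r.get("subtype", ""), r.get("cmd", "")))
            for r in records]


if __name__ == "__main__":
    for r in classify(SAMPLE_RECORDS):
        print(f'{r["type"]:<10} subtype={r["subtype"]!r:<10} cmd={r["cmd"]!r:<9} -> {r["event_type"]}')
```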

Changes in field mappings between the default parser and Gold parser

The following table lists the field mapping changes between the PAN firewall default parser and the enhanced PAN firewall Gold parser:

Log types Log fields UDM mapping in default parser UDM mapping in Gold parser
All log types (LEEF) Session End Reason security_result.detection_fields.key/value security_result.summary
All log types (LEEF) Bytes security_result.detection_fields.key/value about.labels.key/value
All log types (LEEF/CSV) Source Zone security_result.detection_fields.key/value principal.labels.key/value
All log types (LEEF/CSV) Destination Zone security_result.detection_fields.key/value target.labels.key/value
All log types (LEEF) intermediary (observer_hostname) intermediary.hostname observer.hostname
All log types (LEEF) action If "action" is "BLOCK", "event.idm.is_alert" is set to "true".

If "action" is "sinkhole" and format is "LEEF", "security_result.action" is set to "ALLOW_WITH_MODIFICATION".

If "action" is "sinkhole" and format is "CSV", "security_result.action" is set to "BLOCK".

If "action" is "BLOCK", "event.idm.is_alert" isn't set to "true".

If "action" is "sinkhole", "security_result.action" is set to "BLOCK".

TRAFFIC Serial metadata.product_log_id intermediary.asset.hardware.serial_number
TRAFFIC NAT Source IP src.ip, principal.nat_ip principal.nat_ip
TRAFFIC NAT Destination IP If "natDstAddress" is not equal to "dstAddress", NAT Destination IP is mapped to "target.nat_ip" and "target.ip" target.nat_ip
TRAFFIC Destination Zone security_result.detection_fields.key/value target.labels.key/value
TRAFFIC Bytes Sent network.sent_bytes network.received_bytes
TRAFFIC Bytes Received network.received_bytes network.sent_bytes
TRAFFIC Elapsed Time network.session_duration.seconds about.labels.key/value
TRAFFIC Category security_result.description security_result.category_details
TRAFFIC Application CSV is set to security_result.about.application

LEEF is set to principal.application

target.application
THREAT Tunnel Type security_result.category_details about.labels.key/value
THREAT Threat/Content Name security_result.summary security_result.threat_name
THREAT NAT Source IP principal.nat_ip

src.ip

principal.nat_ip
THREAT X-Forwarded-For if index == 0, principal.ip

if index > 0, intermediary.ip

principal.ip
THREAT URL/Filename target.file.full_path

target.hostname

target.url

target.file.full_path

target.url

THREAT Application [all subtype except "file", "url"] security_result.about.application target.application
THREAT Application [subtype "file", "url"] security_result.about.application network.application_protocol
THREAT Category security_result.description security_result.category_details
THREAT Threat Category security_result.category_details security_result.detection_fields
THREAT HTTP Headers If "httpHeaders" contains "travel" or "computer-and-internet-info", it is mapped to "security_result.category_details", else it is not mapped. about.labels.key/value
THREAT Cloud target.file.sha256 about.labels.key/value
THREAT Serial Number metadata.product_log_id intermediary.asset.hardware.serial_number
THREAT Severity

If Severity is "critical" or subtype is "wildfire-virus", "wildfire", "virus", "vulnerability", "scan", or "spyware", "security_result.severity" is set to "HIGH".

If severity is "low", "security_result.severity" is set to "LOW".

If severity is "medium", "security_result.severity" is set to "MEDIUM"

If severity is "informational", "security_result.severity" is set to "INFORMATIONAL"

If severity is "high", "security_result.severity" is set to "HIGH"

If severity is "error", "security_result.severity" is set to "ERROR"

If severity is "critical", "security_result.severity" is set to "CRITICAL"

security_result.severity_details
THREAT (LEEF) URL/Filename [subtype "virus", "wildfire-virus", "wildfire", "file"] security_result.description target.file.full_path
THREAT (LEEF) URL/Filename [subtype "url"] security_result.description target.url
THREAT (LEEF) Threat Category security_result.category_details security_result.detection_fields.key/value
THREAT (LEEF) URL/Filename [subtype all] "urlHostname" and "urlPath" are extracted from Miscellaneous and "urlHostname" is mapped with "target.hostname" Not mapped
THREAT (LEEF) Application network.application_protocol

If Application is DNS, then

network.dns.opcode is set to 0

metadata.event_type is set to "NETWORK_DNS"

dnsQuestion.name is set to "%{urlHostname}"

dnsQuestion.name is set to "%{dst}"

If subtype is "file" or "url", Application is mapped to network.application_protocol.
SYSTEM platform_version [subtype globalprotect] principal.platform_version principal.asset.software.platform_version
SYSTEM Description [subtype dhcp] Extracted mac using grok

principal.mac is set to "%{mac}"

Extracted "dhcp_client_hostname" and mapped to network.dhcp.client_hostname and principal.hostname

Extracted mac using grok

network.dhcp.chaddr is set to "%{mac}"

Extracted "dhcp_client_hostname" and mapped to network.dhcp.client_hostname

SYSTEM Device Name [subtype dhcp] network.dhcp.sname and intermediary.hostname intermediary.hostname
SYSTEM Event ID, Description [subtype "url-filtering", "userid", "monitoring", "syslog", "general", "vpn", "satd", "panorama-check"] metadata.description is set to "%{Event ID}" -- "%{Description}" metadata.description is set to "%{Description}"
SYSTEM action security_result.action is set to ALLOW, BLOCK, or UNKNOWN_ACTION:

if type is SYSTEM and subType is auth/globalprotect

action is set to ALLOW

if the Message matches "Login Failed"

action is set to BLOCK

If type is SYSTEM and subType is auth/globalprotect and message contains "Login Failed", security_result.action is set to "BLOCK".
SYSTEM deviceName [subtype globalprotect] If "Event ID" includes "globalprotectgateway-config" and deviceName is not empty then, event_type is set to RESOURCE_CREATION, deviceName is mapped to target.resource.resource_name, and target.resource.resource_type is set to ACCESS_POLICY. target.resource.name

target.resource.resource_type is not set

USERID (CSV format) User principal.user.userid

principal.administrative_domain

target.user.email_addresses

target.user.userid

target.administrative_domain

target.user.email_addresses

USERID Device Name target.hostname intermediary.hostname
USERID security_result.action IF USER_LOGIN, security_result.action is set to ALLOW

else if USER_LOGOUT, security_result.action is set to UNKNOWN_ACTION

Not Mapped.
USERID User by Source target.user.userid

target.user.email_addresses

principal.user.userid

principal.administrative_domain

principal.user.email_addresses

USERID (LEEF format) User about.user.userid target.user.userid
HIPMATCH Host ID principal.mac principal.asset.product_object_id
HIPMATCH IPv6 System Address src.ip

principal.nat_ip

principal.asset.ip
HIPMATCH Machine Name target.resource.name

resource.resource_type is set to "DEVICE"

principal.hostname
HIPMATCH Operating System principal.platform principal.asset.platform_software.platform(enum)
HIPMATCH Device Name target.hostname intermediary.hostname
HIPMATCH UDM EVENT TYPE SCAN_HOST GENERIC_EVENT
HIPMATCH (LEEF) Source User about.user.userid principal.user.userid

Revision History

The following section lists the changes to the PAN_FIREWALL parser.

Date Description
May 2022 Added GlobalProtect and Correlation log types.
Feb 2022 Updates to field mapping.

What's next