The tag levels below are only used with

This is used to indicate the parser version. Depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so this tag level is needed to tell Devo which parser version applies. The possible values are:

The tag level below is only used with

These tables also accept events in LEEF format instead of the default CSV format. To indicate this, all logs must carry an additional tag level (leef). Threat logs can also be sent in JSON format, using the tag level JSON at the end. The CSV format tags are:
For more information, read more about Devo tags.
How is the data sent to Devo?
Since there is no functionality to apply the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and then forwarded securely to the Devo Cloud.
These are the fields displayed in these tables:
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
timestamp | | |
recvdate | | |
serial | | |
subType | | |
vsys | | |
eventId | | |
object | | |
future_use_4 | | |
future_use_5 | | |
module | | |
severity | | |
description | | opaque |
client_ip | | |
client_port | | |
user_name | | |
seqno | | |
actionflags | | |
dev_group_hierarchy_1 | | |
dev_group_hierarchy_2 | | |
dev_group_hierarchy_3 | | |
dev_group_hierarchy_4 | | |
virtual_sys_name | | |
log_source_name | | |
device_name | | |
reason | | |
protocol | | |
high_res_timestamp | | high_res_timestamp_fmt high_res_timestamp_tmp |
auth_username | | |
auth_srcIp | | |
auth_status | | |
lease_ip_address | | |
lease_hardware_address | | |
src_host | | |
interface | | |
lease_time_of | | |
server_ip | | |
server_mask | | |
gateway | | |
dns1 | | |
dns2 | | |
dns_sufix | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | | ✓

firewall.paloalto.threat
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
timestamp | | createdate |
recvdate | | |
serial | | |
subType | | |
vendor | | |
product | | |
version | | |
event_id | | |
delimiter | | |
srcIp | | |
dstIp | | |
srcNatIp | | srcXIp |
dstNatIp | | dstXIp |
srcIp_str | | |
rule | | |
srcUser | | |
dstUser | | |
app | | |
virtSys | | |
srcZone | | |
dstZone | | |
srcIface | | |
dstIface | | |
logForwardingProfile | | |
logAction | | |
session | | |
repCnt | | |
srcPort | | |
dstPort | | |
srcNatPort | | srcXPort |
dstNatPort | | dstXPort |
flags | | |
proto | | |
action | | |
url_filename | | misc |
threatid | | |
category | | |
severity | | |
sevNum | | |
direction | | |
seqno | | |
actionflags | | |
srcloc | | |
dstloc | | |
cpadding | | |
contenttype | | |
pcap_id | | |
src_category | | |
dst_category | | |
threatname | | |
pcapId | | pcadId |
fileDigest | | |
cloud | | |
urlIdx | | |
userAgent | | |
fileType | | |
xff | | |
referer | | |
sender | | |
subject | | |
recipient | | |
reportid | | |
dgHierLevel1 | | |
dgHierLevel2 | | |
dgHierLevel3 | | |
dgHierLevel4 | | |
vsysName | | |
deviceName | | |
srcVMuuid | | |
dstVMuuid | | |
httpMethod | | |
tunnelIDimsi | | |
monitorTagIMEI | | |
parentSessID | | |
parentStartTime | | |
tunnel | | |
thrCategory | | |
contentver | | |
sctpAssociationID | | |
payloadProtocolID | | |
httpHeaders | | |
url | | |
urlCategory | | |
urlCategoryList | | |
uuidForRule | | |
http2Connection | | |
dynusergroup_name | | |
xff_ip | | |
src_profile | | |
src_model | | |
src_vendor | | |
src_osfamily | | |
src_osversion | | |
src_host | | |
src_mac | | |
dst_profile | | |
dst_model | | |
dst_vendor | | |
dst_osfamily | | |
dst_osversion | | |
dst_host | | |
dst_mac | | |
container_id | | |
pod_namespace | | |
src_edl | | |
dst_edl | | |
hostid | | |
serialnumber | | |
domain_edl | | |
src_dag | | |
dst_dag | | |
partial_hash | | |
high_res_timestamp | | |
nsdsai_sst | | |
log_type | | tag |
xff_address | | | ✓
source_external_dynamic_list | | | ✓
destination_external_dynamic_list | | | ✓
source_dynamic_address_group | | |
destination_dynamic_address_group | | |
justification | | |
slice_service_type | | |
application_subcategory | | |
application_category | | |
application_technology | | |
application_risk | | |
application_characteristic | | |
application_container | | |
tunneled_application | | |
application_saas | | |
application_sanctioned_state | | |
cloud_report_id | | |
cluster_name | | |
flow_type | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | | ✓

firewall.paloalto.traffic
Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | | | |
timestamp | | | createdate |
recvdate | | | |
serial | | | |
subType | | | |
srcIp | | | |
dstIp | | | |
srcNatIp | | | srcXIp |
dstNatIp | | | dstXIp |
srcIp_str | | | |
dstIp_str | | | |
rule | | | |
srcUser | | | |
dstUser | | | |
app | | | |
virtSys | | | |
srcZone | | | |
dstZone | | | |
srcIface | str | | |
dstIface | str | | |
logAction | str | | |
session | str | | |
repCnt | int4 | | |
srcPort | int4 | | |
dstPort | int4 | | |
srcNatPort | int4 | | srcXPort |
dstNatPort | int4 | | dstXPort |
flags | str | | |
proto | str | | |
action | str | | |
bytes | int8 | | |
sentBytes | int8 | | |
recvBytes | int8 | | |
pkts | int4 | | |
startdate | timestamp | | |
elapsedTime | int8 | | |
category | str | | |
padding | int4 | | |
seqno | int8 | | |
actionFlags | str | | |
srcCountry | str | | |
dstCountry | str | | |
cpadding | int4 | | |
sentPkts | int4 | | |
recvPkts | int4 | | |
session_end_reason | str | | |
dg_hier_level_1 | int4 | | |
dg_hier_level_2 | int4 | | |
dg_hier_level_3 | int4 | | |
dg_hier_level_4 | int4 | | |
vsys_name | str | | |
device_name | str | | |
action_source | str | | |
srcVMuuid | str | | |
dstVMuuid | str | | |
tunnelIDimsi | str | | |
monitorTagIMEI | str | | |
parentSessID | int4 | | |
parentStartTime | timestamp | | |
tunnel | str | | |
sctpAssociationID | int4 | | |
sctpChunks | int8 | | |
sctpChunksSent | int8 | | |
sctpChunksReceived | int8 | | |
uuidForRule | str | | |
http2Connection | str | | |
link_change_count | str | | |
policy_id | str | | |
link_switches | str | | |
sdwan_cluster | str | | |
sdwan_device_type | str | | |
sdwan_cluster_type | str | | |
sdwan_site | str | | |
dynusergroup_name | str | | |
xff_ip | str | | |
src_category | str | | |
src_profile | str | | |
src_model | str | | |
src_vendor | str | | |
src_osfamily | str | | |
src_osversion | str | | |
src_host | str | | |
src_mac | str | | |
dst_category | str | | |
dst_profile | str | | |
dst_model | str | | |
dst_vendor | str | | |
dst_osfamily | str | | |
dst_osversion | str | | |
dst_host | str | | |
dst_mac | str | | |
container_id | str | | |
pod_namespace | str | | |
pod_name | str | | |
src_edl | str | | |
dst_edl | str | | |
hostid | str | | |
serialnumber | str | | |
src_dag | str | | |
dst_dag | str | | |
session_owner | str | | |
high_res_timestamp | timestamp | | high_res_timestamp_fmt high_res_timestamp_tmp |
nsdsai_sst | str | | |
nsdsai_sd | str | | |
app_category | str | | |
app_subcategory | str | | |
app_technology | str | | |
app_risk | int4 | | |
app_characteristic | | | |
app_container | | | |
app_tunneled | | | |
app_saas | | | |
app_sanctioned_state | | | |
offloaded | | | |
flow_type | | | |
cluster_name | | | |
devTimeFormat | str | | |
hostchain | | | | ✓
tag | | | | ✓
rawMessage | | | | ✓