Page Comparison

Table of Contents

minLevel	1
maxLevel	2
type	flat

Introduction

This union table collects information from a set of tables that contain events from Palo Alto Network's firewalls.

Source tables

The information displayed is extracted from the following tables:

Expand

title	Check source tables

firewall.paloalto.auth
firewall.paloalto.config
firewall.paloalto.correlation
firewall.paloalto.decryption
firewall.paloalto.globalprotect
firewall.paloalto.hipmatch
firewall.paloalto.iptag
firewall.paloalto.system
firewall.paloalto.threat
firewall.paloalto.traffic
firewall.paloalto.url
firewall.paloalto.userid

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Note

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field	Data type	Extra fields
eventdate	`timestamp`	-
timestamp	`timestamp`	-
recvdate	`timestamp`-
machine	`str`-
logType	`str`-
subType	`str`	-
serial	`str`	-
srcIp	`ip4`	-
dstIp	`ip4`-
srcNatIp	`ip4`-
dstNatIp	`ip4`-
rule	`str`	-
srcUser	`str`	-
dstUser	`str`-
app	`str`-
virtSys	`str`-
srcZone	`str`	-
dstZone	`str`	-
srcIface	`str`	-
dstIface	`str`-
logAction	`str`-
session	`str`-
repCnt	`int4`	-
srcPort	`int4`	-
dstPort	`int4`-
srcNatPort	`int4`-

Field	Data type	Extra fields
dstNatPort	`int4`-
flags	`str`	-
proto	`str`	-
action	`str`	-
category	`str`-
seqno	`int8`-
actionFlags	`str`-
deviceName	`str`	-
bytes	`int8`	-
sentBytes	`int8`	-
recvBytes	`int8`	-
pkts	`int4`-
srcCountry	`str`	-
dstCountry	`str`	-
session_end_reason	`str`	-
url_filename	`str`-
threatid	`str`-
severity	`str`-
direction	`str`	-
host	`str`	-
result	`str`-
path	`str`-
rawMessage	`str`-
hostchain	`str`	✓
tag	`str`	✓

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.

Rw ui tabs macro

Rw tab

title	Tables 1-56

[firewall.paloalto.auth][firewall.paloalto.config][firewall.paloalto.correlation] [firewall.paloalto.decryption][firewall.paloalto.globalprotect][firewall.paloalto.hipmatch]

firewall.paloalto.auth
Anchor
firewall.paloalto.auth
firewall.paloalto.auth

Field in union table

Field in source table

Field transformation

Data Type

Extra Fieldfields

eventdate

timestamp

-

timestamp

create_date

timestamp-

recvdate

recv_date

timestamp-

machine

str-

logType

log_type

str

-

subType

sub_type

str

-

serial

str

-

srcIp

src_ip

ip4-

dstIp

-

Code Block
ip4(null(''))

ip4-

srcNatIp

ip4-

dstNatIp

ip4

-

rule

-

Code Block
null('')

str

-

srcUser

src_user

str-

dstUser

-

Code Block
null('')

str-

app

-

Code Block
null('')

str-

virtSys

vsys

str

-

srcZone

-

Code Block
null('')

str

-

dstZone

-

Code Block
null('')

str

-

srcIface

-

Code Block
null('')

str-

dstIface

-

Code Block
null('')

str-

logAction

log_action

str-

session

session_id

str

-

repCnt

rep_cnt

int4

-

srcPort

-

Code Block
null(0)

int4

-

dstPort

-

Code Block
null(0)

int4

-

srcNatPort

int4-

dstNatPort

int4

-

flags

-

Code Block
null('')

str

-

proto

auth_proto

str

-

action

-

Code Block
null('')

str-

category

src_category

str-

seqno

seq_no

Code Block
int8(seq_no)

int8-

actionFlags

action_flags

str

-

deviceName

device_name

str

-

bytes

-

Code Block
null(int8(0))

int8-

sentBytes

-

Code Block
null(int8(0))

int8-

recvBytes

-

Code Block
null(int8(0))

int8-

pkts

-

Code Block
null(0)

int4

-

srcCountry

-

Code Block
null('')

str

-

dstCountry

-

Code Block
null('')

str

-

session_end_reason

-

Code Block
null('')

str-

url_filename

str-

threatid

-

Code Block
null('')

str-

severity

-

Code Block
null('')

str

-

direction

-

Code Block
null('')

str

-

host

-

Code Block
null('')

str-

result

-

Code Block
null('')

str-

path

-

Code Block
null('')

str-

rawMessage

str

-

hostchain

str

✓

tag

str

✓

firewall.paloalto.config
Anchor
firewall.paloalto.config
firewall.paloalto.config

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`	-
timestamp	timestamp		`timestamp`	-
recvdate	recvdate		`timestamp`-
machine	machine		`str`-
logType	logType		`str`-
subType	subType		`str`	-
serial	serial		`str`	-
srcIp	-	`ip4(null(''))`	`ip4`-
dstIp	-	`ip4(null(''))`	`ip4`-
srcNatIp	-	`ip4(null(''))`	`ip4`-
dstNatIp	-	`ip4(null(''))`	`ip4`	-
rule	-	`null('')`	`str`	-
srcUser	-	`null('')`	`str`	-
dstUser	-	`null('')`	`str`-
app	-	`null('')`	`str`-
virtSys	vsys		`str`-
srcZone	-	`null('')`	`str`	-
dstZone	-	`null('')`	`str`	-
srcIface	-	`null('')`	`str`	-
dstIface	-	`null('')`	`str`	-
logAction	-	`null('')`	`str`-
session	-	`null('')`	`str`	-
repCnt	-	`int4(null(''))`	`int4`	-
srcPort	-	`int4(null(''))`	`int4`	-
dstPort	-	`int4(null(''))`	`int4`-
srcNatPort	srcNatPort		`int4`-
dstNatPort	dstNatPort		`int4`-
flags	-	`null('')`	`str`	-
proto	-	`null('')`	`str`	-
action	-	`null('')`	`str`-
category	-	`null('')`	`str`-
seqno	seqno		`int8`-
actionFlags	-	`null('')`	`str`	-
deviceName	device_name		`str`	-
bytes	-	`int8(null(''))`	`int8`	-
sentBytes	-	`int8(null(''))`	`int8`-
recvBytes	-	`int8(null(''))`	`int8`-
pkts	-	`int4(null(''))`	`int4`-
srcCountry	-	`null('')`	`str`	-
dstCountry	-	`null('')`	`str`	-
session_end_reason	-	`null('')`	`str`-
url_filename	url_filename		`str`-
threatid	-	`null('')`	`str`-
severity	-	`null('')`	`str`	-
direction	-	`null('')`	`str`	-
host	host		`str`	-
result	result		`str`-
path	path		`str`-
rawMessage	rawMessage		`str`-
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.paloalto.correlation
Anchor
firewall.paloalto.correlation
firewall.paloalto.correlation

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`	-
timestamp	timestamp		`timestamp`	-
recvdate	recvdate		`timestamp`-
machine	machine		`str`-
logType	logType		`str`-
subType	subType		`str`	-
serial	serial		`str`	-
srcIp	srcIp		`ip4`	-
dstIp	-	`ip4(null(''))`	`ip4`-
srcNatIp	-	`ip4(null(''))`	`ip4`-
dstNatIp	-	`ip4(null(''))`	`ip4`-
rule	-	`null('')`	`str`	-
srcUser	srcUser		`str`	-
dstUser	-	`null('')`	`str`	-
app	-	`null('')`	`str`	-
virtSys	vsys		`str`-
srcZone	-	`null('')`	`str`	-
dstZone	-	`null('')`	`str`	-
srcIface	-	`null('')`	`str`	-
dstIface	-	`null('')`	`str`-
logAction	-	`null('')`	`str`-
session	-	`null('')`	`str`-
repCnt	-	`int4(null(''))`	`int4`	-
srcPort	-	`int4(null(''))`	`int4`	-
dstPort	-	`int4(null(''))`	`int4`-
srcNatPort	srcNatPort		`int4`-
dstNatPort	dstNatPort		`int4`-
flags	-	`null('')`	`str`	-
proto	-	`null('')`	`str`	-
action	-	`null('')`	`str`	-
category	-	`null('')`	`str`-
seqno	-	`int8(null(''))`	`int8`-
actionFlags	-	`null('')`	`str`-
deviceName	device_name		`str`	-
bytes	-	`int8(null(''))`	`int8`	-
sentBytes	-	`int8(null(''))`	`int8`-
recvBytes	-	`int8(null(''))`	`int8`-
pkts	-	`int4(null(''))`	`int4`-
srcCountry	-	`null('')`	`str`	-
dstCountry	-	`null('')`	`str`	-
session_end_reason	-	`null('')`	`str`	-
url_filename	url_filename		`str`-
threatid	-	`null('')`	`str`-
severity	-	`null('')`	`str`-
direction	-	`null('')`	`str`	-
host	-	`null('')`	`str`	-
result	-	`null('')`	`str`-
path	-	`null('')`	`str`-
rawMessage	rawMessage		`str`-
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.paloalto.

globalprotect

decryption
Anchor
firewall.paloalto.

globalprotect

decryption
firewall.paloalto.

globalprotect

decryption

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate

	`timestamp`
timestamp

-

time_generated

timestamp

createdate

recvdate

timestamp

-

machine

str

-

logType

str

-

subType

str

-

serial

serialnumber

str

-

srcIp

ip4

-

dstIp

-

Code Block

recvdate

timestamp

-

receive_time

timestamp

machine

str

logType

logtype

str

subType

subtype

str

serial

str

srcIp

src_ip4

ip4

dstIp

dst_ip4

ip4

srcNatIp

ip4

dstNatIp

ip4

rule

str

srcUser

src_user

str

dstUser

dst_user

str

app

str

virtSys

vsys

str

srcZone

src_zone

str

dstZone

dst_zone

str

srcIface

inbound_if

str

dstIface

outbound_if

str

logAction

log_set

str

session

session_id

str

repCnt

repeat_cnt

int4

srcPort

src_port

Code Block
int4(src_port)

int4

dstPort

dst_port

Code Block
int4(dst_port)

int4

srcNatPort

int4

dstNatPort

int4

flags

str

proto

str

action

str

category

-

Code Block
null('')

str

seqno

Code Block
int8(seqno)

int8

actionFlags

action_flags

str

deviceName

device_name

str

bytes

-

Code Block
null(int8(0))

int8

sentBytes

-

Code Block
null(int8(0))

int8

recvBytes

-

Code Block
null(int8(0))

int8

pkts

-

Code Block
null(int4(0))

int4

srcCountry

-

Code Block
null('')

str

dstCountry

-

Code Block
null('')

str

session_end_reason

-

Code Block
null('')

str

url_filename

str

threatid

-

Code Block
null('')

str

severity

-

Code Block
null('')

str

direction

-

Code Block
null('')

str

host

-

Code Block
null('')

str

result

-

Code Block
null('')

str

path

-

Code Block
null('')

str

rawMessage

str

hostchain

str

✓

tag

str

✓

firewall.paloalto.globalprotect
Anchor
firewall.paloalto.globalprotect
firewall.paloalto.globalprotect

Field in union table

Field in source table

Field transformation

Data type

Extra fields

eventdate

timestamp

timestamp

createdate

timestamp

recvdate

timestamp

machine

str

logType

str

subType

str

serial

serialnumber

str

srcIp

ip4

dstIp

-

Code Block
ip4(null(''))

ip4

srcNatIp

-

Code Block
ip4(null(''))

ip4

dstNatIp

-

Code Block
ip4(null(''))

ip4

rule

-

Code Block
null('')

str

srcUser

str

dstUser

-

Code Block
null('')

str

app

-

Code Block
null('')

str

virtSys

vsys

str

srcZone

-

Code Block
null('')

str

dstZone

-

Code Block
null('')

str

srcIface

-

Code Block
null('')

str

dstIface

-

Code Block
null('')

str

logAction

-

Code Block
null('')

str

session

-

Code Block
null('')

str

repCnt

repeatcnt

Code Block
int4(repeatcnt)

int4

srcPort

-

Code Block
int4(null(''))

int4

dstPort

-

Code Block
int4(null(''))

int4

srcNatPort

int4

dstNatPort

int4

flags

-

Code Block
null('')

str

proto

-

Code Block
null('')

str

action

-

Code Block
null('')

str

category

-

Code Block
null('')

str

seqno

int8

actionFlags

actionflags

str

deviceName

machinename

str

bytes

-

Code Block
int8(null(''))

int8

sentBytes

-

Code Block
int8(null(''))

int8

recvBytes

-

Code Block
int8(null(''))

int8

pkts

-

Code Block
int4(null(''))

int4

srcCountry

-

Code Block
null('')

str

dstCountry

-

Code Block
null('')

str

session_end_reason

-

Code Block
null('')

str

url_filename

str

threatid

-

Code Block
null('')

str

severity

-

Code Block
null('')

str

direction

-

Code Block
null('')

str

host

str

result

-

Code Block
null('')

str

path

-

Code Block
null('')

str

rawMessage

str

hostchain

str

✓

tag

str

✓

firewall.paloalto.hipmatch
Anchor
firewall.paloalto.hipmatch
firewall.paloalto.hipmatch

Field in union table	Field in source table	Field transformation	Data type
eventdate	eventdate		`timestamp`
timestamp	createdate		`timestamp`
recvdate	recvdate		`timestamp`
machine	machine		`str`
logType	logType		`str`
subType	subType		`str`
serial	serialNumber		`str`
srcIp	srcIp		`ip4`
dstIp	-	`ip4(null(''))`	`ip4`

-


srcNatIp	-

code

ip4(null(''))

ip4

-


dstNatIp	-

Code Block

ip4(null(''))

ip4

-


rule	-

Code Block

null('')

str

-


srcUser	srcUser

str

-


dstUser	-

Code Block

null('')

str

-


app	-

code

null('')

str

-


virtSys	vsys

str

-


srcZone	-

Code Block

null('')

str

-


dstZone	-

code

null('')

str

-


srcIface	-

code

null('')

str

-


dstIface	-

Code Block

null('')

str

-


logAction	-

code

null('')

str

-


session	-

Code Block

null('')

str

-

code

repCnt

repeatcnt

repeatCnt

int4(

repeatcnt

repeatCnt)

int4

-


srcPort	-

Code Block

int4(null(''))

int4

-


dstPort	-

code

int4(null(''))

int4

-


srcNatPort	srcNatPort

int4

-


dstNatPort	dstNatPort

int4

-


flags	-

code

null('')

str

-


proto	-

code

null('')

str

-


action	-

Code Block

null('')

str

-


category	-

code

null('')

str

-


seqno	seqno

int8

-


actionFlags	actionflags

str

-


deviceName

machinename

device_name

str

-


bytes	-

code

int8(null(''))

int8

-


sentBytes	-

code

int8(null(''))

int8

-


recvBytes	-

Code Block

int8(null(''))

int8

-


pkts	-

code

int4(null(''))

int4

-


srcCountry	-

code

null('')

str

-


dstCountry	-

Code Block

null('')

str

-


session_end_reason	-

code

null('')

str

-


url_filename	url_filename

str

-


threatid	-

Code Block

null('')

str

-


severity	-

code

null('')

str

-


direction	-

Code Block

null('')

str

-


host	host

str

-


result	-

code

null('')

str

-


path	-

Code Block

null('')

str

-


rawMessage	rawMessage

str

-


hostchain	hostchain

		`str`	✓
tag	tag

str

✓

Rw tab

title	Table 7-12

[firewall.paloalto.iptag][firewall.paloalto.system][firewall.paloalto.threat][firewall.paloalto.traffic][firewall.paloalto.url][firewall.paloalto.userid]

firewall.paloalto.

hipmatch

iptag
Anchor
firewall.paloalto.

hipmatch

iptag
firewall.paloalto.

hipmatch

iptag

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`

-


timestamp	timestamp

createdate

timestamp

-


recvdate	recvdate		`timestamp`

-

machine

hostname

str

-


logType	logType		`str`

-


subType

subType

threatType

str

-


serial	serial

serialNumber

str

-


srcIp	srcIp		`ip4`

-

dstIp

-

Code Block
null(ip4(

null(''

0.0.0.0))

ip4

-


srcNatIp	srcNatIp	`ip4`
dstNatIp

-

dstNatIp

ip4

(null(''))ip4


rule	-

dstNatIp

Code Block

-

ip4(

null('')

)

str

ip4


srcUser	-

rule

Code Block

-

null('')

str

-

srcUser

str

dstUser

-

dstUser

Code Block

-

null('')

str

-

app

-

Code Block
null('')

str

-


virtSys	vsys		`str`

-

srcZone

-

Code Block
null('')

str

-

dstZone

-

Code Block
null('')

str

-

srcIface

-

Code Block
null('')

str

-

dstIface

-

Code Block
null('')

str

-

logAction

-

Code Block
null('')

str

-

session

-

Code Block
null('')

str

-

repCnt

repeatCnt

int4(repeatCnt)

repeatCount

int4

-

srcPort

-

Code Block
null(int4(

null(''

0))

int4

-

dstPort

-

Code Block
null(int4(

null(''

0))

int4

-


srcNatPort	srcNatPort		`int4`

-


dstNatPort	dstNatPort		`int4`

-

flags

-

Code Block
null('')

str

-

proto

-

Code Block
null('')

str

-

action

-

Code Block
null('')

str

-

seqno

category

-

Code Block
null('')

str

seqno

-

seqno

Code Block
null(int4(0))

int8

-


actionFlags	actionflags		`str`

-


deviceName	device_name		`str`

-

bytes

-

Code Block
null(int8(

null(''

0))

int8

-


sentBytes	-

int8

Code Block
null(

null

int8(

''

0))

int8

-

recvBytes

-

Code Block
null(int8(

null(''

0))

int8

-

pkts

-

Code Block
null(int4(

null(''

0))

int4

-

srcCountry

-

Code Block
null('')

str

-

dstCountry

-

Code Block
null('')

str

-

session_end_reason

-

Code Block
null('')

str

-


url_filename	url_filename		`str`

-

threatid

-

Code Block
null('')

str

-

severity

-

Code Block
null('')

str

-

host

direction

-

Code Block
null('')

str

host

-

host

Code Block
null('')

str

-

result

-

Code Block
null('')

str

-

path

-

Code Block
null('')

str

-


rawMessage	rawMessage		`str`

-


hostchain	hostchain	`str`	✓
tag	tag

str

✓

Rw tab

title	Table 6-10

[firewall.paloalto.system][firewall.paloalto.threat][firewall.paloalto.traffic][firewall.paloalto.url][firewall.paloalto.userid]

str

✓

firewall.paloalto.system
Anchor
firewall.paloalto.system
firewall.paloalto.system

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`	-
timestamp	timestamp		`timestamp`	-
recvdate	recvdate		`timestamp`-
machine	machine		`str`-
logType	logType		`str`-
subType	subType		`str`	-
serial	serial		`str`	-
srcIp	-	`1ip4(null(''))`	`ip4`	-
dstIp	-	`1ip4(null(''))`	`ip4`-
srcNatIp	-	`1ip4(null(''))`	`ip4`-
dstNatIp	-	`1ip4(null(''))`	`ip4`-
rule	-	`null('')`	`str`	-
srcUser	-	`null('')`	`str`	-
dstUser	-	`null('')`	`str`-
app	-	`null('')`	`str`-
virtSys	-	`null('')`	`str`-
srcZone	-	`null('')`	`str`	-
dstZone	-	`null('')`	`str`	-
srcIface	-	`null('')`	`str`	-
dstIface	-	`null('')`	`str`-
logAction	-	`null('')`	`str`-
session	-	`null('')`	`str`-
repCnt	-	`int4(null(''))`	`int4`	-
srcPort	-	`int4(null(''))`	`int4`	-
dstPort	-	`int4(null(''))`	`int4`-
srcNatPort	srcNatPort		`int4`-
dstNatPort	dstNatPort		`int4`-
flags	-	`null('')`	`str`	-
proto	-	`null('')`	`str`	-
action	-	`null('')`	`str`	-
category	-	`null('')`	`str`-
seqno	seqno		`int8`-
actionFlags	-	`null('')`	`str`-
deviceName	device_name		`str`	-
bytes	-	`int8(null(''))`	`int8`	-
sentBytes	-	`int8(null(''))`	`int8`-
recvBytes	-	`int8(null(''))`	`int8`-
pkts	-	`int4(null(''))`	`int4`-
srcCountry	-	`null('')`	`str`	-
dstCountry	-	`null('')`	`str`	-
session_end_reason	-	`null('')`	`str`	-
url_filename	url_filename		`str`-
threatid	-	`null('')`	`str`-
severity	-	`null('')`	`str`-
direction	-	`null('')`	`str`	-
host	-	`null('')`	`str`	-
result	-	`null('')`	`str`-
path	-	`null('')`	`str`-
rawMessage	rawMessage		`str`-
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.paloalto.threat
Anchor
firewall.paloalto.threat
firewall.paloalto.threat

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`	-
timestamp	timestamp		`timestamp`	-
recvdate	recvdate		`timestamp`	-
machine	machine		`str`-
logType	logType		`str`-
subType	subType		`str`-
serial	serial		`str`	-
srcIp	srcIp		`ip4`	-
dstIp	dstIp		`ip4`-
srcNatIp	srcNatIp		`ip4`-
dstNatIp	dstNatIp		`ip4`-
rule	rule		`str`	-
srcUser	srcUser		`str`	-
dstUser	dstUser		`str`	-
app	app		`str`-
virtSys	virtSys		`str`-
srcZone	srcZone		`str`-
dstZone	dstZone		`str`	-
srcIface	srcIface		`str`	-
dstIface	dstIface		`str`-
logAction	logAction		`str`-
session	session		`str`-
repCnt	repCnt		`int4`	-
srcPort	srcPort		`int4`	-
dstPort	dstPort		`int4`	-
srcNatPort	srcNatPort		`int4`-
dstNatPort	dstNatPort		`int4`-
flags	flags		`str`-
proto	proto		`str`	-
action	action		`str`	-
category	category		`str`-
seqno	seqno		`int8`-
actionFlags	actionflags		`str`-
deviceName	deviceName		`str`	-
bytes	-	`int8(null(''))`	`int8`	-
sentBytes	-	`int8(null(''))`	`int8`	-
recvBytes	-	`int8(null(''))`	`int8`-
pkts	-	`int4(null(''))`	`int4`-
srcCountry	srcloc		`str`-
dstCountry	dstloc		`str`	-
session_end_reason	-	`null('')`	`str`	-
url_filename	url_filename		`str`-
threatid	threatid		`str`-
severity	severity		`str`-
direction	direction		`str`	-
host	-	`null('')`	`str`	-
result	-	`null('')`	`str`	-
path	-	`null('')`	`str`-
rawMessage	rawMessage		`str`-
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.paloalto.traffic
Anchor
firewall.paloalto.traffic
firewall.paloalto.traffic

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`-
timestamp	timestamp		`timestamp`	-
recvdate	recvdate		`timestamp`	-
machine	machine		`str`-
logType	logType		`str`-
subType	subType		`str`-
serial	serial		`str`	-
srcIp	srcIp		`ip4`	-
dstIp	dstIp		`ip4`	-
srcNatIp	srcNatIp		`ip4`-
dstNatIp	dstNatIp		`ip4`-
rule	rule		`str`-
srcUser	srcUser		`str`	-
dstUser	dstUser		`str`	-
app	app		`str`-
virtSys	virtSys		`str`-
srcZone	srcZone		`str`-
dstZone	dstZone		`str`	-
srcIface	srcIface		`str`	-
dstIface	dstIface		`str`	-
logAction	logAction		`str`-
session	session		`str`-
repCnt	repCnt		`int4`-
srcPort	srcPort		`int4`	-
dstPort	dstPort		`int4`	-
srcNatPort	srcNatPort		`int4`-
dstNatPort	dstNatPort		`int4`-
flags	flags		`str`-
proto	proto		`str`	-
action	action		`str`	-
category	category		`str`	-
seqno	seqno		`int8`-
actionFlags	actionFlags		`str`-
deviceName	device_name		`str`-
bytes	bytes		`int8`	-
sentBytes	sentBytes		`int8`	-
recvBytes	recvBytes		`int8`-
pkts	pkts	`int4(pkts)`	`int4`-
srcCountry	srcCountry		`str`-
dstCountry	dstCountry		`str`	-
session_end_reason	session_end_reason		`str`	-
url_filename	url_filename		`str`	-
threatid	-	`null('')`	`str`-
severity	-	`null('')`	`str`-
direction	-	`null('')`	`str`-
host	-	`null('')`	`str`	-
result	-	`null('')`	`str`	-
path	-	`null('')`	`str`-
rawMessage	rawMessage		`str`-
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.paloalto.url
Anchor
firewall.paloalto.url
firewall.paloalto.url

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`-
timestamp	timestamp		`timestamp`	-
recvdate	recvdate		`timestamp`	-
machine	machine		`str`	-
logType	logType		`str`-
subType	subType		`str`-
serial	serial		`str`-
srcIp	srcIp		`ip4`	-
dstIp	dstIp		`ip4`	-
srcNatIp	srcNatIp		`ip4`-
dstNatIp	dstNatIp		`ip4`-
rule	rule		`str`-
srcUser	srcUser		`str`	-
dstUser	dstUser		`str`	-
app	app		`str`	-
virtSys	virtSys		`str`-
srcZone	srcZone		`str`-
dstZone	dstZone		`str`-
srcIface	srcIface		`str`	-
dstIface	dstIface		`str`	-
logAction	logAction		`str`-
session	session		`str`-
repCnt	repCnt		`int4`-
srcPort	srcPort		`int4`	-
dstPort	dstPort		`int4`	-
srcNatPort	srcNatPort		`int4`	-
dstNatPort	dstNatPort		`int4`-
flags	flags		`str`-
proto	proto		`str`-
action	action		`str`	-
category	category		`str`	-
seqno	seqno		`int8`-
actionFlags	actionflags		`str`-
deviceName	deviceName		`str`-
bytes	-	`int8(null(''))`	`int8`	-
sentBytes	-	`int8(null(''))`	`int8`	-
recvBytes	-	`int8(null(''))`	`int8`	-
pkts	-	`int4(null(''))`	`int4`-
srcCountry	srcloc		`str`-
dstCountry	dstloc		`str`-
session_end_reason	-	`null('')`	`str`	-
url_filename	url_filename		`str`	-
threatid	threatid		`str`-
severity	severity		`str`-
direction	direction		`str`-
host	-	`null('')`	`str`	-
result	-	`null('')`	`str`	-
path	-	`null('')`	`str`	-
rawMessage	rawMessage		`str`-
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.paloalto.userid
Anchor
firewall.paloalto.userid
firewall.paloalto.userid

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`-
timestamp	timestamp		`timestamp`-
recvdate	recvdate		`timestamp`	-
machine	machine		`str`	-
logType	logType		`str`-
subType	subType		`str`-
serial	serial		`str`-
srcIp	srcIp		`ip4`	-
dstIp	-	`ip4(null(''))`	`ip4`	-
srcNatIp	-	`ip4(null(''))`	`ip4`	-
dstNatIp	-	`ip4(null(''))`	`ip4`-
rule	-	`null('')`	`str`-
srcUser	srcUser		`str`-
dstUser	-	`null('')`	`str`	-
app	-	`null('')`	`str`	-
virtSys	virtSys		`str`-
srcZone	-	`null('')`	`str`-
dstZone	-	`null('')`	`str`-
srcIface	-	`null('')`	`str`	-
dstIface	-	`null('')`	`str`	-
logAction	-	`null('')`	`str`	-
session	-	`null('')`	`str`-
repCnt	-	`int4(null(''))`	`int4`-
srcPort	srcPort		`int4`-
dstPort	dstPort		`int4`	-
srcNatPort	srcNatPort		`int4`	-
dstNatPort	dstNatPort		`int4`-
flags	-	`null('')`	`str`-
proto	-	`null('')`	`str`-
action	-	`null('')`	`str`	-
category	-	`null('')`	`str`	-
seqno	seqno		`int8`	-
actionFlags	actionFlags		`str`-
deviceName	device_name		`str`-
bytes	-	`int8(null(''))`	`int8`-
sentBytes	-	`int8(null(''))`	`int8`	-
recvBytes	-	`int8(null(''))`	`int8`	-
pkts	-	`int4(null(''))`	`int4`-
srcCountry	-	`null('')`	`str`-
dstCountry	-	`null('')`	`str`-
session_end_reason	-	`null('')`	`str`	-
url_filename	url_filename		`str`	-
threatid	-	`null('')`	`str`	-
severity	-	`null('')`	`str`-
direction	-	`null('')`	`str`-
host	-	`null('')`	`str`-
result	-	`null('')`	`str`	-
path	-	`null('')`	`str`	-
rawMessage	rawMessage		`str`-
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

Versions Compared

Old Version 12

New Version 13

Key

Introduction

Source tables

Table structure

Field transformations

firewall.paloalto.auth
Anchor
firewall.paloalto.auth
firewall.paloalto.auth

firewall.paloalto.config
Anchor
firewall.paloalto.config
firewall.paloalto.config

firewall.paloalto.correlation
Anchor
firewall.paloalto.correlation
firewall.paloalto.correlation

firewall.paloalto.

decryption
Anchor
firewall.paloalto.

decryption
firewall.paloalto.

decryption

firewall.paloalto.globalprotect
Anchor
firewall.paloalto.globalprotect
firewall.paloalto.globalprotect

firewall.paloalto.hipmatch
Anchor
firewall.paloalto.hipmatch
firewall.paloalto.hipmatch

firewall.paloalto.

iptag
Anchor
firewall.paloalto.

iptag
firewall.paloalto.

iptag

firewall.paloalto.system
Anchor
firewall.paloalto.system
firewall.paloalto.system

firewall.paloalto.threat
Anchor
firewall.paloalto.threat
firewall.paloalto.threat

firewall.paloalto.traffic
Anchor
firewall.paloalto.traffic
firewall.paloalto.traffic

firewall.paloalto.url
Anchor
firewall.paloalto.url
firewall.paloalto.url

firewall.paloalto.userid
Anchor
firewall.paloalto.userid
firewall.paloalto.userid

Page Comparison

Versions Compared

Old Version 12

New Version 13

Key

Introduction

Source tables

Table structure

Field transformations

firewall.paloalto.auth Anchorfirewall.paloalto.authfirewall.paloalto.auth

firewall.paloalto.config Anchorfirewall.paloalto.configfirewall.paloalto.config

firewall.paloalto.correlation Anchorfirewall.paloalto.correlationfirewall.paloalto.correlation

firewall.paloalto.

decryption Anchorfirewall.paloalto.

decryptionfirewall.paloalto.

decryption

firewall.paloalto.globalprotect Anchorfirewall.paloalto.globalprotectfirewall.paloalto.globalprotect

firewall.paloalto.hipmatch Anchorfirewall.paloalto.hipmatchfirewall.paloalto.hipmatch

firewall.paloalto.

iptag Anchorfirewall.paloalto.

iptagfirewall.paloalto.

iptag

firewall.paloalto.system Anchorfirewall.paloalto.systemfirewall.paloalto.system

firewall.paloalto.threat Anchorfirewall.paloalto.threatfirewall.paloalto.threat

firewall.paloalto.traffic Anchorfirewall.paloalto.trafficfirewall.paloalto.traffic

firewall.paloalto.url Anchorfirewall.paloalto.urlfirewall.paloalto.url

firewall.paloalto.userid Anchorfirewall.paloalto.useridfirewall.paloalto.userid

firewall.paloalto.auth
Anchor
firewall.paloalto.auth
firewall.paloalto.auth

firewall.paloalto.config
Anchor
firewall.paloalto.config
firewall.paloalto.config

firewall.paloalto.correlation
Anchor
firewall.paloalto.correlation
firewall.paloalto.correlation

decryption
Anchor
firewall.paloalto.

decryption
firewall.paloalto.

firewall.paloalto.globalprotect
Anchor
firewall.paloalto.globalprotect
firewall.paloalto.globalprotect

firewall.paloalto.hipmatch
Anchor
firewall.paloalto.hipmatch
firewall.paloalto.hipmatch

iptag
Anchor
firewall.paloalto.

iptag
firewall.paloalto.

firewall.paloalto.system
Anchor
firewall.paloalto.system
firewall.paloalto.system

firewall.paloalto.threat
Anchor
firewall.paloalto.threat
firewall.paloalto.threat

firewall.paloalto.traffic
Anchor
firewall.paloalto.traffic
firewall.paloalto.traffic

firewall.paloalto.url
Anchor
firewall.paloalto.url
firewall.paloalto.url

firewall.paloalto.userid
Anchor
firewall.paloalto.userid
firewall.paloalto.userid