| Table of Contents |
|---|
| minLevel | 1 |
|---|
| maxLevel | 2 |
|---|
| type | flat |
|---|
|
...
This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:
| Note |
|---|
Extra columns Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns. |
Field | Type | Source field name | Extra fields |
|---|
eventdate | timestamp
| | |
timestamp | timestamp
| | |
recvdate | timestamp
| | |
machine | str
| | |
logType | str
| | |
subType | str
| | |
serial | str
| | |
srcIp | ip4
| | |
dstIp | ip4
| | |
srcNatIp | ip4
| srcXIp | |
dstNatIp | ip4
| dstXIp | |
rule | str
| | |
srcUser | str
| | |
dstUser | str
| | |
app | str
| | |
virtSys | str
| | |
srcZone | str
| | |
dstZone | str
| | |
srcIface | str
| | |
dstIface | str
| | |
logAction | str
| | |
session | str
| | |
repCnt | int4
| | |
srcPort | int4
| | |
dstPort | int4
| | |
srcNatPort | int4
| srcXPort | |
dstNatPort | int4
| dstXPort | |
flags | str
| | |
proto | str
| | |
action | str
| | |
category | str
| | |
seqno | int8
| | |
actionFlags | str
| | |
deviceName | str
| | |
bytes | int8
| | |
sentBytes | int8
| | |
recvBytes | int8
| | |
pkts | int4
| | |
srcCountry | str
| | |
dstCountry | str
| | |
session_end_reason | str
| | |
severity | str
| | |
rawMessage | str
| | |
hostchain | str
| | ✓ |
tag | str
| | ✓ |
...
| Rw ui tabs macro |
|---|
[firewall.paloalto.auth][firewall.paloalto.config][firewall.paloalto.correlation] [firewall.paloalto.decryption][firewall.paloalto.globalprotect][firewall.paloalto.hipmatch] firewall.paloalto.auth | Anchor |
|---|
| firewall.paloalto.auth |
|---|
| firewall.paloalto.auth |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | create_date | | timestamp
| | recvdate | recv_date | | timestamp
| | machine | machine | | str
| | logType | log_type | | str
| | subType | sub_type | | str
| | serial | serial | | str
| | srcIp | src_ip | | ip4
| | dstIp | - | | ip4
| | srcNatIp | srcNatIp | | ip4
| | dstNatIp | dstNatIp | | ip4
| | rule | - | | str
| | srcUser | src_user | | str
| | dstUser | - | | str
| | app | - | | str
| | virtSys | vsys | | str
| | srcZone | - | | str
| | dstZone | - | | str
| | srcIface | - | | str
| | dstIface | - | | str
| | logAction | log_action | | str
| | session | session_id | | str
| | repCnt | rep_cnt | | int4
| | srcPort | - | | int4
| | dstPort | - | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | - | | str
| | proto | auth_proto | | str
| | action | - | | str
| | category | src_category | | str
| | seqno | seq_no | | int8
| | actionFlags | action_flags | | str
| | deviceName | device_name | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | - | | str
| | dstCountry | - | | str
| | session_end_reason | - | | str
| | severity | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.config | Anchor |
|---|
| firewall.paloalto.config |
|---|
| firewall.paloalto.config |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | timestamp | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | machine | | str
| | logType | logType | | str
| | subType | subType | | str
| | serial | serial | | str
| | srcIp | - | | ip4
| | dstIp | - | | ip4
| | srcNatIp | - | | ip4
| | dstNatIp | - | | ip4
| | rule | - | | str
| | srcUser | - | | str
| | dstUser | - | | str
| | app | - | | str
| | virtSys | vsys | | str
| | srcZone | - | | str
| | dstZone | - | | str
| | srcIface | - | | str
| | dstIface | - | | str
| | logAction | - | | str
| | session | - | | str
| | repCnt | - | | int4
| | srcPort | - | | int4
| | dstPort | - | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | - | | str
| | proto | - | | str
| | action | - | | str
| | category | - | | str
| | seqno | seqno | | int8
| | actionFlags | - | | str
| | deviceName | device_name | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | - | | str
| | dstCountry | - | | str
| | session_end_reason | - | | str
| | severity | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.correlation | Anchor |
|---|
| firewall.paloalto.correlation |
|---|
| firewall.paloalto.correlation |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | timestamp | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | machine | | str
| | logType | logType | | str
| | subType | subType | | str
| | serial | serial | | str
| | srcIp | srcIp | | ip4
| | dstIp | - | | ip4
| | srcNatIp | - | | ip4
| | dstNatIp | - | | ip4
| | rule | - | | str
| | srcUser | srcUser | | str
| | dstUser | - | | str
| | app | - | | str
| | virtSys | vsys | | str
| | srcZone | - | | str
| | dstZone | - | | str
| | srcIface | - | | str
| | dstIface | - | | str
| | logAction | - | | str
| | session | - | | str
| | repCnt | - | | int4
| | srcPort | - | | int4
| | dstPort | - | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | - | | str
| | proto | - | | str
| | action | - | | str
| | category | - | | str
| | seqno | - | | int8
| | actionFlags | - | | str
| | deviceName | device_name | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | - | | str
| | dstCountry | - | | str
| | session_end_reason | - | | str
| | severity | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.decryption | Anchor |
|---|
| firewall.paloalto.decryption |
|---|
| firewall.paloalto.decryption |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | time_generated | | timestamp
| | recvdate | receive_time | | timestamp
| | machine | machine | | str
| | logType | logtype | | str
| | subType | subtype | | str
| | serial | serial | | str
| | srcIp | src_ip4 | | ip4
| | dstIp | dst_ip4 | | ip4
| | srcNatIp | srcNatIp | | ip4
| | dstNatIp | dstNatIp | | ip4
| | rule | rule | | str
| | srcUser | src_user | | str
| | dstUser | dst_user | | str
| | app | app | | str
| | virtSys | vsys | | str
| | srcZone | src_zone | | str
| | dstZone | dst_zone | | str
| | srcIface | inbound_if | | str
| | dstIface | outbound_if | | str
| | logAction | log_set | | str
| | session | session_id | | str
| | repCnt | repeat_cnt | | int4
| | srcPort | src_port | | int4
| | dstPort | dst_port | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | flags | | str
| | proto | proto | | str
| | action | action | | str
| | category | - | | str
| | seqno | seqno | | int8
| | actionFlags | action_flags | | str
| | deviceName | device_name | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | - | | str
| | dstCountry | - | | str
| | session_end_reason | - | | str
| | url_filename | url_filename | | str
| | threatid | - | | str
| | severity | - | | str
| | direction | - | | str
| | host | - | | str
| | result | - | | str
| | path | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.globalprotect | Anchor |
|---|
| firewall.paloalto.globalprotect |
|---|
| firewall.paloalto.globalprotect |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | createdate | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | machine | | str
| | logType | logType | | str
| | subType | subType | | str
| | serial | serial | | str
| | srcIp | - | | Code Block |
|---|
ip4(null(''))public_ip | | ip4
| | dstIp | - | | ip4
| | srcNatIp | - | | ip4
| | dstNatIp | - | | ip4
| | rule | - | | str
| | srcUser | srcuser | | str
| | dstUser | - | | str
| | app | - | | str
| | virtSys | vsys | | str
| | srcZone | - | | str
| | dstZone | - | | str
| | srcIface | - | | str
| | dstIface | - | | str
| | logAction | - | | str
| | session | - | | str
| | repCnt | repeatcnt | | Code Block |
|---|
int4(repeatcnt) |
| int4
| | srcPort | - | | int4
| | dstPort | - | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | - | | str
| | proto | - | | str
| | action | - | | str
| | category | - | | str
| | seqno | seqno | | int8
| | actionFlags | actionflags | | str
| | deviceName | machinename | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | srcregion | | str
| | dstCountry | - | | str
| | session_end_reason | - | | str
| | severity | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.hipmatch | Anchor |
|---|
| firewall.paloalto.hipmatch |
|---|
| firewall.paloalto.hipmatch |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | createdate | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | machine | | str
| | logType | logType | | str
| | subType | subType | | str
| | serial | serialNumber | | str
| | srcIp | srcIp | | ip4
| | dstIp | - | | ip4
| | srcNatIp | - | | ip4
| | dstNatIp | - | | ip4
| | rule | - | | str
| | srcUser | srcUser | | str
| | dstUser | - | | str
| | app | - | | str
| | virtSys | vsys | | str
| | srcZone | - | | str
| | dstZone | - | | str
| | srcIface | - | | str
| | dstIface | - | | str
| | logAction | - | | str
| | session | - | | str
| | repCnt | repeatCnt | | Code Block |
|---|
int4(repeatCnt) |
| int4
| | srcPort | - | | int4
| | dstPort | - | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | - | | str
| | proto | - | | str
| | action | - | | str
| | category | - | | str
| | seqno | seqno | | int8
| | actionFlags | actionflags | | str
| | deviceName | device_name | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | - | | str
| | dstCountry | - | | str
| | session_end_reason | - | | str
| | severity | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
[firewall.paloalto.iptag][firewall.paloalto.system][firewall.paloalto.threat][firewall.paloalto.traffic][firewall.paloalto.url][firewall.paloalto.userid] firewall.paloalto.iptag | Anchor |
|---|
| firewall.paloalto.iptag |
|---|
| firewall.paloalto.iptag |
|---|
|
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | timestamp | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | hostname | | str
| | logType | logType | | str
| | subType | threatType | | str
| | serial | serial | | str
| | srcIp | srcIp | | ip4
| | dstIp | - | | Code Block |
|---|
null(ip4(0.0.0.0)) |
| ip4
| | srcNatIp | srcNatIp | | ip4
| | dstNatIp | dstNatIp | | ip4
| | rule | - | | str
| | srcUser | - | | str
| | dstUser | - | | str
| | app | - | | str
| | virtSys | vsys | | str
| | srcZone | - | | str
| | dstZone | - | | str
| | srcIface | - | | str
| | dstIface | - | | str
| | logAction | - | | str
| | session | - | | str
| | repCnt | repeatCount | | int4
| | srcPort | - | | int4
| | dstPort | - | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | - | | str
| | proto | - | | str
| | action | - | | str
| | category | - | | str
| | seqno | - | | int8
| | actionFlags | actionflags | | str
| | deviceName | device_name | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | - | | str
| | dstCountry | - | | str
| | session_end_reason | - | | str
| | url_filename | url_filename | | str
| | threatid | - | | str
| | severity | - | | str
| | direction | - | | str
| | host | - | | str
| | result | - | | str
| | path | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.system | Anchor |
|---|
| firewall.paloalto.system |
|---|
| firewall.paloalto.system |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | timestamp | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | machine | | str
| | logType | logType | | str
| | subType | subType | | str
| | serial | serial | | str
| | srcIp | client_ip | | ip4
| | dstIp | - | | ip4
| | srcNatIp | - | | ip4
| | dstNatIp | - | | ip4
| | rule | - | | str
| | srcUser | user_name | | str
| | dstUser | - | | str
| | app | - | | str
| | virtSys | - | | str
| | srcZone | - | | str
| | dstZone | - | | str
| | srcIface | - | | str
| | dstIface | - | | str
| | logAction | - | | str
| | session | - | | str
| | repCnt | - | | int4
| | srcPort | - | | int4
| | dstPort | - | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | - | | str
| | proto | - | | str
| | action | - | | str
| | category | - | | str
| | seqno | seqno | | int8
| | actionFlags | actionflags | | str
| | deviceName | device_name | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | - | | str
| | dstCountry | - | | str
| | session_end_reason | - | | str
| | severity | severity | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.threat | Anchor |
|---|
| firewall.paloalto.threat |
|---|
| firewall.paloalto.threat |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | timestamp | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | machine | | str
| | logType | logType | | str
| | subType | subType | | str
| | serial | serial | | str
| | srcIp | srcIp | | ip4
| | dstIp | dstIp | | ip4
| | srcNatIp | srcNatIp | | ip4
| | dstNatIp | dstNatIp | | ip4
| | rule | rule | | str
| | srcUser | srcUser | | str
| | dstUser | dstUser | | str
| | app | app | | str
| | virtSys | virtSys | | str
| | srcZone | srcZone | | str
| | dstZone | dstZone | | str
| | srcIface | srcIface | | str
| | dstIface | dstIface | | str
| | logAction | logAction | | str
| | session | session | | str
| | repCnt | repCnt | | int4
| | srcPort | srcPort | | int4
| | dstPort | dstPort | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | flags | | str
| | proto | proto | | str
| | action | action | | str
| | category | category | | str
| | seqno | seqno | | int8
| | actionFlags | actionflags | | str
| | deviceName | deviceName | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | srcloc | | str
| | dstCountry | dstloc | | str
| | session_end_reason | - | | str
| | severity | severity | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.traffic | Anchor |
|---|
| firewall.paloalto.traffic |
|---|
| firewall.paloalto.traffic |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | timestamp | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | machine | | str
| | logType | logType | | str
| | subType | subType | | str
| | serial | serial | | str
| | srcIp | srcIp | | ip4
| | dstIp | dstIp | | ip4
| | srcNatIp | srcNatIp | | ip4
| | dstNatIp | dstNatIp | | ip4
| | rule | rule | | str
| | srcUser | srcUser | | str
| | dstUser | dstUser | | str
| | app | app | | str
| | virtSys | virtSys | | str
| | srcZone | srcZone | | str
| | dstZone | dstZone | | str
| | srcIface | srcIface | | str
| | dstIface | dstIface | | str
| | logAction | logAction | | str
| | session | session | | str
| | repCnt | repCnt | | int4
| | srcPort | srcPort | | int4
| | dstPort | dstPort | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | flags | | str
| | proto | proto | | str
| | action | action | | str
| | category | category | | str
| | seqno | seqno | | int8
| | actionFlags | actionFlags | | str
| | deviceName | device_name | | str
| | bytes | bytes | | int8
| | sentBytes | sentBytes | | int8
| | recvBytes | recvBytes | | int8
| | pkts | pkts | | int4
| | srcCountry | srcCountry | | str
| | dstCountry | dstCountry | | str
| | session_end_reason | session_end_reason | | str
| | severity | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.url | Anchor |
|---|
| firewall.paloalto.url |
|---|
| firewall.paloalto.url |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | timestamp | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | machine | | str
| | logType | logType | | str
| | subType | subType | | str
| | serial | serial | | str
| | srcIp | srcIp | | ip4
| | dstIp | dstIp | | ip4
| | srcNatIp | srcNatIp | | ip4
| | dstNatIp | dstNatIp | | ip4
| | rule | rule | | str
| | srcUser | srcUser | | str
| | dstUser | dstUser | | str
| | app | app | | str
| | virtSys | virtSys | | str
| | srcZone | srcZone | | str
| | dstZone | dstZone | | str
| | srcIface | srcIface | | str
| | dstIface | dstIface | | str
| | logAction | logAction | | str
| | session | session | | str
| | repCnt | repCnt | | int4
| | srcPort | srcPort | | int4
| | dstPort | dstPort | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | flags | | str
| | proto | proto | | str
| | action | action | | str
| | category | category | | str
| | seqno | seqno | | int8
| | actionFlags | actionflags | | str
| | deviceName | deviceName | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | srcloc | | str
| | dstCountry | dstloc | | str
| | session_end_reason | - | | str
| | severity | severity | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
firewall.paloalto.userid | Anchor |
|---|
| firewall.paloalto.userid |
|---|
| firewall.paloalto.userid |
|---|
|
Field in union table | Field in source table | Field transformation | Type | Extra fields |
|---|
eventdate | eventdate | | timestamp
| | timestamp | timestamp | | timestamp
| | recvdate | recvdate | | timestamp
| | machine | machine | | str
| | logType | logType | | str
| | subType | subType | | str
| | serial | serial | | str
| | srcIp | srcIp | | ip4
| | dstIp | - | | ip4
| | srcNatIp | - | | ip4
| | dstNatIp | - | | ip4
| | rule | - | | str
| | srcUser | srcUser | | str
| | dstUser | - | | str
| | app | - | | str
| | virtSys | virtSys | | str
| | srcZone | - | | str
| | dstZone | - | | str
| | srcIface | - | | str
| | dstIface | - | | str
| | logAction | - | | str
| | session | - | | str
| | repCnt | - | | int4
| | srcPort | srcPort | | int4
| | dstPort | dstPort | | int4
| | srcNatPort | srcNatPort | | int4
| | dstNatPort | dstNatPort | | int4
| | flags | - | | str
| | proto | - | | str
| | action | - | | str
| | category | - | | str
| | seqno | seqno | | int8
| | actionFlags | actionFlags | | str
| | deviceName | device_name | | str
| | bytes | - | | int8
| | sentBytes | - | | int8
| | recvBytes | - | | int8
| | pkts | - | | int4
| | srcCountry | - | | str
| | dstCountry | - | | str
| | session_end_reason | - | | str
| | severity | - | | str
| | rawMessage | rawMessage | | str
| | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
|
