Page Comparison

...

Field in

...

Field in source table

...

Field transformation

...

Data Type

...

Extra Field

...

eventdate

...

eventdate

...

timestamp

...

-

...

timestamp

...

create_date

...

timestamp

...

-

...

recvdate

...

recv_date

...

timestamp

...

-

...

machine

...

machine

...

str

...

-

...

logType

...

log_type

...

str

...

-

...

subType

...

sub_type

...

str

...

-

...

serial

...

serial

...

str

...

-

...

srcIp

...

src_ip

...

ip4

...

-

...

dstIp

...

-

...

Code Block
ip4(null(''))

...

ip4

...

-

...

srcNatIp

...

srcNatIp

...

ip4

...

-

...

dstNatIp

...

dstNatIp

...

ip4

...

-

...

Table of Contents

minLevel	1
maxLevel	2
type	flat

Introduction

This union table collects information from a set of tables that contain events from Palo Alto Network's firewalls.

Source tables

The information displayed is extracted from the following tables:

Expand

title	Check source tables

firewall.paloalto.auth
firewall.paloalto.config
firewall.paloalto.correlation
firewall.paloalto.globalprotect
firewall.paloalto.hipmatch
firewall.paloalto.system
firewall.paloalto.threat
firewall.paloalto.traffic
firewall.paloalto.url
firewall.paloalto.userid

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Note

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field	Data type	Extra fields
eventdate	`timestamp`	-
timestamp	`timestamp`	-
recvdate	`timestamp`	-
machine	`str`	-
logType	`str`	-
subType	`str`	-
serial	`str`	-
srcIp	`ip4`	-
dstIp	`ip4`	-
srcNatIp	`ip4`	-
dstNatIp	`ip4`	-
rule	`str`	-
srcUser	`str`	-
dstUser	`str`	-
app	`str`	-
virtSys	`str`	-
srcZone	`str`	-
dstZone	`str`	-
srcIface	`str`	-
dstIface	`str`	-
logAction	`str`	-
session	`str`	-
repCnt	`int4`	-
srcPort	`int4`	-
dstPort	`int4`	-
srcNatPort	`int4`	-

Field	Data type	Extra fields
dstNatPort	`int4`	-
flags	`str`	-
proto	`str`	-
action	`str`	-
category	`str`	-
seqno	`int8`	-
actionFlags	`str`	-
deviceName	`str`	-
bytes	`int8`	-
sentBytes	`int8`	-
recvBytes	`int8`	-
pkts	`int4`	-
srcCountry	`str`	-
dstCountry	`str`	-
session_end_reason	`str`	-
url_filename	`str`	-
threatid	`str`	-
severity	`str`	-
direction	`str`	-
host	`str`	-
result	`str`	-
path	`str`	-
rawMessage	`str`	-
hostchain	`str`	✓
tag	`str`	✓

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.

...

Rw tab

title	Tables 1-5

[firewall.paloalto.auth][firewall.paloalto.config][firewall.paloalto.correlation][firewall.paloalto.globalprotect][firewall.paloalto.hipmatch]

...

Table of Contents

minLevel	1
maxLevel	2
type	flat

Introduction

This union table collects information from a set of tables that contain events from Palo Alto Network's firewalls.

Source tables

The information displayed is extracted from the following tables:

Expand

title	Check source tables

firewall.paloalto.auth
firewall.paloalto.config
firewall.paloalto.correlation
firewall.paloalto.decryption
firewall.paloalto.globalprotect
firewall.paloalto.hipmatch
firewall.paloalto.iptag
firewall.paloalto.system
firewall.paloalto.threat
firewall.paloalto.traffic
firewall.paloalto.url
firewall.paloalto.userid

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Note

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
timestamp	`timestamp`
received_date	`timestamp`	recvdate
machine	`str`
log_type	`str`	logType
subtype	`str`	subType
serial	`str`
source_ip	`str`
source_ipv4	`ip4`	srcIp
destination_ip	`str`
destination_ipv4	`ip4`	dstIp
source_nat_ip	`str`
source_nat_ipv4	`ip4`	srcNatIp
destination_nat_ip	`str`
destination_nat_ipv4	`ip4`	dstNatIp
rule	`str`
session	`str`
source_username	`str`	srcUser
destination_username	`str`	dstUser
application	`str`	app
virtual_system	`str`	virtSys
source_zone	`str`	srcZone
destination_zone	`str`	dstZone
source_interface	`str`	srcIface
destination_interface	`str`	dstIface
log_action	`str`	logAction
repeat_count	`int4`	repCnt
source_port	`str`
destination_port	`str`
source_nat_port	`str`
destination_nat_port	`str`
flags	`str`
protocol	`str`	proto
action	`str`
category	`str`
sequence_number	`int8`	seqno
action_flags	`str`	actionFlags
device_name	`str`	deviceName
bytes_total	`int8`	bytes
bytes_sent	`int8`	sentBytes
bytes_received	`int8`	recvBytes
packets_total	`int4`	pkts
source_geo_country_name	`str`	srcCountry
destination_geo_country_name	`str`	dstCountry
session_end_reason	`str`
url_file_name	`str`	url_filename
threat_id	`str`	threatid
severity	`str`
hostname	`str`	host
file_path	`str`	path
rawMessage	`str`
hostchain	`str`		✓
tag	`str`		✓

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.

Rw ui tabs macro

Rw tab

title	Tables 1-6

[firewall.paloalto.auth][firewall.paloalto.config][firewall.paloalto.correlation] [firewall.paloalto.decryption][firewall.paloalto.globalprotect][firewall.paloalto.hipmatch]

firewall.paloalto.auth
Anchor
firewall.paloalto.auth
firewall.paloalto.auth

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

create_date

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

src_ip_str

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

session_id

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

destination_port

-

Code Block
null('')

str

source_nat_port

-

Code Block
null('')

str

destination_nat_port

-

Code Block
null('')

str

flags

-

Code Block
null('')

str

protocol

str

action

-

Code Block
null('')

str

category

src_category

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_name

str

threat_id

str

severity

-

Code Block
null('')

str

hostname

str

file_path

str

rawMessage

str

hostchain

str

✓

tag

str

✓

firewall.paloalto.config
Anchor
firewall.paloalto.config
firewall.paloalto.config

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

-

Code Block
null('')

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

-

Code Block
null('')

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

destination_port

-

Code Block
null('')

str

source_nat_port

-

Code Block
null('')

str

destination_nat_port

-

Code Block
null('')

str

flags

-

Code Block
null('')

str

protocol

str

action

-

Code Block
null('')

str

category

-

Code Block
null('')

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_name

str

threat_id

str

severity

-

Code Block
null('')

str

hostname

str

file_path

str

rawMessage

str

hostchain

str

✓

tag

str

✓

firewall.paloalto.correlation
Anchor
firewall.paloalto.correlation
firewall.paloalto.correlation

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

srcIp_str

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

...

-

...

srcUser

...


destination_nat_ipv4	destination_nat_ipv4

...

ip4

...

rule

...

dstUser

...

-

Code Block
null('')

str

...

-

session

-

Code Block
null('')

str

...

-

...

virtSys

...


source_username	source_username		`str`

...

-

...

srcZone

...

-

...

Code Block
null('')

...

str

...

-

...

dstZone

...

-

...

Code Block
null('')

...

str

...

-

...

srcIface

...

-

...

Code Block
null('')

...

str

...

-

...

dstIface

...

-

...

Code Block
null('')

...

str

...

-

...

logAction

...

log_action

...

str

...

-

...

session

...

session_id

...

str

...

-

...

repCnt

...

rep_cnt

...

int4

...

-

...

srcPort

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null(

...

'')

...

int4

...

-

str

destination_port

-

Code Block
null(

...

'')

...

str

source_nat_port

-

...

srcNatPort

...

srcNatPort

...

Code Block
null('')

str

destination_nat_port

-

...

dstNatPort

...

dstNatPort

...

int4

...

-

Code Block
null('')

str

flags

-

Code Block
null('')

str

...

-

...

proto

...


protocol	protocol		`str`

...

action

-

Code Block
null('')

str

...

-

...

category

...

str

-

...

seq_no

Code Block

...

null('')

...

str

...

-

...

actionFlags

...


sequence_number	sequence_number

...

dstCountry

...

-

...

Code Block
null('')

...

str

...

int8

...

-

...

deviceName

...

device_name

...

str

...

-

...

bytes

...

-

...

Code Block
null(int8(0))

...

int8

...

-

...

sentBytes

...

-

...

Code Block
null(int8(0))

...

int8

...

-

...

recvBytes

...

-

...

Code Block
null(int8(0))

...

int8

...

-

...

pkts

...

-

...

Code Block
null(0)

...

int4

...

-

...

srcCountry

...

-

...

Code Block
null('')

...

str

...

-

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...

-

url_file_

...

name

url_

...

file_name

str

...

-

...

threatid

...

-

...

Code Block
null('')

...

str

...

-

...

severity

...

-

...

Code Block
null('')

...

str

...

-

...

direction

...

-

...

Code Block
null('')

...

str

...

-

threat_id

str

severity

-

Code Block
null('')

str

...

hostname

...

path

...

-

...

Code Block
null('')

...

str

...

hostname

...

-

...

Code Block
null('')

...

str

...

-

	`str`
file_path	file_path	`str`
rawMessage	rawMessage	`str`

...


hostchain	hostchain	`str`	✓
tag	tag	`str`	✓

firewall.paloalto.

...

decryption
Anchor
firewall.paloalto.

...

decryption
firewall.paloalto.

...

decryption

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`

...

timestamp

...

time_generated

...

recvdate

...

timestamp

...

-

received_date

timestamp

...


machine	machine

...

		`str`
log_type	log_type		`str`

...

subtype

...

subtype

...

str

...

serial

...

serial

...

str

...

source_ip

...

src

...

category

...

-

str

...

-

...

srcIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

dstIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

srcNatIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

dstNatIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

rule

...

-

...

null('')

...

str

...

-

...

srcUser

...

-

...

null('')

...

str

...

-

...

dstUser

...

-

...

null('')

...

str

...

-

...

app

...

-

...

null('')

...

str

...

-

...

virtSys

...

vsys

...

str

...

-

...

srcZone

...

-

...

null('')

...

str

...

-

...

dstZone

...

-

...

null('')

...

str

...

-

...

srcIface

...

-

...

null('')

...

str

...

-

...

dstIface

...

-

...

null('')

...

str

...

-

...

logAction

...

-

...

null('')

...

str

...

-

...

session

...

-

...

null('')

...

str

...

-

...

repCnt

...

-

...

int4(null(''))

...

int4

...

-

...

srcPort

...

-

...

int4(null(''))

...

int4

...

-

...

dstPort

...

-

...

int4(null(''))

...

int4

...

-

...

srcNatPort

...

srcNatPort

...

int4

...

-

...

dstNatPort

...

dstNatPort

...

int4

...

-

...

flags

...

-

...

null('')

...

str

...

-

...

proto

...

-

...

null('')

...

str

...

-

...

action

...

-

...

null('')

...

str

...

-

...

source_ipv4

ip4

destination_ip

dst

str

destination_ipv4

ip4

source_nat_ip

nat_src

str

source_nat_ipv4

ip4

destination_nat_ip

nat_dst

str

destination_nat_ipv4

ip4

rule

str

session

session_id

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

src_port

str

destination_port

dst_port

str

source_nat_port

nat_src_port

str

destination_nat_port

nat_dst_port

str

flags

str

protocol

str

action

str

category

-

Code Block
null('')

str

...

-

...

seqno

...

sequence_number

int8

...

-

...

actionFlags

...

-

...

null('')

...

str

...

-

action_flags	action_flags		`str`
device_name	device_name

...

str

...

-

...

bytes

...

-

...

int8(null(''))

...

int8

...

-

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

-

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

-

...

pkts

...

-

...

int4(null(''))

...

int4

...

-

...

srcCountry

...

-

...

null('')

...

str

...

-

...

dstCountry

...

-

...

null('')

...

str

...

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...


url_file_

...

name

url_

...

threatid

...

-

...

file_name

str

...

-

threat_id

str

...

-

...


severity	-

...

null('')

...

str

...

-

...

direction

Code Block
null('')

str

...

hostname

...

hostname

...

result

...

result

...

str

...

-

...

path

...

str

...

-

file_path

str

...


rawMessage	rawMessage

...

str

...


hostchain	hostchain

...

	`str`	✓
tag	tag		`str`	✓

firewall.paloalto.

...

globalprotect
Anchor
firewall.paloalto.

...

globalprotect
firewall.paloalto.

...

globalprotect

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`

...

timestamp

...

createdate

...

recvdate

...

timestamp

...

-

received_date

timestamp

...


machine	machine

...

		`str`
log_type	log_type		`str`
subtype	subtype		`str`

...

serial

...

serial

...

str

...

-

...

subType

...

subType

...

str

...

-

...

serial

...

serial

...

str

...

-

...

srcIp

...

srcIp

...

ip4

...

-

...

dstIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

srcNatIp

...

-

...

source_ip

public_ip

public_ipv6

Code Block
isnotnull(public_ip) ? str(public_ip) : public_ipv6

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

...

rule

...

ip4

...

-

...

dstNatIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

...

-

...

srcUser

...

srcUser

...

destination_nat_ipv4	destination_nat_ipv4		`ip4`
rule	-

...

dstUser

Code Block
null('')

str

session

-

...

Code Block

...

-

...

srcNatPort

...

srcNatPort

...

int4

...

-

...

dstNatPort

...

dstNatPort

...

int4

...

-

...

flags

...

null('')

str

...

-

...

virtSys

...

vsys

...

str

...

-

...

srcZone

...

-

...

null('')

...

str

...

-

...

dstZone

...

-

...

null('')

...

str

...

-

...

srcIface

...

-

...

null('')

...

str

...

-

...

dstIface

...

-

...

null('')

...

str

...

-

...

logAction

...

-

...

null('')

...

str

...

-

...

session

...

-

...

null('')

...

str

...

-

...

repCnt

...

-

...

int4(null(''))

...

int4

...

-

...

srcPort

...

-

...

int4(null(''))

...

int4

...

-

...

dstPort

...

-

...

int4(null(''))

...

int4

...

-

...

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

destination_port

-

Code Block
null('')

str

source_nat_port

-

Code Block
null('')

str

destination_nat_port

-

Code Block
null('')

str

flags

-

...

proto

Code Block
null('')

str

...

protocol

str

action

-

Code Block
null('')

str

...

-

category

-

Code Block
null('')

str

...

-

...

seqno

...

-

...

int8(null(''))

...

int8

...

-

...

actionFlags

...

-

...

null('')

...

str

...

-

...

deviceName

sequence_number	sequence_number	`int8`
action_flags	action_flags	`str`
device_name	device_name	`str`

...


bytes_total	bytes_total

...

int8

...

int8

...

-

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

-

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

-

...

pkts

...

-

...

int4(null(''))

...

int4

...

-

...

srcCountry

...

-

...

null('')

...

str

...

-

...

dstCountry

...

-

...

null('')

...

str

...

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...

-

url_

...

file_name

url_

...

str

...

-

...

threatid

...

-

...

null('')

...

str

...

-

...

severity

...

-

...

file_name

str

...

-

...

direction

...

-

...

null('')

...

threat_id	threat_id		`str`
severity	-

...

host

Code Block
null('')

str

...

hostname

...

hostname

...

-

...

null('')

str

...


file_path	file_path

...

-

str

...


rawMessage	rawMessage

...

str

...


hostchain	hostchain

...

	`str`	✓
tag	tag		`str`	✓

firewall.paloalto.

...

hipmatch
Anchor
firewall.paloalto.

...

hipmatch
firewall.paloalto.

...

hipmatch

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`

...

recvdate

...

recvdate


timestamp	createdate		`timestamp`

...

-

...

machine

...

received_date

timestamp

...

-

machine	machine		`str`
log_type	log_type		`str`

...

subtype

...

logType

subtype

str

...

serial

...

subType

serialNumber

str

...

-

...

serial

...


source_ip	srcIp_str		`str`

...

-

...

srcIp

...

srcIp


source_ipv4	source_ipv4		`ip4`

...

destination_ip

...

dstIp

-

Code Block

...

null('')

...

srcNatIp

str

destination_ipv4

ip4

...

-

source_nat_ip

-

Code Block

...

null(''

...

rule

...

ip4

...

-

...

dstNatIp

...

-

...

Code Block
ip4(null(''))

...

ip4

...

-

...

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

...

-

...

srcUser

destination_nat_ipv4

...

ip4

...

-

...

rule

-

Code Block
null('')

str

...

-

...

session

-

Code Block
null('')

str

...

-

...

virtSys

...

source_username

str

...

-

...

srcZone

...

-

...

Code Block
null('')

...

str

...

-

...

dstZone

...

-

...

Code Block
null('')

...

str

...

-

...

srcIface

...

-

...

Code Block
null('')

...

str

...

-

...

dstIface

...

-

...

Code Block
null('')

...

str

...

-

...

logAction

...

-

...

Code Block
null('')

...

str

...

-

...

session

...

-

...

Code Block
null('')

...

str

...

-

...

repCnt

...

repeatcnt

...

Code Block
int4(repeatcnt)

...

int4

...

-

...

srcPort

...

-

...

Code Block
int4(null(''))

...

int4

...

-

...

dstPort

...

-

...

Code Block
int4(null(''))

...

int4

...

-

...

srcNatPort

...

srcNatPort

...

int4

...

-

...

dstNatPort

...

dstNatPort

...

int4

...

-

...

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

destination_port

-

Code Block
null('')

str

source_nat_port

-

Code Block
null('')

str

destination_nat_port

-

Code Block
null('')

str

...

-

flags

-

Code Block
null('')

str

...

protocol

str

action

-

Code Block
null('')

str

...

-

...

category

-

Code Block
null('')

str

...

-

...

seqno

...

actionFlags

...

actionflags

sequence_number

int8

...

-

action_flags

str

...

-

...

deviceName

...


device_name	device_name		`str`

...


bytes_total	bytes_total

...

-

int8

...

int8

...

-

...

sentBytes

...

-

...

Code Block
int8(null(''))

...

int8

...

-

...

recvBytes

...

-

...

Code Block
int8(null(''))

...

int8

...

-

...

pkts

...

-

...

Code Block
int4(null(''))

...

int4

...

-

...

srcCountry

...

-

...

Code Block
null('')

...

str

...

-

...

dstCountry

...

-

...

Code Block
null('')

...

str

...

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...


url_file_

...

name

url_

...

file_name

str

...

-

...

threat_id

str

severity

-

Code Block
null('')

str

...

-

...

severity

...

-

...

Code Block
null('')

...

str

...

-

...

direction

...

-

...

Code Block
null('')

...

str

...

-

...

host

...


hostname	hostname	`str`
file_path	file_path	`str`
rawMessage	rawMessage	`str`
hostchain	hostchain	`str`	✓
tag	tag	`str`	✓

rw-tab

...

title	Table 7-

...

Code Block
null('')

...

str

...

-

...

path

...

-

...

Code Block
null('')

...

str

...

-

...

rawMessage

...

rawMessage

...

str

...

-

...

hostchain

...

hostchain

...

str

...

✓

...

tag

...

tag

...

str

...

✓

...

Field in union table

...

Field in source table

...

Field transformation

...

Data type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

timestamp

...

createdate

...

timestamp

...

-

...

recvdate

...

recvdate

...

timestamp

...

-

...

machine

...

machine

...

str

...

-

...

logType

...

logType

...

str

...

-

...

subType

...

subType

...

str

...

-

...

serial

...

serialNumber

...

str

...

-

...

srcIp

...

srcIp

...

ip4

...

-

...

dstIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

srcNatIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

dstNatIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

rule

...

12

[firewall.paloalto.iptag][firewall.paloalto.system][firewall.paloalto.threat][firewall.paloalto.traffic][firewall.paloalto.url][firewall.paloalto.userid]

firewall.paloalto.iptag
Anchor
firewall.paloalto.iptag
firewall.paloalto.iptag

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

timestamp

received_date

timestamp

machine

hostname

str

log_type

str

subtype

str

serial

str

source_ip

srcIp

Code Block
str(srcIp)

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

-

Code Block
null('')

str

...

-

...

srcUser

source_username	source_username		`str`
destination_username	destination_username		`str`

...

application

...

application

...

-

...

null('')

...

session

...

-

str

...

-

...

app

...

-

...

null('')

...

str

...

-

...

virtSys

...

vsys

...

str

...

-

...

srcZone

...

-

...

null('')

...

str

...

-

...

dstZone

...

-

...

null('')

...

str

...

-

...

srcIface

...

-

...

null('')

...

str

...

-

...

dstIface

...

-

...

null('')

...

str

...

-

...

logAction

...

-

...

null('')

...

str

...

-

...

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

...

-

...

repCnt

...

repeatCnt

...

int4(repeatCnt)

...

destination_port

-

...

srcPort

Code Block

...

null('')

...

str

source_nat_port

-

...

dstPort

Code Block

...

null(''

...

int4

...

-

...

srcNatPort

...

srcNatPort

...

int4

...

-

...

dstNatPort

...

dstNatPort

...

str

destination_nat_port

-

...

Code Block

...

-

null('')

str

flags

-

...

Code Block

...

-

null('')

str

...

protocol

str

action

-

Code Block
null('')

str

...

category

-

Code Block
null('')

str

...

-

...

seqno

...

actionFlags

...

sequence_number

int8

...

-

action_flags

str

...

device_name

...

deviceName

device_name

str

...


bytes_total	bytes_total

...

int8

...

int8

...

-

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

-

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

-

...

pkts

...

-

...

int4(null(''))

...

int4

...

-

...

srcCountry

...

-

...

null('')

...

str

...

-

...

dstCountry

...

-

...

null('')

...

str

...

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...


url_file_

...

name

url_

...

threatid

...

-

...

file_name

str

...

-

threat_id

str

...

-

...


severity	-

...

null('')

...

str

...

-

...

direction

Code Block
null('')

str

...

hostname

...

hostname

...

rawMessage

...

rawMessage

...

str

...

-

...

hostchain

...

str

...

-

...

result

...

-

...

null('')

...

str

...

-

...

path

...

-

...

null('')

...

str

...

-

file_path	file_path	`str`
rawMessage	rawMessage	`str`
hostchain	hostchain	`str`	✓
tag	tag	`str`	✓

...

Rw tab

title	Table 6-10

...

firewall.paloalto.system
Anchor
firewall.paloalto.system
firewall.paloalto.system

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`

...


timestamp	timestamp

...

recvdate

...

timestamp

...

-

received_date

timestamp

...


machine	machine

...

		`str`
log_type	log_type		`str`
subtype	subtype		`str`

...

serial

...

serial

...

str

...

-

...

subType

...

subType

...

str

...

-

...

serial

...

serial

...

str

...

-

...

srcIp

...

-

...

source_ip

client_ip

Code Block
str(client_ip)

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

...

str

destination_ipv4

ip4

source_nat_ip

-

...

Code Block

...

-

null('')

...

str

source_nat_ipv4

ip4

...

-

destination_nat_ip

-

Code Block

...

null('')

...

dstNatIp

...

-

...

1ip4(null(''))

...

ip4

...

ip4

...

-

...

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

-

...

srcUser

Code Block
null('')

str

...

-

...

dstUser

...

-

...


source_username	source_username	`str`
destination_username	destination_username	`str`

...

application

...

app

...

-

...

virtSys

...

-

...

application

str

...

-

...

srcNatPort

...

srcNatPort

...

int4

...

-

...

dstNatPort

...

dstNatPort

...

int4

...

-

...

flags

...

virtual_system

str

...

-

...

srcZone

...

-

...

null('')

...

str

...

-

...

dstZone

...

-

...

null('')

...

str

...

-

...

srcIface

...

-

...

null('')

...

str

...

-

...

dstIface

...

-

...

null('')

...

str

...

-

...

logAction

...

-

...

null('')

...

str

...

-

...

session

...

-

...

null('')

...

str

...

-

...

repCnt

...

-

...

int4(null(''))

...

int4

...

-

...

srcPort

...

-

...

int4(null(''))

...

int4

...

-

...

dstPort

...

-

...

int4(null(''))

...

int4

...

-

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

client_port

str

destination_port

-

Code Block
null('')

str

source_nat_port

-

Code Block
null('')

str

destination_nat_port

-

Code Block
null('')

str

flags

-

Code Block
null('')

str

...

protocol

...

protocol

...

-

...

null('')

...

str

action

-

Code Block
null('')

str

...

category

-

Code Block
null('')

str

...

-

...

seqno

...

sequence_number

int8

...

-

...

actionFlags

...

-

...

null('')

...

str

...

-

action_flags	action_flags		`str`
device_name	device_name		`str`

...


bytes_total	bytes

...

-

...

int8(null(''))

...

int8

...

-

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

-

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

-

...

pkts

...

-

...

int4(null(''))

...

int4

...

-

...

srcCountry

...

-

...

null('')

...

str

...

-

...

dstCountry

...

-

...

null('')

...

str

...

-

...

session_end_reason

...

-

...

null('')

...

str

...

-

...

url_filename

...

url_filename

...

str

...

-

...

threatid

...

rawMessage

...

rawMessage

...

str

...

-

...

hostchain

...

_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...

-

...

severity

...

-

...

null('')

...

str

...

-

...

direction

...

-

...

null('')

...

str

...

-

...

host

...

-

...

null('')

...

str

...

-

...

result

...

-

...

null('')

...

str

...

-

...

path

...

-

...

null('')

...

str

...

-

url_file_name	url_file_name	`str`
threat_id	threat_id	`str`
severity	severity	`str`
hostname	hostname	`str`
file_path	file_path	`str`
rawMessage	rawMessage	`str`
hostchain	hostchain	`str`	✓
tag	tag	`str`	✓

firewall.paloalto.threat
Anchor
firewall.paloalto.threat
firewall.paloalto.threat

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`

...


timestamp	timestamp	`timestamp`
received_date	received_date	`timestamp`

...

-

...

recvdate

...

recvdate

...

timestamp

...

-

...

machine

...

machine

...

str

...

-

...

logType

...

logType

...

str

...

-

...

subType

...

subType

...

str

...

-

...

serial

...

serial

...

str

...

-

...

srcIp

...

srcIp

...

ip4

...

-

...

dstIp

...

dstIp

...

ip4

...

-

...

srcNatIp

...

srcNatIp

...

ip4

...

-

...

dstNatIp

...

dstNatIp

...

ip4

...

-

...

rule

...

rule

...

str

...

-

...

srcUser

...

srcUser

...

str

...

-

...

dstUser

...

dstUser

...

str

...

-

...

app

...

app

...

str

...

-

...

virtSys

...

virtSys

...

str

...

-

...

srcZone

...

srcZone

...

str

...

-

...

dstZone

...

dstZone

...

str

...

-

...

srcIface

...

srcIface

...

str

...

-

...

dstIface

...

dstIface

...

str

...

-

...

logAction

...

logAction

...

str

...

-

...

session

...

session

...

str

...

-

...

repCnt

...

repCnt

...

int4

...

-

...

srcPort

...

srcPort

...

int4

...

-

...

dstPort

...

dstPort

...

int4

...

-

...

srcNatPort

...

srcNatPort

...

int4

...

-

...

dstNatPort

...

dstNatPort

...

int4

...

-

...

flags

...

flags

...

str

...

-

...

proto

...

proto

...

str

...

-

...

action

...

action

...

str

...

-

...

category

...

category

...

str

...

-

...

seqno

...

seqno

...

int8

...

-

...

actionFlags

...

actionflags

...

str

...

-

...

deviceName

...

deviceName

...

str

...

-

...

bytes

...

-

...

int8(null(''))

...

int8

...

-

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

-

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

-

...

pkts

...

-

...

int4(null(''))

...

int4

...

-

...

srcCountry

...

srcloc

...

str

...

-

...

dstCountry

...

dstloc

...

str

...

machine

str

log_type

str

subtype

str

serial

str

source_ip

srcIp

Code Block
str(srcIp)

str

source_ipv4

ip4

destination_ip

dstIp

Code Block
str(dstIp)

str

destination_ipv4

ip4

source_nat_ip

srcNatIp

Code Block
str(srcNatIp)

str

source_nat_ipv4

ip4

destination_nat_ip

dstNatIp

Code Block
str(dstNatIp)

str

destination_nat_ipv4

ip4

rule

str

session

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

srcPort

Code Block
str(srcPort)

str

destination_port

dstPort

Code Block
str(dstPort)

str

source_nat_port

srcNatPort

Code Block
str(srcNatPort)

str

destination_nat_port

dstNatPort

Code Block
str(dstNatPort)

str

flags

str

protocol

str

action

str

category

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...

-

url_file_

...

name

url_file_

...

name

str

...

-

...

threatid

threat_id

str

...

-

...

direction

...


severity	severity

...

str

...

-

...

result

...

-

...

str

...

-

...

host

...

-

...

null('')

...

str

...

-

hostname

str

...


file_path	file_path

...

-

...

null('')

str

...


rawMessage	rawMessage

...

str

...


hostchain	hostchain

...

	`str`	✓
tag	tag		`str`	✓

firewall.paloalto.traffic
Anchor
firewall.paloalto.traffic
firewall.paloalto.traffic

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`

...


timestamp	timestamp

...

recvdate

...

timestamp

...

-

received_date

timestamp

...


machine	machine

...

logType

...

		`str`
log_type	log_type		`str`
subtype	subtype		`str`
serial	serial		`str`

...

-

...

dstIp

...

dstIp

...

ip4

...

-

...

srcNatIp

...

srcNatIp

...

ip4

...

-

...

dstNatIp

...

dstNatIp

...

ip4

...

-

...

rule

...

rule

...

str

...

-

...

srcUser

...

srcUser

...

str

...

-

...

dstUser

...

dstUser

...

str

...

-

...

app

...

app

...

str

...

-

...

virtSys

...

virtSys

...

str

...

-

...

srcZone

...

srcZone

...

str

...

-

...

dstZone

...

dstZone

...

str

...

-

...

srcIface

...

srcIface

...

str

...

-

...

dstIface

...

dstIface

...

str

...

-

...

logAction

...

logAction

...

str

...

-

...

session

...

session

...

str

...

-

...

repCnt

...

repCnt

...

int4

...

-

...

srcPort

...

srcPort

...

int4

...

-

...

dstPort

...

dstPort

...

int4

...

-

...

srcNatPort

...

srcNatPort

...

int4

...

-

...

dstNatPort

...

dstNatPort

...

int4

...

-

...

flags

...

flags

...

str

...

-

...

proto

...

proto

...

str

...

-

...

action

...

action

...

str

...

-

...

category

...

category

...

str

...

-

...

seqno

...

seqno

...

int8

...

-

...

actionFlags

...

actionFlags

...

str

...

-

...

deviceName

...

device_name

...

str

...

-

...

bytes

...

bytes

...

int8

...

-

...

sentBytes

...

sentBytes

...

int8

...

-

...

recvBytes

...

recvBytes

...

int8

...

-

...

pkts

...

pkts

...

int4(pkts)

...

int4

...

-

...

srcCountry

...

srcCountry

...

str

...

-

...

dstCountry

...

dstCountry

...

str

...

source_ip

srcIp_str

str

...

-

...

subType

...

subType

...

str

...

-

...

serial

...

serial

...

str

...

-

...

srcIp

...

srcIp

...

ip4

...

-

source_ipv4

ip4

destination_ip

dstIp_str

str

destination_ipv4

ip4

source_nat_ip

srcNatIp

Code Block
str(srcNatIp)

str

source_nat_ipv4

ip4

destination_nat_ip

dstNatIp

Code Block
str(dstNatIp)

str

destination_nat_ipv4

ip4

rule

str

session

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

srcPort

Code Block
str(srcPort)

str

destination_port

dstPort

Code Block
str(dstPort)

str

source_nat_port

srcNatPort

Code Block
str(srcNatPort)

str

destination_nat_port

dstNatPort

Code Block
str(dstNatPort)

str

flags

str

protocol

str

action

str

category

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

str

...

-

url_

...

file_name

url_

...

threatid

...

-

...

null('')

...

str

...

file_name

str

...

-

...

threat_id	threat_id		`str`
severity	-

...

null('')

...

str

...

-

...

direction

Code Block
null('')

str

...

hostname

...

hostname

...

-

...

null('')

...

path

...

-

...

str

...

-

...

result

...

-

...

null('')

...

str

...

-

file_path

str

...


rawMessage	rawMessage

...

str

...


hostchain	hostchain

...

	`str`	✓
tag	tag		`str`	✓

firewall.paloalto.url
Anchor
firewall.paloalto.url
firewall.paloalto.url

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`

...


timestamp	timestamp

...

recvdate

...

timestamp

...

-

received_date

timestamp

...


machine	machine

...

srcCountry

...

srcloc

...

str

...

-

...

dstCountry

...

dstloc

...

str

...

		`str`
log_type	log_type		`str`
subtype	subtype		`str`
serial	serial		`str`

...

-

...

logType

...

logType

...

str

...

-

...

subType

...

subType

...

str

...

-

...

serial

...

serial

...

str

...

-

...

srcIp

...

srcIp

...

ip4

...

-

...

dstIp

...

dstIp

...

ip4

...

-

...

srcNatIp

...

srcNatIp

...

ip4

...

-

...

dstNatIp

...

dstNatIp

...

ip4

...

-

...

rule

...

rule

...

str

...

-

...

srcUser

...

srcUser

...

str

...

-

...

dstUser

...

dstUser

...

str

...

-

...

app

...

app

...

str

...

-

...

virtSys

...

virtSys

...

str

...

-

...

srcZone

...

srcZone

...

str

...

-

...

dstZone

...

dstZone

...

str

...

-

...

srcIface

...

srcIface

...

str

...

-

...

dstIface

...

dstIface

...

str

...

-

...

logAction

...

logAction

...

str

...

-

...

session

...

session

...

str

...

-

...

repCnt

...

repCnt

...

int4

...

-

...

srcPort

...

srcPort

...

int4

...

-

...

dstPort

...

dstPort

...

int4

...

-

...

srcNatPort

...

srcNatPort

...

int4

...

-

...

dstNatPort

...

dstNatPort

...

int4

...

-

...

flags

...

flags

...

str

...

-

...

proto

...

proto

...

str

...

-

...

action

...

action

...

str

...

-

...

category

...

category

...

str

...

-

...

seqno

...

seqno

...

int8

...

-

...

actionFlags

...

actionflags

...

str

...

-

...

deviceName

...

deviceName

...

str

...

-

...

bytes

...

-

...

int8(null(''))

...

int8

...

-

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

-

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

-

...

pkts

...

-

...

int4(null(''))

...

int4

...

-

source_ip

srcIp_str

str

source_ipv4

ip4

destination_ip

dstIp_str

str

destination_ipv4

ip4

source_nat_ip

srcNatIp

Code Block
str(srcNatIp)

str

source_nat_ipv4

ip4

destination_nat_ip

dstNatIp

Code Block
str(dstNatIp)

str

destination_nat_ipv4

ip4

rule

str

session

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

srcPort

Code Block
str(srcPort)

str

destination_port

dstPort

Code Block
str(dstPort)

str

source_nat_port

srcNatPort

Code Block
str(srcNatPort)

str

destination_nat_port

dstNatPort

Code Block
str(dstNatPort)

str

flags

str

protocol

str

action

str

category

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...


url_file_

...

name

url_

...

file_name

str

...

-

...

threatid

threat_id

str

...

direction

...

direction


severity	severity

...

str

...

-

str

...

hostname

...

host

...

-

...

path

...

-

...

hostname

str

...

-

...

result

...

-

...

null('')

...

str

...

-

file_path

str

...


rawMessage	rawMessage

...

str

...


hostchain	hostchain

...

	`str`	✓
tag	tag		`str`	✓

firewall.paloalto.userid
Anchor
firewall.paloalto.userid
firewall.paloalto.userid

Field in union table	Field in source table	Field transformation

...

Data type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

-

...

timestamp

...

timestamp

...

timestamp

...

-

...

recvdate

...

recvdate

...

timestamp

...

-

...

machine

...

machine

...

str

...

-

...

logType

...

logType

...

str

...

-

...

subType

...

subType

...

str

...

-

...

serial

...

serial

...

str

...

-

...

srcIp

...

srcIp

...

ip4

...

-

...

dstIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

srcNatIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

dstNatIp

...

-

...

ip4(null(''))

...

ip4

...

-

...

rule

...

-

...

null('')

...

str

...

-

...

srcUser

...

srcUser

...

str

...

-

...

dstUser

...

-

...

null('')

...

str

...

-

...

app

...

-

...

null('')

...

str

...

-

...

virtSys

...

virtSys

...

str

...

-

...

srcZone

...

-

...

null('')

...

str

...

-

...

dstZone

...

-

...

null('')

...

str

...

-

...

srcIface

...

-

...

null('')

...

str

...

-

...

dstIface

...

-

...

null('')

...

str

...

-

...

logAction

...

-

...

null('')

...

str

...

-

...

session

...

Type

Extra fields

eventdate

timestamp

timestamp

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

srcIp_str

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

-

Code Block
null('')

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

srcPort

Code Block
str(srcPort)

str

destination_port

dstPort

Code Block
str(dstPort)

str

source_nat_port

-

Code Block
null('')

str

destination_nat_port

-

...

Code Block

...

-

null('')

...

dstPort

...

dstPort

...

int4

...

-

...

srcNatPort

...

srcNatPort

...

int4

...

-

...

dstNatPort

...

dstNatPort

...

int4

...

-

...

flags

...

int4

...

-

...

srcPort

...

srcPort

...

int4

...

-

str

flags

-

Code Block
null('')

str

...

protocol

...

protocol

...

-

...

null('')

...

str

action

-

Code Block
null('')

str

...

category

-

Code Block
null('')

str

...

-

...

seqno

...

actionFlags

...

sequence_number

int8

...

-

...

action_flags

str

...

-

device_name

str

...


bytes_total	bytes

...

-

...

int8(null(''))

...

int8

...

-

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

-

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

-

...

pkts

...

-

...

int4(null(''))

...

int4

...

-

...

srcCountry

...

-

...

null('')

...

str

...

-

...

dstCountry

...

-

...

null('')

...

str

...

-

...

session_end_reason

...

-

...

null('')

...

str

...

-

...

url_filename

...

url_filename

...

str

...

-

...

threatid

...

-

...

severity

...

-

...

_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...

-

...

url_file_name

str

...

-

...

direction

...

-

...

null('')

...

threat_id	threat_id		`str`
severity	-

...

host

Code Block
null('')

str

...

hostname

...

hostname

...

-

...

null('')

str

...


file_path	file_path

...

-

...

null('')

str

...


rawMessage	rawMessage

...

str

...


hostchain	hostchain

...

	`str`	✓
tag	tag		`str`	✓

Versions Compared

Old Version 12

New Version Current

Key

Introduction

Source tables

Table structure

Field transformations

Introduction

Source tables

Table structure

Field transformations

firewall.paloalto.auth
Anchor
firewall.paloalto.auth
firewall.paloalto.auth

firewall.paloalto.config
Anchor
firewall.paloalto.config
firewall.paloalto.config

firewall.paloalto.correlation
Anchor
firewall.paloalto.correlation
firewall.paloalto.correlation

firewall.paloalto.

decryption
Anchor
firewall.paloalto.

decryption
firewall.paloalto.

decryption

firewall.paloalto.

globalprotect
Anchor
firewall.paloalto.

globalprotect
firewall.paloalto.

globalprotect

firewall.paloalto.

hipmatch
Anchor
firewall.paloalto.

hipmatch
firewall.paloalto.

hipmatch

firewall.paloalto.iptag
Anchor
firewall.paloalto.iptag
firewall.paloalto.iptag

firewall.paloalto.system
Anchor
firewall.paloalto.system
firewall.paloalto.system

firewall.paloalto.threat
Anchor
firewall.paloalto.threat
firewall.paloalto.threat

firewall.paloalto.traffic
Anchor
firewall.paloalto.traffic
firewall.paloalto.traffic

firewall.paloalto.url
Anchor
firewall.paloalto.url
firewall.paloalto.url

firewall.paloalto.userid
Anchor
firewall.paloalto.userid
firewall.paloalto.userid

Page Comparison

Versions Compared

Old Version 12

New Version Current

Key

Introduction

Source tables

Table structure

Field transformations

Introduction

Source tables

Table structure

Field transformations

firewall.paloalto.auth Anchorfirewall.paloalto.authfirewall.paloalto.auth

firewall.paloalto.config Anchorfirewall.paloalto.configfirewall.paloalto.config

firewall.paloalto.correlation Anchorfirewall.paloalto.correlationfirewall.paloalto.correlation

firewall.paloalto.

decryption Anchorfirewall.paloalto.

decryptionfirewall.paloalto.

decryption

firewall.paloalto.

globalprotect Anchorfirewall.paloalto.

globalprotectfirewall.paloalto.

globalprotect

firewall.paloalto.

hipmatch Anchorfirewall.paloalto.

hipmatchfirewall.paloalto.

hipmatch

firewall.paloalto.iptag Anchorfirewall.paloalto.iptagfirewall.paloalto.iptag

firewall.paloalto.system Anchorfirewall.paloalto.systemfirewall.paloalto.system

firewall.paloalto.threat Anchorfirewall.paloalto.threatfirewall.paloalto.threat

firewall.paloalto.traffic Anchorfirewall.paloalto.trafficfirewall.paloalto.traffic

firewall.paloalto.url Anchorfirewall.paloalto.urlfirewall.paloalto.url

firewall.paloalto.userid Anchorfirewall.paloalto.useridfirewall.paloalto.userid

firewall.paloalto.auth
Anchor
firewall.paloalto.auth
firewall.paloalto.auth

firewall.paloalto.config
Anchor
firewall.paloalto.config
firewall.paloalto.config

firewall.paloalto.correlation
Anchor
firewall.paloalto.correlation
firewall.paloalto.correlation

decryption
Anchor
firewall.paloalto.

decryption
firewall.paloalto.

globalprotect
Anchor
firewall.paloalto.

globalprotect
firewall.paloalto.

hipmatch
Anchor
firewall.paloalto.

hipmatch
firewall.paloalto.

firewall.paloalto.iptag
Anchor
firewall.paloalto.iptag
firewall.paloalto.iptag

firewall.paloalto.system
Anchor
firewall.paloalto.system
firewall.paloalto.system

firewall.paloalto.threat
Anchor
firewall.paloalto.threat
firewall.paloalto.threat

firewall.paloalto.traffic
Anchor
firewall.paloalto.traffic
firewall.paloalto.traffic

firewall.paloalto.url
Anchor
firewall.paloalto.url
firewall.paloalto.url

firewall.paloalto.userid
Anchor
firewall.paloalto.userid
firewall.paloalto.userid