Page Comparison

...

Table of Contents

minLevel	1
maxLevel	2
type	flat

Introduction

This union table collects information from a set of tables that contain events from Palo Alto Network's firewalls.

Source tables

The information displayed is extracted from the following tables:

Expand

title	Check source tables

firewall.paloalto.auth
firewall.paloalto.config
firewall.paloalto.correlation
firewall.paloalto.decryption
firewall.paloalto.globalprotect
firewall.paloalto.hipmatch
firewall.paloalto.iptag
firewall.paloalto.system
firewall.paloalto.threat
firewall.paloalto.traffic
firewall.paloalto.url
firewall.paloalto.userid

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Note

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

...

Field

...

Data type

...

Extra fields

...

eventdate

...

timestamp

...

-

...

timestamp

...

timestamp

...

-

...

recvdate

...

timestamp

...

machine

...

str

...

logType

...

str

...

subType

...

str

...

serial

...

str

...

srcIp

...

ip4

...

dstIp

...

ip4

...

srcNatIp

...

ip4

...

dstNatIp

...

ip4

...

rule

...

str

...

srcUser

...

str

...

dstUser

...

str

...

app

...

str

...

virtSys

...

str

...

srcZone

...

str

...

dstZone

...

str

...

srcIface

...

str

...

dstIface

...

str

...

logAction

...

str

...

session

...

str

...

repCnt

...

int4

...

srcPort

...

int4

...

dstPort

...

int4

...

srcNatPort

...

int4

...

Field

...

Data type

...

Extra fields

...

dstNatPort

...

int4

...

flags

...

str

...

proto

...

str

...

action

...

str

...

category

...

str

...

seqno

...

int8

...

actionFlags

...

str

...

deviceName

...

str

...

bytes

...

int8

...

sentBytes

...

int8

...

recvBytes

...

int8

...

pkts

...

int4

...

srcCountry

...

str

...

dstCountry

...

str

...

session_end_reason

...

str

...

url_filename

...

str

...

threatid

...

str

...

severity

...

str

...

direction

...

str

...

host

...

str

...

result

...

str

...

path

...

str

...

rawMessage

...

str

...

hostchain

...

str

...

✓

...

tag

...

str

...

✓

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.

...

Rw tab

title	Tables 1-6

[firewall.paloalto.auth][firewall.paloalto.config][firewall.paloalto.correlation] [firewall.paloalto.decryption][firewall.paloalto.globalprotect][firewall.paloalto.hipmatch]

...

Field in union table

...

Field in source table

...

Field transformation

...

Type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

timestamp

...

create_date

...

timestamp

...

recvdate

...

recv_date

...

timestamp

...

machine

...

machine

...

str

...

logType

...

log_type

...

str

...

subType

...

sub_type

...

str

...

serial

...

serial

...

str

...

srcIp

...

src_ip

...

ip4

...

dstIp

...

-

...

Code Block
ip4(null(''))

...

ip4

...

srcNatIp

...

srcNatIp

...

ip4

...

dstNatIp

...

dstNatIp

...

ip4

...

rule

...

-

...

Code Block
null('')

...

str

...

srcUser

...

src_user

...

str

...

dstUser

...

-

...

Code Block
null('')

...

str

...

app

...

-

...

Code Block
null('')

...

str

...

virtSys

...

vsys

...

str

...

srcZone

...

-

...

Code Block
null('')

...

str

...

Table of Contents

minLevel	1
maxLevel	2
type	flat

Introduction

This union table collects information from a set of tables that contain events from Palo Alto Network's firewalls.

Source tables

The information displayed is extracted from the following tables:

Expand

title	Check source tables

firewall.paloalto.auth
firewall.paloalto.config
firewall.paloalto.correlation
firewall.paloalto.decryption
firewall.paloalto.globalprotect
firewall.paloalto.hipmatch
firewall.paloalto.iptag
firewall.paloalto.system
firewall.paloalto.threat
firewall.paloalto.traffic
firewall.paloalto.url
firewall.paloalto.userid

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Note

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
timestamp	`timestamp`
received_date	`timestamp`	recvdate
machine	`str`
log_type	`str`	logType
subtype	`str`	subType
serial	`str`
source_ip	`str`
source_ipv4	`ip4`	srcIp
destination_ip	`str`
destination_ipv4	`ip4`	dstIp
source_nat_ip	`str`
source_nat_ipv4	`ip4`	srcNatIp
destination_nat_ip	`str`
destination_nat_ipv4	`ip4`	dstNatIp
rule	`str`
session	`str`
source_username	`str`	srcUser
destination_username	`str`	dstUser
application	`str`	app
virtual_system	`str`	virtSys
source_zone	`str`	srcZone
destination_zone	`str`	dstZone
source_interface	`str`	srcIface
destination_interface	`str`	dstIface
log_action	`str`	logAction
repeat_count	`int4`	repCnt
source_port	`str`
destination_port	`str`
source_nat_port	`str`
destination_nat_port	`str`
flags	`str`
protocol	`str`	proto
action	`str`
category	`str`
sequence_number	`int8`	seqno
action_flags	`str`	actionFlags
device_name	`str`	deviceName
bytes_total	`int8`	bytes
bytes_sent	`int8`	sentBytes
bytes_received	`int8`	recvBytes
packets_total	`int4`	pkts
source_geo_country_name	`str`	srcCountry
destination_geo_country_name	`str`	dstCountry
session_end_reason	`str`
url_file_name	`str`	url_filename
threat_id	`str`	threatid
severity	`str`
hostname	`str`	host
file_path	`str`	path
rawMessage	`str`
hostchain	`str`		✓
tag	`str`		✓

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.

Rw ui tabs macro

Rw tab

title	Tables 1-6

[firewall.paloalto.auth][firewall.paloalto.config][firewall.paloalto.correlation] [firewall.paloalto.decryption][firewall.paloalto.globalprotect][firewall.paloalto.hipmatch]

firewall.paloalto.auth
Anchor
firewall.paloalto.auth
firewall.paloalto.auth

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

create_date

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

src_ip_str

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

session_id

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

destination_port

-

Code Block
null('')

str

source_nat_port

-

Code Block
null('')

str

destination_nat_port

-

Code Block
null('')

str

flags

-

Code Block
null('')

str

protocol

str

action

-

Code Block
null('')

str

category

src_category

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_name

str

threat_id

str

severity

-

Code Block
null('')

str

hostname

str

file_path

str

rawMessage

str

hostchain

str

✓

tag

str

✓

firewall.paloalto.config
Anchor
firewall.paloalto.config
firewall.paloalto.config

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

-

Code Block
null('')

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

-

Code Block
null('')

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

...

destination_port

-

Code Block
null('')

str

...

srcPort

source_nat_port

-

Code Block
null('')

str

...

logAction

...

log_action

...

str

...

session

...

session_id

...

str

...

repCnt

...

rep_cnt

...

int4

destination_nat_port

-

Code Block
null(

...

'')

...

str

...

flags

-

Code Block
null(

...

'')

...

str

...

protocol

...

dstNatPort

...

dstNatPort

...

int4

...

protocol

...

int4

...

action

str

action

-

Code Block
null('')

str

...

proto

...

auth_proto

...

str

category

-

Code Block
null(''

...

str

...

category

...

src_category

...

str

...

sequence_number

...

sequence_

...

number

...

int8

...

int8

...


action_flags	action_flags		`str`

...


device_name	device_name	`str`
bytes_total

...

bytes_total

...

int8

...

int8

...

sentBytes

...

-

...

Code Block
null(int8(0))

...

int8

...

recvBytes

...

-

...

Code Block
null(int8(0))

...

int8

...

pkts

...

-

...

Code Block
null(0)

...

int4

...

srcCountry

...

-

...

Code Block
null('')

...

str

...

dstCountry

...

-

...

Code Block
null('')

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_

...

name

url_file_

...

severity

...

-

...

Code Block
null('')

...

str

...

direction

...

-

...

Code Block
null('')

...

str

...

name

str

...

threatid

...

-

...

Code Block
null('')

...

str

threat_id

str

severity

-

Code Block
null('')

str

...

hostname

...

-

...

hostname		`str`
file_path

...

-

file_path		`str`
rawMessage	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.paloalto.

...

correlation
Anchor
firewall.paloalto.

...

correlation
firewall.paloalto.

...

correlation

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`
timestamp	timestamp		`timestamp`

...

recvdate

...

subType

...

subType

...

str

...

serial

...

serial

...

str

...

srcIp

...

-

...


received_date	received_date	`timestamp`
machine	machine	`str`
log_type	log_type	`str`
subtype	subtype	`str`

...

logType

...

logType

...

str

serial

str

source_ip

srcIp_str

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

...

str

destination_ipv4

ip4

...


source_nat_ip	-

...

Code Block
null('')

...

str

source_nat_ipv4

ip4

...

destination_nat_ip

-

Code Block

...

null(''

...

str

destination_nat_ipv4

ip4

...

rule

-

Code Block

...

null('')

...

str

...

session

-

Code Block
null('')

str

...

srcUser

...

-

...

null('')

...

str

...

dstUser

...

-

...

null('')

...

str

...

app

...

-

...

null('')

...

str

...

virtSys

...

vsys

...

str

...

srcZone

...

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

...

destination_port

-

Code Block
null('')

str

...

source_nat_port

-

Code Block
null('')

str

...

destination_nat_port

-

Code Block
null('')

str

...

flags

-

Code Block
null('')

str

...

protocol

...

-

protocol

str

...


action	-

...

Code Block

...

null(''

...

str

...

category

-

Code Block

...

null('')

...

int4

...

dstPort

...

-

...

int4(null(''))

...

int4

...

srcNatPort

...

srcNatPort

...

int4

...

dstNatPort

...

dstNatPort

...

int4

...

flags

...

-

...

null('')

...

str

...

proto

...

-

...

null('')

...

str

...

action

...

actionFlags

...

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...

category

...

-

...

null('')

...

str

...

seqno

...

seqno

...

int8

url_file_name

str

threat_id

str

severity

-

Code Block
null('')

str

hostname

str

...

file_path

...

file_

...

Field in union table

...

Field in source table

...

Field transformation

...

Data type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

timestamp

...

timestamp

...

timestamp

...

recvdate

...

recvdate

...

timestamp

...

machine

...

machine

...

str

...

logType

...

logType

...

str

...

subType

...

subType

...

str

...

serial

...

serial

...

str

...

srcIp

...

srcIp

...

ip4

...

dstIp

...

-

...

ip4(null(''))

...

ip4

...

srcNatIp

...

-

...

ip4(null(''))

...

ip4

...

dstNatIp

...

-

...

ip4(null(''))

...

ip4

...

rule

...

-

...

null('')

...

str

...

srcUser

...

srcUser

...

str

...

dstUser

...

-

...

null('')

...

str

...

app

...

-

...

null('')

...

str

...

virtSys

...

vsys

...

str

...

srcZone

...

-

...

null('')

...

str

...

dstZone

...

-

...

null('')

...

str

...

srcIface

...

-

...

null('')

...

str

...

dstIface

...

-

...

null('')

...

str

...

logAction

...

-

...

null('')

...

str

...

session

...

path

str

...

bytes

...

-

...

int8(null(''))

...

int8

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

pkts

...

-

...

int4(null(''))

...

int4

...

srcCountry

...

-

...

null('')

...

str

...

dstCountry

...

-

...

null('')

...

str

...

session_end_reason

...

-

...

null('')

...

str

...

url_filename

...

url_filename

...

str

...

threatid

...

-

...

null('')

...

str

...

severity

...

-

...

null('')

...

str

...

direction

...

-

...

null('')

...

str

...

host

...

host

...

str

...

result

...

result

...

str

...

path

...

path

...

str

...

rawMessage

...

rawMessage

...

str

...

hostchain

...

hostchain

...

str

...

✓

...

tag

...

tag

...

str

...

✓

...

dstNatPort

...

dstNatPort

...

int4

...

flags

...

-

...

null('')

...

str

...

proto

...

-

...

null('')

...

str

...

action

...

-

...

null('')

...

str

...

category

...

-

...

null('')

...

str

...

seqno

...

-

...

int8(null(''))

...

int8

...

actionFlags

...

rawMessage	rawMessage	`str`
hostchain	hostchain	`str`	✓
tag	tag	`str`	✓

firewall.paloalto.decryption
Anchor
firewall.paloalto.decryption
firewall.paloalto.decryption

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

time_generated

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

src

str

source_ipv4

ip4

destination_ip

dst

str

destination_ipv4

ip4

source_nat_ip

nat_src

str

source_nat_ipv4

ip4

destination_nat_ip

nat_dst

str

destination_nat_ipv4

ip4

rule

str

session

session_id

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

src_port

str

destination_port

dst_port

str

source_nat_port

nat_src_port

str

destination_nat_port

nat_dst_port

str

flags

str

protocol

str

action

str

category

-

Code Block
null('')

str

...

repCnt

...

-

...

int4(null(''))

...

int4

...

srcPort

...

-

...

int4(null(''))

...

int4

...

dstPort

...

-

...

int4(null(''))

...

int4

...

srcNatPort

...

srcNatPort

...

int4

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

...

deviceName

...


url_file_name	url_file_name		`str`

...


threat_id	threat_id	`str`
severity	-

...

Code Block
null('')

...

int8

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

pkts

...

-

...

int4(null(''))

...

int4

...

srcCountry

...

-

...

null('')

...

str

...

dstCountry

...

-

...

null('')

...

str

...

session_end_reason

...

-

...

null('')

...

str

...

url_filename

...

url_filename

...

str

...

threatid

...

-

...

null('')

...

str

...

severity

...

-

...

null('')

...

str

...

direction

...

-

...

null('')

...

str

...

host

...

-

...

null('')

...

str

...

result

...

-

...

null('')

...

str

...

path

...

-

...

null('')

...

str

...

rawMessage

...

rawMessage

...

str

...

hostchain

...

hostchain

...

str

...

✓

...

tag

...

tag

...

str

...

✓

...

Field in union table

...

Field in source table

...

Field transformation

...

Data type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

timestamp

...

time_generated

...

timestamp

...

recvdate

...

receive_time

...

timestamp

...

machine

...

machine

...

str

...

logType

...

logtype

...

str

...

subType

...

subtype

...

str

...

serial

...

serial

...

str

...

srcIp

...

src_ip4

...

ip4

...

dstIp

...

dst_ip4

...

ip4

...

srcNatIp

...

srcNatIp

...

ip4

...

dstNatIp

...

dstNatIp

...

ip4

...

rule

...

rule

...

str

...

srcUser

...

src_user

...

str

...

dstUser

...

dst_user

...

str

...

app

...

app

...

str

...

virtSys

...

vsys

...

str

...

srcZone

...

src_zone

...

str

...

dstZone

...

dst_zone

...

str

...

srcIface

...

inbound_if

...

str

...

dstIface

...

outbound_if

...

str

...

logAction

...

log_set

...

str

...

session

...

session_id

...

str

...

repCnt

...

repeat_cnt

...

int4

...

srcPort

...

src_port

...

Code Block
int4(src_port)

...

int4

...

dstPort

...

dst_port

...

Code Block
int4(dst_port)

...

int4

...

srcNatPort

...

srcNatPort

...

int4

...

dstNatPort

...

dstNatPort

...

int4

...

flags

...

flags

...

str

...

proto

...

proto

...

str

...

action

...

str

hostname

str

file_path

str

rawMessage

str

hostchain

str

✓

tag

str

✓

firewall.paloalto.globalprotect
Anchor
firewall.paloalto.globalprotect
firewall.paloalto.globalprotect

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

createdate

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

public_ip

public_ipv6

Code Block
isnotnull(public_ip) ? str(public_ip) : public_ipv6

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

-

Code Block
null('')

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

destination_port

-

Code Block
null('')

str

source_nat_port

-

Code Block
null('')

str

destination_nat_port

-

Code Block
null('')

str

flags

-

Code Block
null('')

str

protocol

str

action

-

Code Block
null('')

str

category

-

Code Block
null('')

str

...

seqno

...

seqno

...


sequence_number	sequence_number		`int8`

...


action_flags	action_flags		`str`

...


device_name	device_name	`str`
bytes_total

...

bytes_total

...

int8

...

int8

...

sentBytes

...

-

...

Code Block
null(int8(0))

...

int8

...

recvBytes

...

-

...

Code Block
null(int8(0))

...

int8

...

pkts

...

-

...

Code Block
null(int4(0))

...

int4

...

srcCountry

...

-

...

Code Block
null('')

...

str

...

dstCountry

...

-

...

Code Block
null('')

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_

...

file_name

url_file_

...

str

...

threatid

...

-

...

Code Block
null('')

...

str

...

severity

...

-

...

Code Block
null('')

...

str

...

direction

...

-

...

Code Block
null('')

...

str

...

name

str

threat_id

str

severity

-

Code Block
null('')

str

...

hostname

...

-

...

hostname		`str`
file_path

...

-

file_path		`str`
rawMessage	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.paloalto.

...

hipmatch
Anchor
firewall.paloalto.

...

hipmatch
firewall.paloalto.

...

Field in union table

...

Field in source table

...

Field transformation

...

Data type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

timestamp

...

createdate

...

timestamp

...

recvdate

...

recvdate

...

timestamp

...

machine

...

machine

...

str

...

logType

...

logType

...

str

...

subType

...

subType

...

str

...

serial

...

serialnumber

...

str

...

srcIp

...

srcIp

...

ip4

...

dstIp

...

-

...

Code Block
ip4(null(''))

...

ip4

...

srcNatIp

...

-

...

Code Block
ip4(null(''))

...

ip4

...

dstNatIp

...

-

...

Code Block
ip4(null(''))

...

ip4

...

rule

...

-

...

Code Block
null('')

...

str

...

srcUser

...

srcUser

...

str

...

dstUser

...

-

...

Code Block
null('')

...

str

...

app

...

-

...

Code Block
null('')

...

str

...

virtSys

...

vsys

...

str

...

srcZone

...

-

...

Code Block
null('')

...

str

...

hipmatch

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

createdate

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

serialNumber

str

source_ip

srcIp_str

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

-

Code Block
null('')

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

...

destination_port

-

Code Block
null('')

str

...

source_nat_port

-

Code Block
null('')

str

...

destination_nat_port

-

Code Block
null('')

str

...

flags

-

Code Block
null('')

str

...

protocol

...

protocol

...

Code Block
int4(repeatcnt)

...

int4

str

action

-

Code Block

...

null('')

...

str

...

category

-

Code Block

...

null(''

...

str

...

srcNatPort

sequence_number

...

int8

...

dstNatPort

action_flags

...

Field in union table

...

Field in source table

...

Field transformation

...

Data type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

timestamp

...

createdate

...

timestamp

...

recvdate

...

recvdate

...

timestamp

...

machine

...

machine

...

str

...

logType

...

logType

...

str

...

subType

...

subType

...

str

...

serial

...

serialNumber

...

str

...

srcIp

...

srcIp

...

ip4

...

dstIp

...

-

...

ip4(null(''))

...

ip4

...

srcNatIp

...

-

...

ip4(null(''))

...

ip4

...

dstNatIp

...

-

...

ip4(null(''))

...

ip4

...

rule

...

-

...

null('')

...

str

...

srcUser

...

srcUser

...

str

...

dstUser

...

-

...

null('')

...

str

...

app

...

-

...

null('')

...

str

...

virtSys

...

vsys

...

str

...

srcZone

...

-

...

null('')

...

str

...

dstZone

...

-

...

null('')

...

str

...

srcIface

...

-

...

null('')

...

str

...

dstIface

...

str

...

flags

...

-

...

Code Block
null('')

...

str

...

proto

...

-

...

Code Block
null('')

...

str

...

action

...

-

...

Code Block
null('')

...

str

...

category

...

-

...

Code Block
null('')

...

str

...

seqno

...

seqno

...

int8

...

actionFlags

...

actionflags

...

str

...

deviceName

...

machinename

...

str

...

bytes

...

-

...

Code Block
int8(null(''))

...

int8

...

sentBytes

...

-

...

Code Block
int8(null(''))

...

int8

...

recvBytes

...

-

...

Code Block
int8(null(''))

...

int8

...

pkts

...

-

...

Code Block
int4(null(''))

...

int4

...

srcCountry

...

-

...

Code Block
null('')

...

str

...

dstCountry

...

-

...

Code Block
null('')

...

str

...

session_end_reason

...

-

...

Code Block
null('')

...

str

...

url_filename

...

url_filename

...

str

...

threatid

...

-

...

Code Block
null('')

...

str

...

severity

...

-

...

Code Block
null('')

...

str

...

direction

...

-

...

Code Block
null('')

...

str

...

host

...

host

...

str

...

result

...

-

...

Code Block
null('')

...

str

...

path

...

-

...

Code Block
null('')

...

str

...

rawMessage

...

rawMessage

...

str

...

hostchain

...

hostchain

...

str

...

✓

...

tag

...

tag

...

str

...

✓

...

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_name

str

threat_id

str

severity

-

Code Block
null('')

str

hostname

str

file_path

str

rawMessage

str

hostchain

str

✓

tag

str

✓

Rw tab

title	Table 7-12

[firewall.paloalto.iptag][firewall.paloalto.system][firewall.paloalto.threat][firewall.paloalto.traffic][firewall.paloalto.url][firewall.paloalto.userid]

firewall.paloalto.iptag
Anchor
firewall.paloalto.iptag
firewall.paloalto.iptag

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

timestamp

received_date

timestamp

machine

hostname

str

log_type

str

subtype

str

serial

str

source_ip

srcIp

Code Block
str(srcIp)

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

-

Code Block
null('')

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

-

Code Block
null('')

str

...

destination_port

-

Code Block
null('')

str

...

srcPort

...

-

...

source_nat_port

-

Code Block
null('')

str

...

repCnt

...

repeatCnt

...

int4(repeatCnt)

...

int4

destination_nat_port

-

Code Block
null(''

...

str

...

dstNatPort

...

dstNatPort

...

int4

...

flags

...


flags	-

...

int4(null(''))

...

int4

...

srcNatPort

...

srcNatPort

...

int4

Code Block
null('')

str

...

protocol

...

-

protocol

str

action

-

Code Block
null('')

str

category

-

Code Block
null('')

str

...

seqno

...

seqno

...

int8

...

actionFlags

...

actionflags

...

str

...


sequence_number	sequence_number	`int8`
action_flags	action_flags	`str`
device_name	device_name	`str`
bytes

...

-

...

int8(null(''))

...

int8

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

pkts

...

-

...

int4(null(''))

...

int4

...

srcCountry

...

-

...

null('')

...

str

...

dstCountry

...

-

...

_total

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_

...

name

url_

...

str

...

threatid

...

-

...

file_name

str

...

severity

...

-

...


threat_id	threat_id		`str`

...

severity

-

Code Block
null('')

str

...

result

...

-

...

null('')

...

str

...

path

...

-

...

hostname

...

host

...

str

hostname		`str`
file_path	file_path		`str`
rawMessage	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag

...

str

...

✓

Rw tab

title	Table 7-12

...

str

✓

firewall.paloalto.

...

system
Anchor
firewall.paloalto.

...

system
firewall.paloalto.

...

system

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`
timestamp	timestamp		`timestamp`

...

recvdate

...

received_date	received_date		`timestamp`
machine	machine

...

hostname

...

str

...

logType

...

logType

...

str

...

subType

...

threatType

...

str

...

serial

...

serial

...

str

...

srcIp

...

srcIp

...

ip4

str

log_type

str

subtype

str

serial

str

source_ip

client_ip

Code Block
str(client_ip)

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null(

...

srcNatIp

...

srcNatIp

...

ip4

...

dstNatIp

...

dstNatIp

...

ip4

...

'')

...

ip4

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('

...

str

...

')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

...

srcPort

...

-

...

Code Block
null(int4(0))

...

int4

...

dstPort

...

-

...

Code Block
null(int4(0))

...

int4

...

srcNatPort

...

srcNatPort

...

int4

...

dstNatPort

...

dstNatPort

...

int4

...

session

-

Code Block
null('')

str

...

app

...

-

...

Code Block
null('')

...

str

...

virtSys

...

vsys

...

str

...

srcZone

...

-

...

Code Block
null('')

...

str

...

dstZone

...

-

...

Code Block
null('')

...

str

...

srcIface

...

-

...

Code Block
null('')

...

str

...

dstIface

...

-

...

Code Block
null('')

...

str

...

logAction

...

-

...

Code Block
null('')

...

str

...

session

...

-

...

Code Block
null('')

...

str

...

repCnt

...

repeatCount

...

int4

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

client_port

str

destination_port

-

Code Block
null('')

str

source_nat_port

-

Code Block
null('')

str

...

destination_nat_port

-

Code Block
null('')

str

...

flags

-

Code Block
null('')

str

...

protocol

str

action

-

Code Block
null('')

str

...

category

-

Code Block
null(

...

int8

...

actionFlags

...

actionflags

...

str

...

'')

str

sequence_number

int8

action_flags

str

device_name

str

bytes

...

-

...

Code Block
null(int8(0))

...

int8

...

sentBytes

...

-

...

Code Block
null(int8(0))

...

int8

...

recvBytes

...

-

...

Code Block
null(int8(0))

...

int8

...

pkts

...

-

...

Code Block
null(int4(0))

...

int4

...

srcCountry

...

-

...

Code Block
null('')

...

str

...

dstCountry

...

-

...

_total

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_

...

name

url_file_

...

name

str

...

threatid

...

-

threat_id	threat_id		`str`
severity

...

severity

...

Code Block
null('')

str

...

hostname

...

-

...

result

...

-

...

Code Block
null('')

...

str

...

path

...

-

...

hostname

str

...

host

...

-

...

Code Block
null('')

...

str

file_path	file_path	`str`
rawMessage	rawMessage	`str`
hostchain	hostchain	`str`	✓
tag	tag	`str`	✓

firewall.paloalto.

...

threat
Anchor
firewall.paloalto.

...

threat
firewall.paloalto.

...

threat

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`
timestamp	timestamp		`timestamp`

...

recvdate

received_date	received_date		`timestamp`
machine	machine		`str`

...

logType

...

logType

...

str

...

subType

...

subType

...

str

...

serial

...

serial

...

str

...

srcIp

...

-

...

1ip4(null(''))

...

ip4

...

dstIp

...

-

...

1ip4(null(''))

...

ip4

...

srcNatIp

...

-

...

1ip4(null(''))

...

ip4

...

dstNatIp

...

-

...

1ip4(null(''))

...

ip4

...

rule

...

-

...

null('')

...

str

...

srcUser

...

-

...

null('')

...

str

...

dstUser

...

-

...

null('')

...

str

...

app

...

-

...

null('')

...

str

...

virtSys

...

-

...

null('')

...

str

...

srcZone

...

-

...

null('')

...

str

...

dstZone

...

-

...

null('')

...

str

...

srcIface

...

-

...

null('')

...

str

...

dstIface

...

-

...

null('')

...

str

...

logAction

...

-

...

null('')

...

str

...

session

...

-

...

null('')

...

str

...

repCnt

...

-

...

int4(null(''))

...

int4

...

srcPort

...

-

...

int4(null(''))

...

int4

...

dstPort

...

-

...

int4(null(''))

...

int4

...

srcNatPort

...

srcNatPort

...

int4

...

dstNatPort

...

dstNatPort

...

int4

...

flags

...

-

...

null('')

...

str

...

proto

...

-

...

null('')

...

str

...

action

...

-

...

null('')

...

str

...

category

...

-

...

null('')

...

str

...

seqno

...

seqno

...

int8

...

actionFlags

...

-

...

null('')

...

str

...

deviceName

...

device_name

...

str

...

bytes

...

-

...

int8(null(''))

...

int8

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

pkts

...

-

...

int4(null(''))

...

int4

...

srcCountry

...

-

...

null('')

...

str

...

dstCountry

...

-

...

log_type

str

subtype

str

serial

str

source_ip

srcIp

Code Block
str(srcIp)

str

source_ipv4

ip4

destination_ip

dstIp

Code Block
str(dstIp)

str

destination_ipv4

ip4

source_nat_ip

srcNatIp

Code Block
str(srcNatIp)

str

source_nat_ipv4

ip4

destination_nat_ip

dstNatIp

Code Block
str(dstNatIp)

str

destination_nat_ipv4

ip4

rule

str

session

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

srcPort

Code Block
str(srcPort)

str

destination_port

dstPort

Code Block
str(dstPort)

str

source_nat_port

srcNatPort

Code Block
str(srcNatPort)

str

destination_nat_port

dstNatPort

Code Block
str(dstNatPort)

str

flags

str

protocol

str

action

str

category

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_

...

name

url_

...

file_name

str

...

threatid

...

-

threat_id	threat_id		`str`
severity

...

-

...

null('')

...

str

...

direction

...

-

...

null('')

...

str

...

host

...

-

...

severity

str

...

hostname

...

-

...

hostname		`str`
file_path

...

-

file_path		`str`
rawMessage	rawMessage		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓

firewall.paloalto.

...

traffic
Anchor
firewall.paloalto.

...

traffic
firewall.paloalto.

...

traffic

Field in union table	Field in source table	Field transformation

...

Type	Extra fields
eventdate	eventdate		`timestamp`
timestamp	timestamp		`timestamp`

...

recvdate

received_date	received_date		`timestamp`
machine	machine		`str`

...

logType

...


log_type	log_type		`str`

...


subtype	subtype

...

	`str`
serial	serial

...

str

...

srcIp

...

srcIp

...

ip4

...

dstIp

...

dstIp

...

ip4

...

srcNatIp

...

srcNatIp

...

ip4

...

dstNatIp

...

dstNatIp

...

ip4

...

rule

...

rule

...

str

...

srcUser

...

srcUser

...

str

...

dstUser

...

dstUser

...

str

...

app

...

app

...

str

...

virtSys

...

virtSys

...

str

...

srcZone

...

srcZone

...

str

...

dstZone

...

dstZone

...

str

...

srcIface

...

srcIface

...

str

...

dstIface

...

dstIface

...

str

...

logAction

...

logAction

...

str

...

session

...

session

...

str

...

repCnt

...

repCnt

...

int4

...

srcPort

...

srcPort

...

int4

...

dstPort

...

dstPort

...

int4

...

srcNatPort

...

srcNatPort

...

int4

...

dstNatPort

...

dstNatPort

...

int4

...

flags

...

flags

...

str

...

proto

...

proto

...

str

...

action

...

action

...

str

...

category

...

category

...

str

...

seqno

...

seqno

...

int8

...

actionFlags

...

actionflags

...

str

...

deviceName

...

deviceName

...

str

...

bytes

...

-

...

int8(null(''))

...

int8

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

pkts

...

-

...

int4(null(''))

...

int4

...

srcCountry

...

srcloc

...

str

...

dstCountry

...

dstloc

...

str

...

session_end_reason

...

-

...

null('')

...

str

...

url_filename

...

url_filename

...

str

...

threatid

...

threatid

...

str

...

severity

...

severity

...

str

...

direction

...

direction

...

str

...

host

...

-

...

null('')

...

str

...

result

...

-

...

null('')

...

str

...

path

...

-

...

null('')

...

str

...

rawMessage

...

rawMessage

...

str

...

hostchain

...

hostchain

...

str

...

✓

...

tag

...

tag

...

str

...

✓

...

Field in union table

...

Field in source table

...

Field transformation

...

Data type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

timestamp

...

timestamp

...

timestamp

...

recvdate

...

recvdate

...

timestamp

...

machine

...

machine

...

str

...

logType

...

logType

...

str

...

subType

...

subType

...

str

...

serial

...

serial

...

str

...

srcIp

...

srcIp

...

ip4

...

dstIp

...

dstIp

...

ip4

...

srcNatIp

...

srcNatIp

...

ip4

...

dstNatIp

...

dstNatIp

...

ip4

...

rule

...

rule

...

str

...

srcUser

...

srcUser

...

str

...

dstUser

...

dstUser

...

str

...

app

...

app

...

str

...

virtSys

...

virtSys

...

str

...

srcZone

...

srcZone

...

str

...

dstZone

...

dstZone

...

str

...

srcIface

...

srcIface

...

str

...

dstIface

...

dstIface

...

str

...

logAction

...

logAction

...

str

...

session

...

session

...

str

...

repCnt

...

repCnt

...

int4

...

srcPort

...

srcPort

...

int4

...

dstPort

...

dstPort

...

int4

...

srcNatPort

...

srcNatPort

...

int4

...

dstNatPort

...

dstNatPort

...

int4

...

flags

...

flags

...

str

...

proto

...

proto

...

str

...

action

...

action

...

str

...

category

...

category

...

str

...

seqno

...

seqno

...

int8

...

actionFlags

...

actionFlags

...

str

...

deviceName

...

device_name

...

str

...

bytes

...

bytes

...

int8

...

sentBytes

...

sentBytes

...

int8

...

recvBytes

...

recvBytes

...

int8

...

pkts

...

pkts

...

int4(pkts)

...

int4

...

srcCountry

...

srcCountry

...

str

...

dstCountry

...

dstCountry

...

str

...

session_end_reason

...

session_end_reason

...

str

...

url_filename

...

url_filename

...

str

...

threatid

...

-

...

null('')

...

str

...

severity

...

-

...

null('')

...

str

...

direction

...

-

...

null('')

...

str

...

host

...

-

...

null('')

...

str

...

result

...

-

...

null('')

...

str

...

path

...

-

...

null('')

...

str

...

rawMessage

...

rawMessage

...

str

...

hostchain

...

hostchain

...

str

...

✓

...

tag

...

tag

...

str

...

✓

...

Field in union table

...

Field in source table

...

Field transformation

...

Data type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

timestamp

...

timestamp

...

timestamp

...

recvdate

...

recvdate

...

timestamp

...

machine

...

machine

...

str

...

logType

...

logType

...

str

...

subType

...

subType

...

str

...

serial

...

serial

...

str

...

srcIp

...

srcIp

...

ip4

...

dstIp

...

dstIp

...

ip4

...

srcNatIp

...

srcNatIp

...

ip4

...

dstNatIp

...

dstNatIp

...

ip4

...

rule

...

rule

...

str

...

srcUser

...

srcUser

...

str

...

dstUser

...

dstUser

...

str

...

app

...

app

...

str

...

virtSys

...

virtSys

...

str

...

srcZone

...

srcZone

...

str

...

dstZone

...

dstZone

...

str

...

srcIface

...

srcIface

...

str

...

dstIface

...

dstIface

...

str

...

logAction

...

logAction

...

str

...

session

...

session

...

str

...

repCnt

...

repCnt

...

int4

...

srcPort

...

srcPort

...

int4

...

dstPort

...

dstPort

...

int4

...

srcNatPort

...

srcNatPort

...

int4

...

dstNatPort

...

dstNatPort

...

int4

...

flags

...

flags

...

str

...

proto

...

proto

...

str

...

action

...

action

...

str

...

category

...

category

...

str

...

seqno

...

seqno

...

int8

...

actionFlags

...

actionflags

...

str

...

deviceName

...

deviceName

...

str

...

bytes

...

-

...

int8(null(''))

...

int8

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

pkts

...

-

...

int4(null(''))

...

int4

...

srcCountry

...

srcloc

...

str

...

dstCountry

...

dstloc

...

str

...

session_end_reason

...

-

...

null('')

...

str

...

url_filename

...

url_filename

...

str

...

threatid

...

threatid

...

str

...

severity

...

severity

...

str

...

direction

...

direction

...

str

...

host

...

-

...

null('')

...

str

...

result

...

-

...

null('')

...

str

...

path

...

-

...

null('')

...

str

...

rawMessage

...

rawMessage

...

str

...

hostchain

...

hostchain

...

str

...

✓

...

tag

...

tag

...

str

...

✓

...

Field in union table

...

Field in source table

...

Field transformation

...

Data type

...

Extra fields

...

eventdate

...

eventdate

...

timestamp

...

timestamp

...

timestamp

...

timestamp

...

recvdate

...

recvdate

...

timestamp

...

machine

...

machine

...

str

...

logType

...

logType

...

str

...

subType

...

subType

...

str

...

serial

...

serial

...

str

...

srcIp

...

srcIp

...

ip4

...

dstIp

...

-

...

ip4(null(''))

...

ip4

...

srcNatIp

...

-

...

ip4(null(''))

...

ip4

...

dstNatIp

...

-

...

ip4(null(''))

...

ip4

...

rule

...

-

...

null('')

...

str

...

srcUser

...

srcUser

...

str

...

dstUser

...

-

...

null('')

...

str

...

app

...

-

...

null('')

...

str

...

virtSys

...

virtSys

...

str

...

srcZone

...

-

...

null('')

...

str

...

dstZone

...

-

...

null('')

...

str

...

srcIface

...

-

...

null('')

...

str

...

dstIface

...

-

...

null('')

...

str

...

logAction

...

-

...

null('')

...

str

...

session

...

-

...

null('')

...

str

...

repCnt

...

-

...

int4(null(''))

...

int4

...

srcPort

...

srcPort

...

int4

...

dstPort

...

dstPort

...

int4

...

srcNatPort

...

srcNatPort

...

int4

...

dstNatPort

...

dstNatPort

...

int4

...

flags

...

-

...

null('')

...

str

...

proto

...

-

...

null('')

...

str

...

action

...

-

...

actionFlags

...

actionFlags

...

str

...

str

source_ip

srcIp_str

str

source_ipv4

ip4

destination_ip

dstIp_str

str

destination_ipv4

ip4

source_nat_ip

srcNatIp

Code Block
str(srcNatIp)

str

source_nat_ipv4

ip4

destination_nat_ip

dstNatIp

Code Block
str(dstNatIp)

str

destination_nat_ipv4

ip4

rule

str

session

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

srcPort

Code Block
str(srcPort)

str

destination_port

dstPort

Code Block
str(dstPort)

str

source_nat_port

srcNatPort

Code Block
str(srcNatPort)

str

destination_nat_port

dstNatPort

Code Block
str(dstNatPort)

str

flags

str

protocol

str

action

str

category

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

str

url_file_name

str

threat_id

str

severity

-

Code Block
null('')

str

hostname

str

file_path

str

rawMessage

str

hostchain

str

✓

tag

str

✓

firewall.paloalto.url
Anchor
firewall.paloalto.url
firewall.paloalto.url

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

srcIp_str

str

source_ipv4

ip4

destination_ip

dstIp_str

str

destination_ipv4

ip4

source_nat_ip

srcNatIp

Code Block
str(srcNatIp)

str

source_nat_ipv4

ip4

destination_nat_ip

dstNatIp

Code Block
str(dstNatIp)

str

destination_nat_ipv4

ip4

rule

str

session

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

srcPort

Code Block
str(srcPort)

str

destination_port

dstPort

Code Block
str(dstPort)

str

source_nat_port

srcNatPort

Code Block
str(srcNatPort)

str

destination_nat_port

dstNatPort

Code Block
str(dstNatPort)

str

flags

str

protocol

str

action

str

category

str

sequence_number

int8

action_flags

str

device_name

str

bytes_total

int8

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_name

str

threat_id

str

severity

str

hostname

str

file_path

str

rawMessage

str

hostchain

str

✓

tag

str

✓

firewall.paloalto.userid
Anchor
firewall.paloalto.userid
firewall.paloalto.userid

Field in union table

Field in source table

Field transformation

Type

Extra fields

eventdate

timestamp

timestamp

timestamp

received_date

timestamp

machine

str

log_type

str

subtype

str

serial

str

source_ip

srcIp_str

str

source_ipv4

ip4

destination_ip

-

Code Block
null('')

str

destination_ipv4

ip4

source_nat_ip

-

Code Block
null('')

str

source_nat_ipv4

ip4

destination_nat_ip

-

Code Block
null('')

str

destination_nat_ipv4

ip4

rule

-

Code Block
null('')

str

session

-

Code Block
null('')

str

source_username

str

destination_username

str

application

str

virtual_system

str

source_zone

str

destination_zone

str

source_interface

str

destination_interface

str

log_action

str

repeat_count

int4

source_port

srcPort

Code Block
str(srcPort)

str

destination_port

dstPort

Code Block
str(dstPort)

str

source_nat_port

-

Code Block
null('')

str

destination_nat_port

-

Code Block
null('')

str

flags

-

Code Block
null('')

str

protocol

str

action

-

Code Block
null('')

str

category

-

Code Block
null('')

str

...

seqno

...

seqno

...

int8

sequence_number	sequence_number	`int8`
action_flags	action_flags	`str`
device_name	device_name	`str`
bytes_total	bytes_total

...

int8

...

int8

...

sentBytes

...

-

...

int8(null(''))

...

int8

...

recvBytes

...

-

...

int8(null(''))

...

int8

...

pkts

...

-

...

int4(null(''))

...

int4

...

srcCountry

...

-

...

null('')

...

str

...

dstCountry

...

-

...

bytes_sent

int8

bytes_received

int8

packets_total

int4

source_geo_country_name

str

destination_geo_country_name

str

session_end_reason

-

Code Block
null('')

str

url_file_

...

name

url_file_

...

name

str

...

threatid

...

-

threat_id	threat_id		`str`
severity	-

...

null('')

...

str

...

direction

...

-

Code Block
null('')

str

...

hostname

...

-

...

path

...

-

...

null('')

hostname

str

...

result

...

-

...

null('')

...

str

file_path	file_path	`str`
rawMessage	rawMessage	`str`
hostchain	hostchain	`str`	✓
tag	tag	`str`	✓

Versions Compared

Old Version 13

New Version Current

Key

Introduction

Source tables

Table structure

Field transformations

Introduction

Source tables

Table structure

Field transformations

firewall.paloalto.auth
Anchor
firewall.paloalto.auth
firewall.paloalto.auth

firewall.paloalto.config
Anchor
firewall.paloalto.config
firewall.paloalto.config

firewall.paloalto.

correlation
Anchor
firewall.paloalto.

correlation
firewall.paloalto.

correlation

firewall.paloalto.decryption
Anchor
firewall.paloalto.decryption
firewall.paloalto.decryption

firewall.paloalto.globalprotect
Anchor
firewall.paloalto.globalprotect
firewall.paloalto.globalprotect

firewall.paloalto.

hipmatch
Anchor
firewall.paloalto.

hipmatch
firewall.paloalto.

hipmatch

firewall.paloalto.iptag
Anchor
firewall.paloalto.iptag
firewall.paloalto.iptag

firewall.paloalto.

system
Anchor
firewall.paloalto.

system
firewall.paloalto.

system

firewall.paloalto.

threat
Anchor
firewall.paloalto.

threat
firewall.paloalto.

threat

firewall.paloalto.

traffic
Anchor
firewall.paloalto.

traffic
firewall.paloalto.

traffic

firewall.paloalto.url
Anchor
firewall.paloalto.url
firewall.paloalto.url

firewall.paloalto.userid
Anchor
firewall.paloalto.userid
firewall.paloalto.userid

Page Comparison

Versions Compared

Old Version 13

New Version Current

Key

Introduction

Source tables

Table structure

Field transformations

Introduction

Source tables

Table structure

Field transformations

firewall.paloalto.auth Anchorfirewall.paloalto.authfirewall.paloalto.auth

firewall.paloalto.config Anchorfirewall.paloalto.configfirewall.paloalto.config

firewall.paloalto.

correlation Anchorfirewall.paloalto.

correlationfirewall.paloalto.

correlation

firewall.paloalto.decryption Anchorfirewall.paloalto.decryptionfirewall.paloalto.decryption

firewall.paloalto.globalprotect Anchorfirewall.paloalto.globalprotectfirewall.paloalto.globalprotect

firewall.paloalto.

hipmatch Anchorfirewall.paloalto.

hipmatchfirewall.paloalto.

hipmatch

firewall.paloalto.iptag Anchorfirewall.paloalto.iptagfirewall.paloalto.iptag

firewall.paloalto.

system Anchorfirewall.paloalto.

systemfirewall.paloalto.

system

firewall.paloalto.

threat Anchorfirewall.paloalto.

threatfirewall.paloalto.

threat

firewall.paloalto.

traffic Anchorfirewall.paloalto.

trafficfirewall.paloalto.

traffic

firewall.paloalto.url Anchorfirewall.paloalto.urlfirewall.paloalto.url

firewall.paloalto.userid Anchorfirewall.paloalto.useridfirewall.paloalto.userid

firewall.paloalto.auth
Anchor
firewall.paloalto.auth
firewall.paloalto.auth

firewall.paloalto.config
Anchor
firewall.paloalto.config
firewall.paloalto.config

correlation
Anchor
firewall.paloalto.

correlation
firewall.paloalto.

firewall.paloalto.decryption
Anchor
firewall.paloalto.decryption
firewall.paloalto.decryption

firewall.paloalto.globalprotect
Anchor
firewall.paloalto.globalprotect
firewall.paloalto.globalprotect

hipmatch
Anchor
firewall.paloalto.

hipmatch
firewall.paloalto.

firewall.paloalto.iptag
Anchor
firewall.paloalto.iptag
firewall.paloalto.iptag

system
Anchor
firewall.paloalto.

system
firewall.paloalto.

threat
Anchor
firewall.paloalto.

threat
firewall.paloalto.

traffic
Anchor
firewall.paloalto.

traffic
firewall.paloalto.

firewall.paloalto.url
Anchor
firewall.paloalto.url
firewall.paloalto.url

firewall.paloalto.userid
Anchor
firewall.paloalto.userid
firewall.paloalto.userid