...
The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and is determined dynamically by the rule you define in the Devo Relay. The fourth level is only used in some specific cases.
Technology | Brand | Type | Subtype
---|---|---|---
firewall | paloalto | config, system, threat, traffic, correlation, hipmatch, url, userid | Parser version (config only): v1, v2, v3. Format: leef, json

Parser version. The v1, v2 and v3 levels are only used with firewall.paloalto.config. They indicate the parser version: depending on the Palo Alto firewall version used by each client, some fields can arrive in a different order, so this tag level tells the parser which field order to expect. The possible values are:

v1: the default value, also used if no value is set at this level. The parser uses the default field order (fields affected: seqno, actionflags, beforechangedetail and afterchangedetail).

v2: indicates that the fields beforechangedetail and afterchangedetail are not part of the event; they are ignored and initialized with null.

v3: indicates that the fields beforechangedetail and afterchangedetail come before the seqno and actionflags fields.

Format. The leef level is only used with specific tables. Those tables allow sending events in LEEF format instead of the default CSV format; to indicate this, all such logs must carry an additional tag level, leef. Threats can also have logs in JSON format, indicated by the tag level json at the end.
These are the valid tags and the corresponding data tables that receive the parsers' data:

Tag | Data table
---|---
firewall.paloalto.all | firewall.paloalto.all
 | firewall.paloalto.auth
firewall.paloalto.config.json, firewall.paloalto.config.leef, firewall.paloalto.config.v2, firewall.paloalto.config.v3 | firewall.paloalto.config
firewall.paloalto.correlation | firewall.paloalto.correlation
firewall.paloalto.decryption | firewall.paloalto.decryption
 | firewall.paloalto.globalprotect
firewall.paloalto.hipmatch | firewall.paloalto.hipmatch
firewall.paloalto.iptag | firewall.paloalto.iptag
 | firewall.paloalto.system
 | firewall.paloalto.threat
firewall.paloalto.traffic, firewall.paloalto.traffic.json, firewall.paloalto.traffic.leef | firewall.paloalto.traffic
 | firewall.paloalto.url
 | firewall.paloalto.userid

Note: firewall.paloalto.all is a union table that collects events from a set of tables for easy access and analysis. Learn more about union tables in this article.
For more information, read more about Devo tags.
How is the data sent to Devo?
Since there is no functionality to apply the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and then forwarded securely to the Devo Cloud.
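The two passages above describe a tagging scheme (fixed firewall.paloalto prefix, a third level derived from the event's log type, an optional fourth level for the config parser version or the leef/json format) and state that the Devo Relay is where that decision is made. The following Python is an added example, not code from Devo or from this page, of what such a relay rule has to do: read the PAN-OS Type column out of a raw CSV event and compose and validate the tag according to the rules stated above. The mapping from PAN-OS Type values to the third tag level (PAN_TYPE_TO_LEVEL) and the sample events are assumptions constructed for the example; the page leaves the rule itself to you.

```python
import csv
import io

# Third tag level: the log types from the Type column plus the table names
# listed on this page (auth, decryption, globalprotect, iptag).
LOG_TYPES = {"auth", "config", "correlation", "decryption", "globalprotect",
             "hipmatch", "iptag", "system", "threat", "traffic", "url", "userid"}
# Fourth level for config: parser version. v1 is the default and is never written.
CONFIG_VERSIONS = {"v1", "v2", "v3"}
FORMATS = {"csv", "leef", "json"}

# ASSUMED mapping from the PAN-OS "Type" CSV column to the third tag level.
# It stands in for the rule you define in the Devo Relay; adjust it as needed.
PAN_TYPE_TO_LEVEL = {
    "TRAFFIC": "traffic", "THREAT": "threat", "SYSTEM": "system",
    "CONFIG": "config", "CORRELATION": "correlation", "HIP-MATCH": "hipmatch",
    "USERID": "userid", "DECRYPTION": "decryption",
    "GLOBALPROTECT": "globalprotect", "IPTAG": "iptag", "AUTHENTICATION": "auth",
}


def pan_type(line: str) -> str:
    """Return the PAN-OS Type field of one CSV syslog event (upper-cased).

    PAN-OS CSV layout starts: FUTURE_USE, Receive Time, Serial, Type, Subtype.
    The csv module is used so that a quoted comma inside a free-text field
    (e.g. a SYSTEM description) cannot shift the Type column.
    """
    row = next(csv.reader(io.StringIO(line)))
    if len(row) < 5:
        raise ValueError("not a PAN-OS CSV event: fewer than 5 fields")
    return row[3].strip().upper()


def build_tag(log_type: str, *, config_version: str = "v1",
              fmt: str = "csv") -> str:
    """Compose firewall.paloalto.<type>[.<v2|v3> | .<leef|json>]."""
    if log_type not in LOG_TYPES:
        raise ValueError(f"unknown log type {log_type!r}")
    if config_version not in CONFIG_VERSIONS:
        raise ValueError(f"unknown config parser version {config_version!r}")
    if fmt not in FORMATS:
        raise ValueError(f"unknown format {fmt!r}")
    if config_version != "v1" and log_type != "config":
        raise ValueError("the parser version level applies only to config events")
    if config_version != "v1" and fmt != "csv":
        # The page lists .v2/.v3 and .leef/.json as separate tags and never
        # combined, so this helper refuses to stack them.
        raise ValueError("cannot combine parser version and format levels")
    levels = ["firewall", "paloalto", log_type]
    if config_version != "v1":
        levels.append(config_version)
    if fmt != "csv":
        levels.append(fmt)
    return ".".join(levels)


def tag_for_line(line: str, **kwargs) -> str:
    """Tag one raw CSV event the way a relay rule would."""
    level = PAN_TYPE_TO_LEVEL.get(pan_type(line))
    if level is None:
        raise ValueError("no tag rule for this PAN-OS log type")
    return build_tag(level, **kwargs)


def valid_tag(tag: str) -> bool:
    """Check an arbitrary tag string against the structure described above."""
    levels = tag.split(".")
    if len(levels) < 3 or levels[:2] != ["firewall", "paloalto"]:
        return False
    if levels[2] not in LOG_TYPES:
        return False
    rest = levels[3:]
    if not rest:
        return True
    if len(rest) != 1:
        return False
    if rest[0] in ("v2", "v3"):
        return levels[2] == "config"
    return rest[0] in ("leef", "json")


# Constructed sample events (RFC 5737 addresses, made-up serial number).
SAMPLE_TRAFFIC = ("1,2024/01/15 10:00:01,001234567890,TRAFFIC,end,2561,"
                  "2024/01/15 10:00:01,192.0.2.5,198.51.100.7,0.0.0.0,0.0.0.0,"
                  "allow-web,,,web-browsing,vsys1,trust,untrust")
SAMPLE_SYSTEM = ("1,2024/01/15 10:00:02,001234567890,SYSTEM,general,0,"
                 "2024/01/15 10:00:02,,general,general,0,0,general,informational,"
                 "\"Auth for user admin, from 192.0.2.9 succeeded\"")

if __name__ == "__main__":
    for line in (SAMPLE_TRAFFIC, SAMPLE_SYSTEM):
        print(tag_for_line(line))
    print(build_tag("config", config_version="v3"))
    print(build_tag("traffic", fmt="leef"))
```

The quoted-comma case in SAMPLE_SYSTEM is the one to watch in a real relay rule: a naive split on commas would read the wrong column for any event whose description contains a comma, and the event would then be tagged to the wrong table or dropped.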
...
firewall.paloalto.auth

Field | Type | Extra fields
---|---|---
eventdate | timestamp |
machine | str |
leef_ver | str |
vendor | str |
product | str |
version | str |
event_id | str |
recv_date | timestamp |
serial | str |
log_type | str |
sub_type | str |
conf_ver | str |
create_date | timestamp |
vsys | str |
src_ip | ip4 |
src_ip_str | str |
src_user | str |
normalize_user | str |
object | str |
auth_policy | str |
rep_cnt | int4 |
mfa_auth_id | str |
mfa_vendor | str |
log_action | str |
auth_server_profile | str |
auth_description | str |
client_type | str |
auth_event | str |
auth_factor_no | str |
seq_no | str |
action_flags | str |
dg_hier_level_1 | str |
dg_hier_level_2 | str |
dg_hier_level_3 | str |
dg_hier_level_4 | str |
vsys_name | str |
device_name | str |
vsys_id | str |
auth_proto | str |
rule_matched_uuid | str |
high_res_timestamp | timestamp |
src_category | str |
src_profile | str |
src_model | str |
src_vendor | str |
src_osfamily | str |
src_osversion | str |
src_host | str |
src_mac | str |
service_region | str |
user_agent | str |
session_id | str |
dev_time_format | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
firewall.paloalto.config

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | str | | |
timestamp | timestamp | | |
recvdate | timestamp | | |
serial | str | | |
subType | str | | |
host | str | | |
vsys | str | | |
cmd | str | | |
admin | str | | |
adminClient | str | | |
result | str | | |
path | str | | |
seqno | int8 | | |
actionflags | str | | |
beforechangedetail | str | | |
afterchangedetail | str | | |
dev_group_hierarchy_1 | int8 | `int(dev_group_hierarchy_1_aux)` | dev_group_hierarchy_1_aux |
dev_group_hierarchy_2 | int8 | `int(dev_group_hierarchy_2_aux)` | dev_group_hierarchy_2_aux |
dev_group_hierarchy_3 | int8 | `int(dev_group_hierarchy_3_aux)` | dev_group_hierarchy_3_aux |
dev_group_hierarchy_4 | int8 | `int(dev_group_hierarchy_4_aux)` | dev_group_hierarchy_4_aux |
virtual_sys_name | str | | |
device_name | str | | |
device_group | str | | |
audit_comment | str | | |
high_res_timestamp | timestamp | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | | ✓
firewall.paloalto.correlation

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
future_use_1 | str | |
recvdate | timestamp | receive_time |
serial | str | |
logType | str | type |
subType | str | subtype |
future_use_2 | str | |
timestamp | timestamp | time_generated |
srcIp | ip4 | ip |
srcIp_str | str | |
srcUser | str | user |
category | str | |
severity | str | |
dg_hier_level_1 | int8 | |
dg_hier_level_2 | int8 | |
dg_hier_level_3 | int8 | |
dg_hier_level_4 | int8 | |
vsys_name | str | |
device_name | str | |
vsys_id | str | |
objectname | str | |
object_id | str | |
evidence | str | |
hostchain | str | | ✓
tag | str | | ✓
rawMessage | str | |
firewall.paloalto.decryption

Field | Type | Extra fields
---|---|---
eventdate | timestamp |
machine | str |
receive_time | timestamp |
serial | str |
logtype | str |
subtype | str |
config_ver | str |
time_generated | timestamp |
src | str |
src_ip4 | ip4 |
dst | str |
dst_ip4 | ip4 |
nat_src | str |
nat_src_ip4 | ip4 |
nat_dst | str |
nat_dst_ip4 | ip4 |
rule | str |
src_user | str |
dst_user | str |
app | str |
vsys | str |
src_zone | str |
dst_zone | str |
inbound_if | str |
outbound_if | str |
log_set | str |
time_received | timestamp |
session_id | str |
repeat_cnt | int4 |
src_port | str |
dst_port | str |
nat_src_port | str |
nat_dst_port | str |
flags | str |
proto | str |
action | str |
tunnel | str |
src_uuid | str |
dst_uuid | str |
rule_uuid | str |
hs_stage_c2f | str |
hs_stage_f2s | str |
tls_version | str |
tls_keyxchg | str |
tls_enc | str |
tls_auth | str |
policy_name | str |
ec_curve | str |
err_index | str |
root_status | str |
chain_status | str |
proxy_type | str |
cert_serial | str |
finger_print | str |
cert_start_date | timestamp |
cert_end_date | timestamp |
cert_ver | str |
cert_size | int4 |
cn_len | int4 |
issuer_len | int4 |
root_cn_len | int4 |
sni_len | int4 |
cert_flags | str |
cn | str |
issuer_cn | str |
root_cn | str |
sni | str |
error | str |
container_id | str |
pod_namespace | str |
pod_name | str |
src_edl | str |
dst_edl | str |
src_dag | str |
dst_dag | str |
high_res_timestamp | str |
src_category | str |
src_profile | str |
src_model | str |
src_vendor | str |
src_osfamily | str |
src_osversion | str |
src_host | str |
src_mac | str |
dst_category | str |
dst_profile | str |
dst_model | str |
dst_vendor | str |
dst_osfamily | str |
dst_osversion | str |
dst_host | str |
dst_mac | str |
seqno | str |
action_flags | str |
dg_hier_level_1 | int8 |
dg_hier_level_2 | int8 |
dg_hier_level_3 | int8 |
dg_hier_level_4 | int8 |
vsys_name | str |
device_name | str |
vsys_id | str |
app_subcategory | str |
app_category | str |
app_technology | str |
app_risk | int4 |
app_characteristic | str |
app_container | str |
app_saas | str |
app_sanctioned_state | str |
cluster_name | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
firewall.paloalto.globalprotect

Field | Type | Extra fields
---|---|---
eventdate | timestamp |
machine | str |
leefVer | str |
vendor | str |
product | str |
version | str |
recvdate | timestamp |
serial | str |
subType | str |
createdate | timestamp |
vsys | str |
eventId | str |
stage | str |
auth_method | str |
tunnel_type | str |
srcuser | str |
srcregion | str |
machinename | str |
public_ip | ip4 |
public_ipv6 | str |
private_ip | ip4 |
private_ipv6 | str |
hostid | str |
serialnumber | str |
client_ver | str |
client_os | str |
client_os_ver | str |
repeatcnt | int4 |
reason | str |
error | str |
description | str |
status | str |
location | str |
login_duration | int8 |
connect_method | str |
error_code | str |
portal | str |
seqno | str |
actionflags | str |
profile_token | str |
attempted_gateways | str |
dg_hier_level_1 | str |
dg_hier_level_2 | str |
dg_hier_level_3 | str |
dg_hier_level_4 | str |
gateway | str |
gateway_priority | str |
gateway_selection_type | str |
device_name | str |
ssl_response_time | int8 |
high_res_timestamp | timestamp |
vsys_id | str |
vsys_name | str |
dev_time_format | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str |
firewall.paloalto.hipmatch

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
leefVer | str | |
vendor | str | |
product | str | |
version | str | |
eventID | str | |
recvdate | timestamp | |
serial | str | |
logType | str | |
subType | str | |
createdate | timestamp | |
srcUser | str | |
vsys | str | |
host | str | |
os | str | |
srcIp | ip4 | |
srcIp_str | str | |
matchName | str | |
repeatCnt | str | |
matchType | str | |
seqno | int8 | |
actionflags | str | |
dev_group_hierarchy_1 | str | |
dev_group_hierarchy_2 | str | |
dev_group_hierarchy_3 | str | |
dev_group_hierarchy_4 | str | |
virtual_sys_name | str | |
device_name | str | |
vsys_id | str | |
srcIpv6 | str | |
hostId | str | |
serialNumber | str | |
profile_token | str | |
tenant_id | str | |
is_duplicate_log | bool | |
log_exported | bool | |
log_forwarded | bool | |
is_prisma_networks | bool | |
is_prisma_users | bool | |
log_source | str | |
log_source_tz_offset | str | |
source | str | |
source_device_category | str | |
source_device_class | str | |
source_device_host | str | |
source_device_mac | str | |
source_device_model | str | |
source_device_os | str | |
source_device_osfamily | str | |
source_device_osversion | str | |
source_device_profile | str | |
source_device_vendor | str | |
source_user_domain | str | |
source_user_name | str | |
source_user_uuid | str | |
high_res_timestamp | timestamp | |
device_identification_timestamp | timestamp | |
uuid | str | |
dev_time_format | str | |
message | str | rawMessage |
hostchain | str | | ✓
tag | str | | ✓
rawMessage | str | | ✓
firewall.paloalto.iptag

Field | Type | Extra fields
---|---|---
eventdate | timestamp |
hostname | str |
recvdate | timestamp |
serial | str |
threatType | int4 |
timestamp | timestamp |
vsys | str |
srcIp | ip4 |
tagName | str |
eventId | str |
repeatCount | int4 |
timeout | int4 |
data_source_name | str |
data_source_type | str |
data_source_subtype | str |
seqno | int8 |
actionflags | str |
dev_group_hierarchy_1 | int4 |
dev_group_hierarchy_2 | int4 |
dev_group_hierarchy_3 | int4 |
dev_group_hierarchy_4 | int4 |
virtual_sys_name | str |
device_name | str |
virtual_sys_id | int4 |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
firewall.paloalto.system

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | str | | |
timestamp | timestamp | | |
recvdate | timestamp | | |
serial | str | | |
subType | str | | |
vsys | str | | |
eventId | str | | |
object | str | | |
future_use_4 | str | | |
future_use_5 | str | | |
module | str | | |
severity | str | | |
description | str | | opaque |
client_ip | ip4 | | |
client_port | str | | |
user_name | str | | |
seqno | int8 | | |
actionflags | str | | |
dev_group_hierarchy_1 | int8 | | |
dev_group_hierarchy_2 | int8 | | |
dev_group_hierarchy_3 | int8 | | |
dev_group_hierarchy_4 | int8 | | |
virtual_sys_name | str | | |
log_source_name | str | | |
device_name | str | | |
reason | str | | |
protocol | str | | |
high_res_timestamp | timestamp | `ifthenelse(isnotnull(high_res_timestamp_fmt), parsedate(high_res_timestamp_tmp, dateformat(high_res_timestamp_fmt)), null(timestamp(0)))` | high_res_timestamp_fmt, high_res_timestamp_tmp |
username | | | |
srcIp | ip4 | | |
status | | | |
vsys | str | | |
server_profile | str | | |
idp_entity_id | str | | |
lease_ip_address | str | | |
lease_hardware_address | str | | |
src_host | str | | |
interface | str | | |
lease_time_of | str | | |
server_ip | str | | |
server_mask | str | | |
gateway | str | | |
dns1 | str | | |
dns2 | str | | |
dns_sufix | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | | ✓
firewall.paloalto.threat

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | str | | |
timestamp | timestamp | | createdate |
recvdate | timestamp | | |
serial | str | | |
subType | str | | |
vendor | str | | |
product | str | | |
version | str | | |
event_id | int8 | | |
delimiter | str | | |
srcIp | ip4 | | |
dstIp | ip4 | | |
srcNatIp | ip4 | | srcXIp |
dstNatIp | ip4 | | dstXIp |
srcIp_str | str | | |
rule | str | | |
srcUser | str | | |
dstUser | str | | |
app | str | | |
virtSys | str | | |
srcZone | str | | |
dstZone | str | | |
srcIface | str | | |
dstIface | str | | |
logForwardingProfile | str | | |
logAction | str | | |
session | str | | |
repCnt | int4 | | |
srcPort | int4 | | |
dstPort | int4 | | |
srcNatPort | int4 | | srcXPort |
dstNatPort | int4 | | dstXPort |
flags | str | | |
proto | str | | |
action | str | | |
url_filename | str | | misc |
threatid | str | | |
category | str | | |
severity | str | | |
sevNum | str | | |
direction | str | | |
seqno | int8 | | |
actionflags | str | | |
srcloc | str | | |
dstloc | str | | |
cpadding | int4 | | |
contenttype | str | | |
pcap_id | str | | |
src_category | str | | |
dst_category | str | | |
threatname | str | | |
pcapId | int8 | | pcadId |
fileDigest | str | | |
cloud | str | | |
urlIdx | int4 | | |
userAgent | str | | |
fileType | str | | |
xff | str | | |
referer | str | | |
sender | str | | |
subject | str | | |
recipient | str | | |
reportid | int8 | | |
dgHierLevel1 | int4 | | |
dgHierLevel2 | int4 | | |
dgHierLevel3 | int4 | | |
dgHierLevel4 | int4 | | |
vsysName | str | | |
deviceName | str | | |
srcVMuuid | str | | |
dstVMuuid | str | | |
httpMethod | str | | |
tunnelIDimsi | str | | |
monitorTagIMEI | str | | |
parentSessID | int8 | | |
parentStartTime | timestamp | | |
tunnel | str | | |
thrCategory | str | | |
contentver | str | | |
sctpAssociationID | int8 | | |
payloadProtocolID | int8 | | |
httpHeaders | str | | |
url | str | | |
urlCategory | str | | |
urlCategoryList | str | | |
uuidForRule | str | | |
http2Connection | str | | |
dynusergroup_name | str | | |
xff_ip | str | | |
src_profile | str | | |
src_model | str | | |
src_vendor | str | | |
src_osfamily | str | | |
src_osversion | str | | |
src_host | str | | |
src_mac | str | | |
dst_profile | str | | |
dst_model | str | | |
dst_vendor | str | | |
dst_osfamily | str | | |
dst_osversion | str | | |
dst_host | str | | |
dst_mac | str | | |
container_id | str | | |
pod_namespace | str | | |
src_edl | str | | |
dst_edl | str | | |
hostid | str | | |
serialnumber | str | | |
domain_edl | str | | |
src_dag | str | | |
dst_dag | str | | |
partial_hash | str | | |
high_res_timestamp | timestamp | | |
nsdsai_sst | str | | |
log_type | str | | |
xff_address | str | | |
source_external_dynamic_list | str | | |
destination_external_dynamic_list | str | | |
source_dynamic_address_group | str | | |
destination_dynamic_address_group | str | | |
justification | str | | |
slice_service_type | str | | |
application_subcategory | str | | |
application_category | str | | |
application_technology | str | | |
application_risk | str | | |
application_characteristic | str | | |
application_container | str | | |
tunneled_application | str | | |
application_saas | str | | |
application_sanctioned_state | str | | |
cloud_report_id | str | | |
cluster_name | str | | |
flow_type | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | |
firewall.paloalto.traffic

Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | timestamp | | |
machine | str | | |
timestamp | timestamp | | createdate |
recvdate | timestamp | | |
serial | str | | |
subType | str | | |
srcIp | ip4 | | |
dstIp | ip4 | | |
srcNatIp | ip4 | | srcXIp |
dstNatIp | ip4 | | dstXIp |
srcIp_str | str | | |
dstIp_str | str | | |
rule | str | | |
srcUser | str | | |
dstUser | str | | |
app | str | | |
virtSys | str | | |
srcZone | str | | |
dstZone | str | | |
srcIface | str | | |
dstIface | str | | |
logAction | str | | |
session | str | | |
repCnt | int4 | | |
srcPort | int4 | | |
dstPort | int4 | | |
srcNatPort | int4 | | srcXPort |
dstNatPort | int4 | | dstXPort |
flags | str | | |
proto | str | | |
action | str | | |
bytes | int8 | | |
sentBytes | int8 | | |
recvBytes | int8 | | |
pkts | int4 | | |
startdate | timestamp | | |
elapsedTime | int8 | | |
category | str | | |
padding | int4 | | |
seqno | int8 | | |
actionFlags | str | | |
srcCountry | str | | |
dstCountry | str | | |
cpadding | int4 | | |
sentPkts | int4 | | |
recvPkts | int4 | | |
session_end_reason | str | | |
dg_hier_level_1 | int4 | | |
dg_hier_level_2 | int4 | | |
dg_hier_level_3 | int4 | | |
dg_hier_level_4 | int4 | | |
vsys_name | str | | |
device_name | str | | |
action_source | str | | |
srcVMuuid | str | | |
dstVMuuid | str | | |
tunnelIDimsi | str | | |
monitorTagIMEI | str | | |
parentSessID | int4 | | |
parentStartTime | timestamp | | |
tunnel | str | | |
sctpAssociationID | int4 | | |
sctpChunks | int8 | | |
sctpChunksSent | int8 | | |
sctpChunksReceived | int8 | | |
uuidForRule | str | | |
http2Connection | str | | |
link_change_count | str | | |
policy_id | str | | |
link_switches | str | | |
sdwan_cluster | str | | |
sdwan_device_type | str | | |
sdwan_cluster_type | str | | |
sdwan_site | str | | |
dynusergroup_name | str | | |
xff_ip | str | | |
src_category | str | | |
src_profile | str | | |
src_model | str | | |
src_vendor | str | | |
src_osfamily | str | | |
src_osversion | str | | |
src_host | str | | |
src_mac | str | | |
dst_category | str | | |
dst_profile | str | | |
dst_model | str | | |
dst_vendor | str | | |
dst_osfamily | str | | |
dst_osversion | str | | |
dst_host | str | | |
dst_mac | str | | |
container_id | str | | |
pod_namespace | str | | |
pod_name | str | | |
src_edl | str | | |
dst_edl | str | | |
hostid | str | | |
serialnumber | str | | |
src_dag | str | | |
dst_dag | str | | |
session_owner | str | | |
high_res_timestamp | timestamp | `ifthenelse(isnotnull(high_res_timestamp_fmt), parsedate(high_res_timestamp_tmp, dateformat(high_res_timestamp_fmt)), null(timestamp(0)))` | high_res_timestamp_fmt, high_res_timestamp_tmp |
nsdsai_sst | str | | |
nsdsai_sd | str | | |
app_category | str | | |
app_subcategory | str | | |
app_technology | str | | |
app_risk | int4 | | |
app_characteristic | str | | |
app_container | str | | |
app_tunneled | str | | |
app_saas | str | | |
app_sanctioned_state | str | | |
offloaded | str | | |
flow_type | str | | |
cluster_name | str | | |
devTimeFormat | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | |
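The config, system and traffic tables above carry three kinds of field handling that are easy to get wrong when you reimplement or validate them outside Devo: source-name renames (createdate to timestamp, srcXIp to srcNatIp and so on), the null-safe `int(dev_group_hierarchy_N_aux)` cast, and the `ifthenelse(isnotnull(high_res_timestamp_fmt), parsedate(...), null(...))` expression that yields a null timestamp when the firewall sends no format string. The Python below is an added example, not Devo's parser and not code from this page, that applies those three rules to one constructed record. It assumes the format string can be used as a strptime pattern (Devo's dateformat() has its own pattern syntax), and the function and field names of the record are constructed for the example.

```python
from datetime import datetime
from typing import Optional

# Source field name -> table column, taken from the traffic table above.
RENAMES = {
    "createdate": "timestamp",
    "srcXIp": "srcNatIp", "dstXIp": "dstNatIp",
    "srcXPort": "srcNatPort", "dstXPort": "dstNatPort",
}


def to_int(value: Optional[str]) -> Optional[int]:
    """Null-safe equivalent of the int(<field>_aux) transformation.

    A missing, empty or non-numeric aux value becomes None instead of
    aborting the whole record.
    """
    if value is None or value.strip() == "":
        return None
    try:
        return int(value.strip())
    except ValueError:
        return None


def high_res_timestamp(tmp: Optional[str],
                       fmt: Optional[str]) -> Optional[datetime]:
    """ifthenelse(isnotnull(fmt), parsedate(tmp, dateformat(fmt)), null).

    Firewalls that do not send high_res_timestamp_fmt get a null timestamp;
    an unparseable value is also mapped to None rather than a bogus date.
    ASSUMPTION: fmt is treated as a strptime pattern.
    """
    if fmt is None or tmp is None:
        return None
    try:
        return datetime.strptime(tmp, fmt)
    except ValueError:
        return None


def normalize(raw: dict) -> dict:
    """Apply renames, aux-to-int casts and the high-res timestamp rule."""
    out = {RENAMES.get(k, k): v for k, v in raw.items()}
    for n in range(1, 5):  # dev_group_hierarchy_1 .. _4 (config table)
        aux = out.pop(f"dev_group_hierarchy_{n}_aux", None)
        out[f"dev_group_hierarchy_{n}"] = to_int(aux)
    fmt = out.pop("high_res_timestamp_fmt", None)
    tmp = out.pop("high_res_timestamp_tmp", None)
    out["high_res_timestamp"] = high_res_timestamp(tmp, fmt)
    return out


# Constructed records (RFC 5737 addresses). SAMPLE_OLD_FW mimics a firewall
# version that sends the raw timestamp but no format string.
SAMPLE = {
    "createdate": "2024/01/15 10:00:01",
    "srcXIp": "192.0.2.5", "dstXIp": "198.51.100.7",
    "srcXPort": "40001", "dstXPort": "443",
    "dev_group_hierarchy_1_aux": "12", "dev_group_hierarchy_2_aux": "",
    "dev_group_hierarchy_3_aux": "0", "dev_group_hierarchy_4_aux": "n/a",
    "high_res_timestamp_tmp": "2024-01-15T10:00:01.123",
    "high_res_timestamp_fmt": "%Y-%m-%dT%H:%M:%S.%f",
}
SAMPLE_OLD_FW = {
    "createdate": "2024/01/15 10:00:01",
    "high_res_timestamp_tmp": "2024-01-15T10:00:01.123",
}

if __name__ == "__main__":
    for rec in (SAMPLE, SAMPLE_OLD_FW):
        print(normalize(rec))
```

The point to take from the two records is that the same raw field (high_res_timestamp_tmp) produces a real timestamp in one case and a null in the other purely because the format field is absent, which is the behaviour the ifthenelse expression in the tables encodes; any downstream query that filters on high_res_timestamp must expect nulls from older firewalls.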
firewall.paloalto.url

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
timestamp | timestamp | createdate |
recvdate | timestamp | |
serial | str | |
subType | str | |
srcIp | ip4 | |
srcIp_str | str | |
dstIp | ip4 | |
dstIp_str | str | |
srcNatIp | ip4 | srcXIp |
dstNatIp | ip4 | dstXIp |
rule | str | |
srcUser | str | |
dstUser | str | |
app | str | |
virtSys | str | |
srcZone | str | |
dstZone | str | |
srcIface | str | |
dstIface | str | |
logAction | str | |
session | str | |
repCnt | int4 | |
srcPort | int4 | |
dstPort | int4 | |
srcNatPort | int4 | srcXPort |
dstNatPort | int4 | dstXPort |
flags | str | |
proto | str | |
action | str | |
url_filename | str | misc |
threatid | str | |
category | str | |
severity | str | |
direction | str | |
seqno | int8 | |
actionflags | str | |
srcloc | str | |
dstloc | str | |
cpadding | int4 | |
contenttype | str | |
pcapId | int8 | pcadId |
fileDigest | str | |
cloud | str | |
urlIdx | int4 | |
userAgent | str | |
fileType | str | |
xff | str | |
referer | str | |
sender | str | |
subject | str | |
recipient | str | |
reportid | int4 | |
dgHierLevel1 | int4 | |
dgHierLevel2 | int4 | |
dgHierLevel3 | int4 | |
dgHierLevel4 | int4 | |
vsysName | str | |
deviceName | str | |
srcVMuuid | str | |
dstVMuuid | str | |
httpMethod | str | |
tunnelIDimsi | str | |
monitorTagIMEI | str | |
parentSessID | int4 | |
parentStartTime | timestamp | |
tunnel | str | |
thrCategory | str | |
contentver | str | |
sctpAssociationID | int4 | |
payloadProtocolID | int8 | |
httpHeaders | str | |
urlCategoryList | str | |
uuidForRule | str | |
http2Connection | str | |
leefVer | str | |
vendor | str | |
product | str | |
version | str | |
eventID | str | |
profileToken | str | |
identSrc | str | |
inlineMLVerdict | str | |
dynamicUserGroupName | str | |
xForwardedForIP | str | |
sourceDeviceCategory | str | |
sourceDeviceProfile | str | |
sourceDeviceModel | str | |
sourceDeviceVendor | str | |
sourceDeviceOSFamily | str | |
sourceDeviceOSVersion | str | |
sourceDeviceHost | str | |
sourceDeviceMac | str | |
destinationDeviceCategory | str | |
destinationDeviceProfile | str | |
destinationDeviceModel | str | |
destinationDeviceVendor | str | |
destinationDeviceOSFamily | str | |
destinationDeviceOSVersion | str | |
destinationDeviceHost | str | |
destinationDeviceMac | str | |
containerID | str | |
containerNameSpace | str | |
containerName | str | |
sourceEDL | str | |
destinationEDL | str | |
hostID | str | |
endpointSerialNumber | str | |
sourceDynamicAddressGroup | str | |
destinationDynamicAddressGroup | str | |
timeGeneratedHighResolution | str | |
nssaiNetworkSliceType | str | |
devTimeFormat | str | |
hostchain | str | | ✓
tag | str | | ✓
rawMessage | str | |
firewall.paloalto.userid

Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | timestamp | |
machine | str | |
future_use_1 | str | |
recvdate | timestamp | receive_time |
serial | str | |
logType | str | type |
subType | str | subtype |
future_use_2 | str | |
timestamp | timestamp | time_generated |
virtSys | str | vsys |
srcIp | ip4 | ip |
srcIp_str | str | |
srcUser | str | user |
datasourcename | str | |
eventid2 | str | |
repeatcnt | str | |
timeout | str | |
srcPort | int4 | beginport |
dstPort | int4 | endport |
datasource | str | |
datasourcetype | str | |
seqno | int8 | |
actionFlags | str | actionflags |
dg_hier_level_1 | int8 | |
dg_hier_level_2 | int8 | |
dg_hier_level_3 | int8 | |
dg_hier_level_4 | int8 | |
vsys_name | str | |
device_name | str | |
vsys_id | str | |
factortype | str | |
factorcompletiontime | timestamp | |
factorno | str | |
ugflags | str | |
userbysource | str | |
hostchain | str | | ✓
tag | str | | ✓
rawMessage | str | |
...