Introduction
The tags beginning with cef0.paloAltoNetworks identify events in CEF format generated by Palo Alto Networks.
Tag structure
Events in CEF format don’t have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
Tags | Data tables |
---|---|
cef0.paloAltoNetworks.cortexXdr | cef0.paloAltoNetworks.cortexXdr |
cef0.paloAltoNetworks.cortexXdrAgent | cef0.paloAltoNetworks.cortexXdrAgent |
cef0.paloAltoNetworks.cortexXsoar | cef0.paloAltoNetworks.cortexXsoar |
cef0.paloAltoNetworks.lf | cef0.paloAltoNetworks.lf |
cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar | cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar |
cef0.paloAltoNetworks.panOs | cef0.paloAltoNetworks.panOs |
cef0.paloaltonetworks.panwiot | cef0.paloaltonetworks.panwiot |
How is the data sent to Devo?
Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
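As an added example (not Devo's or Palo Alto Networks' code), the following Python parses one constructed CEF line into the header columns these tables use (cefVersion, embDeviceVendor, embDeviceProduct, deviceVersion, signatureID, name, severity) plus its extension keys, resolves the csNLabel/csN pairs, and derives the cef0.deviceVendor.deviceProduct table name. The lower-camel-casing of the vendor and product words into the table name is an assumption.

```python
import re

# Constructed sample event (not from the page): a CEF line in the shape a
# Palo Alto Networks product emits, with an escaped pipe in the header and
# an escaped '=' inside an extension value.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|Cortex XDR|3.0|XDR Alert|Behavioral Threat "
    "detected \\| high|8|act=Prevented cs1Label=Alert Source cs1=XDR Agent "
    "src=10.0.0.5 dst=203.0.113.9 request=https://example.test/?a\\=1 "
    "msg=Suspicious process tree"
)

# Column names the Devo tables on this page use for the seven CEF header fields.
HEADER_COLUMNS = ["cefVersion", "embDeviceVendor", "embDeviceProduct",
                  "deviceVersion", "signatureID", "name", "severity"]

def _unescape(value):
    # CEF escapes '|', '=' and the backslash itself with a backslash.
    return re.sub(r"\\(.)", r"\1", value)

def _table_component(words):
    # Assumption: Devo lower-camel-cases the vendor/product words to build
    # the table name (consistent with cef0.paloAltoNetworks.cortexXdr above).
    parts = re.findall(r"[A-Za-z0-9]+", words)
    return parts[0].lower() + "".join(p.capitalize() for p in parts[1:])

def parse_cef(line):
    """Return (devo_table, columns) for one CEF event line."""
    # Split the 7 header fields on unescaped pipes; the remainder is the extension.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    parts[0] = parts[0][len("CEF:"):]
    columns = dict(zip(HEADER_COLUMNS, (_unescape(p) for p in parts[:7])))
    # Extension: key=value pairs; a new pair starts at whitespace followed by key=.
    for token in filter(None, re.split(r"\s+(?=\w+=)", parts[7].strip())):
        key, _, value = token.partition("=")
        columns[key] = _unescape(value)
    # Resolve custom-field labels (cs1Label -> cs1, cn1Label -> cn1, ...)
    # the way an analyst reads them: label text -> value.
    columns["labels"] = {
        v: columns.get(k[:-len("Label")])
        for k, v in columns.items() if k.endswith("Label")
    }
    table = "cef0.%s.%s" % (_table_component(columns["embDeviceVendor"]),
                            _table_component(columns["embDeviceProduct"]))
    return table, columns
```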
Table structure
These are the fields displayed in this table:
cef0.paloAltoNetworks.cortexXdr
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
_cefVer | | | |
act | | | |
app | | | |
cat | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
cs3Label | | | |
cs3 | | | |
cs4Label | | | |
cs4 | | | |
cs5Label | | | |
cs5 | | | |
cs6Label | | | |
cs6 | | | |
dst | | | |
dpt | | | |
end | | | |
deviceFacility | | | |
externalId | | | |
fileHash | | | |
filePath | | | |
request | | | |
shost | | | |
src | | | |
spt | | | |
suser | | | |
CSPaccountname | | | |
cgoSha256 | | | |
incident | | | |
initiatorPath | | | |
initiatorSha256 | | | |
osParentCmd | | | |
osParentName | | | |
osParentSha256 | | | |
osParentSignature | | | |
osParentSigner | | | |
targetprocesscmd | | | |
targetprocessname | | | |
targetprocesssha256 | | | |
targetprocesssignature | | | |
tenantCDLid | | | |
tenantname | | | |
hostchain | | | ✓ |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.cortexXdrAgent
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
dvchost | | | |
shost | | | |
cat | | | |
end | | | |
rt | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
cs3Label | | | |
cs3 | | | |
cs4Label | | | |
cs4 | | | |
msg | | | |
tenantname | | | |
tenantCDLid | | | |
CSPaccountname | | | |
hostchain | | | ✓ |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.cortexXsoar
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
machine | | | |
priority_code | | | |
cef_tag | | | |
cef_version | | | |
emb_device_vendor | | | |
emb_device_product | | | |
device_version | | | |
signature_id | | | |
name | | | |
severity | | | |
device_custom_string_1_label | | | |
device_custom_string_1 | | | |
device_custom_string_2_label | | | |
device_custom_string_2 | | | |
device_custom_string_3_label | | | |
device_custom_string_3 | | | |
device_custom_string_4_label | | | |
device_custom_string_4 | | | |
end | | | |
external_id | | | |
message | | | |
source_username | | | |
cs_paccountname | | | |
tenant_cd_lid | | | |
tenantname | | | |
hostchain | | | ✓ |
tag | | cef_tag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.lf
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
_cefVer | | | |
act | | | |
app | | | |
cat | | | |
c6a1Label | | | |
c6a1 | | | |
cn1Label | | | |
cn1 | | | |
cn2Label | | | |
cn2 | | | |
cn3Label | | | |
cn3 | | | |
cnt | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
cs3Label | | | |
cs3 | | | |
cs4Label | | | |
cs4 | | | |
cs5Label | | | |
cs5 | | | |
cs6Label | | | |
cs6 | | | |
destinationServiceName | | | |
destinationTranslatedAddress | | | |
destinationTranslatedPort | | | |
deviceExternalId | | | |
deviceInboundInterface | | | |
deviceOutboundInterface | | | |
dhost | | | |
dst | | | |
dpt | | | |
duser | | | |
dvchost | | | |
end | | | |
externalId | | | |
fileId | | | |
fname | | | |
in | | | |
msg | | | |
out | | | |
proto | | | |
reason | | | |
requestClientApplication | | | |
requestMethod | | | |
requestContext | | | |
request | | | |
rt | | | |
dtz | | | |
shost | | | |
sourceTranslatedAddress | | | |
sourceTranslatedPort | | | |
src | | | |
spt | | | |
start | | | |
suser | | | |
flexString2 | | | |
flexString2Label | | | |
PanOSAttemptedGateways | | | |
PanOSAuthMethod | | | |
PanOSBytes | | | |
PanOSChunksReceived | | | |
PanOSChunksSent | | | |
PanOSChunksTotal | | | |
PanOSConfigVersion | | | |
PanOSConnectionError | | | |
PanOSConnectionErrorID | | | |
PanOSConnectionMethod | | | |
PanOSContainerID | | | |
PanOSContainerName | | | |
PanOSContainerNameSpace | | | |
PanOSContentVersion | | | |
PanOSCountOfRepeats | | | |
PanOSDescription | | | |
PanOSDestinationDeviceCategory | | | |
PanOSDestinationDeviceHost | | | |
PanOSDestinationDeviceMac | | | |
PanOSDestinationDeviceModel | | | |
PanOSDestinationDeviceOSFamily | | | |
PanOSDestinationDeviceOSVersion | | | |
PanOSDestinationDeviceProfile | | | |
PanOSDestinationDeviceVendor | | | |
PanOSDestinationDynamicAddressGroup | | | |
PanOSDestinationEDL | | | |
PanOSDestinationLocation | | | |
PanOSDestinationUUID | | | |
PanOSDeviceGroup | | | |
PanOSDeviceName | | | |
PanOSDeviceSN | | | |
PanOSDGHierarchyLevel1 | | | |
PanOSDGHierarchyLevel2 | | | |
PanOSDGHierarchyLevel3 | | | |
PanOSDGHierarchyLevel4 | | | |
PanOSDynamicUserGroupName | | | |
PanOSEndpointAssociationID | | | |
PanOSEndpointDeviceName | | | |
PanOSEndpointOSType | | | |
PanOSEndpointOSVersion | | | |
PanOSEndpointSerialNumber | | | |
PanOSEndpointSN | | | |
PanOSEventDescription | | | |
PanOSEventIDValue | | | |
PanOSEventResult | | | |
PanOSEventStatus | | | |
PanOSEventTime | | | |
PanOSGateway | | | |
PanOSGatewayPriority | | | |
PanOSGatewaySelectionType | | | |
PanOSGlobalProtectClientVersion | | | |
PanOSGlobalProtectGatewayLocation | | | |
PanOSGPHostID | | | |
PanOSHASessionOwner | | | |
PanOSHipMatchType | | | |
PanOSHostID | | | |
PanOSHTTP2Connection | | | |
PanOSHTTPHeaders | | | |
PanOSIMEI | | | |
PanOSIMSI | | | |
PanOSInlineMLVerdict | | | |
PanOSLinkChangeCount | | | |
PanOSLinkSwitches | | | |
PanOSLoginDuration | | | |
PanOSNSSAINetworkSliceDifferentiator | | | |
PanOSNSSAINetworkSliceType | | | |
PanOSPacketsReceived | | | |
PanOSPacketsSent | | | |
PanOSParentSessionID | | | |
PanOSParentStarttime | | | |
PanOSPortal | | | |
PanOSPrivateIPv4 | | | |
PanOSPrivateIPv6 | | | |
PanOSPublicIPv4 | | | |
PanOSPublicIPv6 | | | |
PanOSQuarantineReason | | | |
PanOSReferer | | | |
PanOSRuleUUID | | | |
PanOSSDWANCluster | | | |
PanOSSDWANClusterType | | | |
PanOSSDWANDeviceType | | | |
PanOSSDWANPolicyName | | | |
PanOSSDWANSite | | | |
PanOSSequenceNo | | | |
PanOSSessionStartTime | | | |
PanOSSigFlags | | | |
PanOSSource | | | |
PanOSSourceDeviceCategory | | | |
PanOSSourceDeviceHost | | | |
PanOSSourceDeviceMac | | | |
PanOSSourceDeviceModel | | | |
PanOSSourceDeviceOSFamily | | | |
PanOSSourceDeviceOSVersion | | | |
PanOSSourceDeviceProfile | | | |
PanOSSourceDeviceVendor | | | |
PanOSSourceDynamicAddressGroup | | | |
PanOSSourceEDL | | | |
PanOSSourceLocation | | | |
PanOSSourceRegion | | | |
PanOSSourceUser | | | |
PanOSSourceUserName | | | |
PanOSSourceUUID | | | |
PanOSSSLResponseTime | | | |
PanOSStage | | | |
PanOSTag | | | |
PanOSTemplate | | | |
PanOSThreatID | | | |
PanOSThreatCategory | | | |
PanOSTimeGeneratedHighResolution | | | |
PanOSTimestampDeviceIdentification | | | |
PanOSTunnel | | | |
PanOSTunnelType | | | |
PanOSUGFlags | | | |
PanOSURLCategoryList | | | |
PanOSURLCounter | | | |
PanOSUserIdentifiedBySource | | | |
PanOSVirtualSystem | | | |
PanOSVirtualSystemID | | | |
PanOSVirtualSystemName | | | |
PanOSXForwardedFor | | | |
PanOSXForwardedForIP | | | |
hostchain | | | ✓ |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
_cefVer | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
suser | | | |
startTime | | | |
hostchain | | | ✓ |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.panOs
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
_cefVer | | | |
act | | | |
app | | | |
cat | | | |
cn1Label | | | |
cn1 | | | |
cn2Label | | | |
cn2 | | | |
cn3Label | | | |
cn3 | | | |
cnt | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
cs3Label | | | |
cs3 | | | |
cs4Label | | | |
cs4 | | | |
cs5Label | | | |
cs5 | | | |
cs6Label | | | |
cs6 | | | |
destinationTranslatedAddress | | | |
destinationTranslatedPort | | | |
deviceExternalId | | | |
deviceInboundInterface | | | |
deviceOutboundInterface | | | |
dst | | | |
duser | | | |
dvchost | | | |
dvc | | | |
externalId | | | |
filePath | | | |
fileType | | | |
fname | | | |
in | | | |
msg | | | |
out | | | |
proto | | | |
request | | | |
rt | | | |
sourceTranslatedAddress | | | |
sourceTranslatedPort | | | |
spt | | | |
src | | | |
start | | | |
suser | | | |
agt | | | |
ahost | | | |
aid | | | |
arcSightEventPath | | | |
art | | | |
assetCriticality | | | |
at | | | |
atz | | | |
av | | | |
catdt | | | |
categoryBehavior | | | |
categoryDeviceGroup | | | |
categoryObject | | | |
categoryOutcome | | | |
customerID | | | |
customerURI | | | |
destinationAssetId | | | |
destinationGeoCountryCode | | | |
destinationGeoLocationInfo | | | |
destinationGeoPostalCode | | | |
destinationGeoRegionCode | | | |
destinationZoneExternalID | | | |
destinationZoneID | | | |
destinationZoneURI | | | |
deviceAssetId | | | |
deviceFacility | | | |
deviceSeverity | | | |
deviceZoneID | | | |
deviceZoneURI | | | |
dlat | | | |
dlong | | | |
dpt | | | |
dtz | | | |
eventAnnotationAuditTrail | | | |
eventAnnotationEndTime | | | |
eventAnnotationEventId | | | |
eventAnnotationFlags | | | |
eventAnnotationManagerReceiptTime | | | |
eventAnnotationModificationTime | | | |
eventAnnotationStageID | | | |
eventAnnotationStageUpdateTime | | | |
eventAnnotationStageURI | | | |
eventAnnotationVersion | | | |
eventId | | | |
flexNumber1 | | | |
flexNumber1Label | | | |
flexString1 | | | |
flexString1Label | | | |
flexString2 | | | |
flexString2Label | | | |
generatorID | | | |
locality | | | |
modelConfidence | | | |
mrt | | | |
priority | | | |
relevance | | | |
slat | | | |
slong | | | |
sourceAssetId | | | |
sourceGeoCountryCode | | | |
sourceGeoLocationInfo | | | |
sourceGeoPostalCode | | | |
sourceGeoRegionCode | | | |
sourceTranslatedZoneExternalID | | | |
sourceTranslatedZoneID | | | |
sourceTranslatedZoneURI | | | |
sourceZoneExternalID | | | |
sourceZoneID | | | |
sourceZoneURI | | | |
type | | | |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
hostchain | | | ✓ |
cef0.paloaltonetworks.panwiot
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priority_code | | | |
cef_tag | | | |
cef_version | | | |
emb_device_vendor | | | |
emb_device_product | | | |
device_version | | | |
signature_id | | | |
name | | | |
severity | | | |
device_custom_string_1_label | | | |
device_custom_string_1 | | | |
device_custom_string_2_label | | | |
device_custom_string_2 | | | |
device_custom_string_3_label | | | |
device_custom_string_3 | | | |
device_custom_string_4_label | | | |
device_custom_string_4 | | | |
device_hostname | | | |
device_ip | | | |
device_mac | | | |
device_custom_string_10 | | | |
device_custom_string_10_label | | | |
device_custom_string_15 | | | |
device_custom_string_15_label | | | |
device_custom_string_16 | | | |
device_custom_string_16_label | | | |
device_custom_string_17 | | | |
device_custom_string_17_label | | | |
device_custom_string_22 | | | |
device_custom_string_22_label | | | |
device_custom_string_44 | | | |
device_custom_string_44_label | | | |
device_custom_string_7 | | | |
device_custom_string_7_label | | | |
device_custom_string_8 | | | |
device_custom_string_8_label | | | |
device_custom_string_9 | | | |
device_custom_string_9_label | | | |
hostchain | | | ✓ |
tag | | cef_tag | ✓ |
rawMessage | | | ✓ |