
cef0.paloAltoNetworks

Introduction

The table cef0.paloAltoNetworks identifies events in CEF format generated by Palo Alto Networks products.

Tag structure

Events in CEF format don’t have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

| Tag | Data table |
|---|---|
| CEF | cef0.paloAltoNetworks.panOs |
| CEF | cef0.paloAltoNetworks.lf |
| CEF | cef0.paloAltoNetworks.cortexXdrAgent |
| CEF | cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar |
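As an added example (not code from the Devo documentation, nor from Palo Alto Networks), the following Python script shows what the routing rule above means in practice: it parses a syslog-wrapped CEF line into the header fields the tables on this page expose (cefVersion, embDeviceVendor, embDeviceProduct, deviceVersion, signatureID, name, severity), splits the extension into key/value pairs while honouring the CEF escape sequences, resolves csNLabel/csN style pairs, and derives the cef0.deviceVendor.deviceProduct table name. The vendor/product normalisation (lower camel case of the header strings) is an assumption inferred from the four table names listed above, not a documented Devo rule; the syslog prefix layout and the sample log lines are constructed for the example.

```python
import re

# Constructed sample events (not real device output). Header fields are '|'-separated;
# an escaped pipe inside a header field is written "\|", an escaped '=' in an
# extension value is written "\=".
SAMPLE_LINES = [
    r"<14>Mar 10 2024 09:15:02 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.2.3|end|TRAFFIC|3|"
    r"rt=Mar 10 2024 09:15:02 src=10.1.2.3 dst=192.0.2.44 spt=51234 dpt=443 proto=tcp act=allow "
    r"cs1Label=Rule cs1=allow-web in=1532 out=8820 cnt=1",
    r"<14>Mar 10 2024 09:15:05 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.2.3|vulnerability|THREAT\|test|8|"
    r"src=10.1.2.3 dst=192.0.2.44 dpt=80 act=alert cs1Label=Rule cs1=allow-web "
    r"msg=escaped equals a\=b here fileType=PE",
]

# Column names used by the tables on this page for the seven CEF header fields.
HEADER_COLUMNS = ("cefVersion", "embDeviceVendor", "embDeviceProduct",
                  "deviceVersion", "signatureID", "name", "severity")

# Escape sequences allowed in CEF extension values.
_EXT_UNESCAPE = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}


def camel(label):
    """Lower-camel-case a vendor/product string: 'Palo Alto Networks' -> 'paloAltoNetworks'.
    ASSUMPTION: this rule is inferred from the table names on this page, not documented."""
    tokens = [t for t in re.split(r"[^A-Za-z0-9]+", label) if t]
    if not tokens:
        raise ValueError("empty vendor/product string")
    return tokens[0].lower() + "".join(t[:1].upper() + t[1:].lower() for t in tokens[1:])


def split_header(cef_body):
    """Split the text after 'CEF:' on unescaped '|' into 7 header fields plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(cef_body) and len(fields) < 7:
        ch = cef_body[i]
        if ch == "\\" and i + 1 < len(cef_body) and cef_body[i + 1] in "|\\":
            cur.append(cef_body[i + 1])  # "\|" and "\\" are the only header escapes
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields, cef_body[i:]


def parse_extension(extension):
    """Parse 'key=value key=value ...'; values may contain spaces, '=' must be escaped."""
    parsed = {}
    # A new pair starts at whitespace followed by an unescaped 'key=' token.
    for pair in re.split(r"\s+(?=\w+=)", extension.strip()):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        parsed[key] = re.sub(r"\\[=\\nr]", lambda m: _EXT_UNESCAPE[m.group(0)], value)
    return parsed


def parse_cef_event(line):
    """Parse one syslog-wrapped CEF line into a dict keyed like this page's table columns."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header in line")
    event = {}
    prefix_tokens = line[:idx].split()
    pri = re.match(r"<(\d{1,3})>", line)
    if pri:
        event["priorityCode"] = pri.group(1)  # syslog PRI value, e.g. <14>
    if prefix_tokens and not prefix_tokens[-1].startswith("<"):
        event["hostname"] = prefix_tokens[-1]  # assumed: host is the last token before CEF:
    header, extension = split_header(line[idx + len("CEF:"):])
    event.update(zip(HEADER_COLUMNS, header))
    event.update(parse_extension(extension))
    # Routing rule from the page: cef0.<deviceVendor>.<deviceProduct>
    event["tag"] = "cef0.%s.%s" % (camel(event["embDeviceVendor"]), camel(event["embDeviceProduct"]))
    event["rawMessage"] = line
    return event


def labelled_customs(event):
    """Resolve csN/cnN/c6aN/flex*N fields with their *Label partner into {label: value}."""
    resolved = {}
    for key, label in event.items():
        m = re.fullmatch(r"(c[sn]\d+|c6a\d+|flex(?:String|Number)\d+)Label", key)
        if m and m.group(1) in event:
            resolved[label] = event[m.group(1)]
    return resolved


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ev = parse_cef_event(sample)
        print(ev["tag"], ev["signatureID"], ev["name"], ev["severity"], labelled_customs(ev))
```

Running the script prints, for each constructed line, the derived table name (both land in cef0.paloAltoNetworks.panOs), the signature, the event name with the escaped pipe restored, the severity, and the custom fields resolved by their labels. The escape handling in split_header and parse_extension is the part worth copying: a naive split on "|" or "=" silently truncates or mis-assigns fields whenever a rule name or message contains those characters.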

Table structure

This is the set of fields displayed by these tables.

cef0.paloAltoNetworks.panOs

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| rawMessage | str | ✓ |
| hostchain | str | ✓ |
| hostname | str | - |
| priorityCode | str | - |
| cefTag | str | - |
| cefVersion | str | - |
| embDeviceVendor | str | - |
| embDeviceProduct | str | - |
| deviceVersion | str | - |
| signatureID | str | - |
| name | str | - |
| severity | str | - |
| _cefVer | str | - |
| act | str | - |
| app | str | - |
| cat | str | - |
| cn1Label | str | - |
| cn1 | int8 | - |
| cn2Label | str | - |
| cn2 | int8 | - |
| cn3Label | str | - |
| cn3 | int8 | - |
| cnt | int4 | - |
| cs1Label | str | - |
| cs1 | str | - |
| cs2Label | str | - |
| cs2 | str | - |
| cs3Label | str | - |
| cs3 | str | - |
| cs4Label | str | - |
| cs4 | str | - |
| cs5Label | str | - |
| cs5 | str | - |
| cs6Label | str | - |
| cs6 | str | - |
| destinationTranslatedAddress | ip4 | - |
| destinationTranslatedPort | int4 | - |
| deviceExternalId | str | - |
| deviceInboundInterface | str | - |
| deviceOutboundInterface | str | - |
| dst | ip4 | - |
| duser | str | - |
| dvchost | str | - |
| dvc | ip4 | - |
| externalId | str | - |
| filePath | str | - |
| fileType | str | - |
| fname | str | - |
| in | int8 | - |
| msg | str | - |
| out | int8 | - |
| proto | str | - |
| request | str | - |
| rt | timestamp | - |
| sourceTranslatedAddress | ip4 | - |
| sourceTranslatedPort | int4 | - |
| spt | int4 | - |
| src | ip4 | - |
| start | timestamp | - |
| suser | str | - |
| agt | ip4 | - |
| ahost | str | - |
| aid | str | - |
| arcSightEventPath | str | - |
| art | str | - |
| assetCriticality | int4 | - |
| at | str | - |
| atz | str | - |
| av | str | - |
| catdt | str | - |
| categoryBehavior | str | - |
| categoryDeviceGroup | str | - |
| categoryObject | str | - |
| categoryOutcome | str | - |
| customerID | str | - |
| customerURI | str | - |
| destinationAssetId | str | - |
| destinationGeoCountryCode | str | - |
| destinationGeoLocationInfo | str | - |
| destinationGeoPostalCode | str | - |
| destinationGeoRegionCode | str | - |
| destinationZoneExternalID | str | - |
| destinationZoneID | str | - |
| destinationZoneURI | str | - |
| deviceAssetId | str | - |
| deviceFacility | str | - |
| deviceSeverity | str | - |
| deviceZoneID | str | - |
| deviceZoneURI | str | - |
| dlat | float8 | - |
| dlong | float8 | - |
| dpt | int4 | - |
| dtz | str | - |
| eventAnnotationAuditTrail | str | - |
| eventAnnotationEndTime | timestamp | - |
| eventAnnotationEventId | str | - |
| eventAnnotationFlags | str | - |
| eventAnnotationManagerReceiptTime | timestamp | - |
| eventAnnotationModificationTime | timestamp | - |
| eventAnnotationStageID | str | - |
| eventAnnotationStageUpdateTime | timestamp | - |
| eventAnnotationStageURI | str | - |
| eventAnnotationVersion | int4 | - |
| eventId | str | - |
| flexNumber1 | int4 | - |
| flexNumber1Label | str | - |
| flexString1 | str | - |
| flexString1Label | str | - |
| flexString2 | str | - |
| flexString2Label | str | - |
| generatorID | str | - |
| locality | int4 | - |
| modelConfidence | int4 | - |
| mrt | timestamp | - |
| priority | int4 | - |
| relevance | int4 | - |
| slat | float8 | - |
| slong | float8 | - |
| sourceAssetId | str | - |
| sourceGeoCountryCode | str | - |
| sourceGeoLocationInfo | str | - |
| sourceGeoPostalCode | str | - |
| sourceGeoRegionCode | str | - |
| sourceTranslatedZoneExternalID | str | - |
| sourceTranslatedZoneID | str | - |
| sourceTranslatedZoneURI | str | - |
| sourceZoneExternalID | str | - |
| sourceZoneID | str | - |
| sourceZoneURI | str | - |
| type | int4 | - |
| tag | str | ✓ |

cef0.paloAltoNetworks.lf

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| priorityCode | str | - |
| cefTag | str | - |
| cefVersion | str | - |
| embDeviceVendor | str | - |
| embDeviceProduct | str | - |
| deviceVersion | str | - |
| signatureID | str | - |
| name | str | - |
| severity | str | - |
| _cefVer | str | - |
| act | str | - |
| app | str | - |
| cat | str | - |
| c6a1Label | str | - |
| c6a1 | str | - |
| cn1Label | str | - |
| cn1 | int8 | - |
| cn2Label | str | - |
| cn2 | int8 | - |
| cn3Label | str | - |
| cn3 | int8 | - |
| cnt | int4 | - |
| cs1Label | str | - |
| cs1 | str | - |
| cs2Label | str | - |
| cs2 | str | - |
| cs3Label | str | - |
| cs3 | str | - |
| cs4Label | str | - |
| cs4 | str | - |
| cs5Label | str | - |
| cs5 | str | - |
| cs6Label | str | - |
| cs6 | str | - |
| destinationServiceName | str | - |
| destinationTranslatedAddress | ip4 | - |
| destinationTranslatedPort | int4 | - |
| deviceExternalId | str | - |
| deviceInboundInterface | str | - |
| deviceOutboundInterface | str | - |
| dhost | str | - |
| dst | ip4 | - |
| dpt | int4 | - |
| duser | str | - |
| dvchost | str | - |
| end | timestamp | - |
| externalId | int8 | - |
| fileId | str | - |
| fname | str | - |
| in | int8 | - |
| msg | str | - |
| out | int8 | - |
| proto | str | - |
| reason | str | - |
| requestClientApplication | str | - |
| requestMethod | str | - |
| requestContext | str | - |
| request | str | - |
| rt | timestamp | - |
| dtz | str | - |
| shost | str | - |
| sourceTranslatedAddress | ip4 | - |
| sourceTranslatedPort | int4 | - |
| src | ip4 | - |
| spt | int4 | - |
| start | timestamp | - |
| suser | str | - |
| flexString2 | str | - |
| flexString2Label | str | - |
| PanOSAttemptedGateways | str | - |
| PanOSAuthMethod | str | - |
| PanOSBytes | str | - |
| PanOSChunksReceived | str | - |
| PanOSChunksSent | str | - |
| PanOSChunksTotal | str | - |
| PanOSConfigVersion | str | - |
| PanOSConnectionError | str | - |
| PanOSConnectionErrorID | str | - |
| PanOSConnectionMethod | str | - |
| PanOSContainerID | str | - |
| PanOSContainerName | str | - |
| PanOSContainerNameSpace | str | - |
| PanOSContentVersion | str | - |
| PanOSCountOfRepeats | str | - |
| PanOSDescription | str | - |
| PanOSDestinationDeviceCategory | str | - |
| PanOSDestinationDeviceHost | str | - |
| PanOSDestinationDeviceMac | str | - |
| PanOSDestinationDeviceModel | str | - |
| PanOSDestinationDeviceOSFamily | str | - |
| PanOSDestinationDeviceOSVersion | str | - |
| PanOSDestinationDeviceProfile | str | - |
| PanOSDestinationDeviceVendor | str | - |
| PanOSDestinationDynamicAddressGroup | str | - |
| PanOSDestinationEDL | str | - |
| PanOSDestinationLocation | str | - |
| PanOSDestinationUUID | str | - |
| PanOSDeviceGroup | str | - |
| PanOSDeviceName | str | - |
| PanOSDeviceSN | str | - |
| PanOSDGHierarchyLevel1 | str | - |
| PanOSDGHierarchyLevel2 | str | - |
| PanOSDGHierarchyLevel3 | str | - |
| PanOSDGHierarchyLevel4 | str | - |
| PanOSDynamicUserGroupName | str | - |
| PanOSEndpointAssociationID | str | - |
| PanOSEndpointDeviceName | str | - |
| PanOSEndpointOSType | str | - |
| PanOSEndpointOSVersion | str | - |
| PanOSEndpointSerialNumber | str | - |
| PanOSEndpointSN | str | - |
| PanOSEventDescription | str | - |
| PanOSEventIDValue | str | - |
| PanOSEventResult | str | - |
| PanOSEventStatus | str | - |
| PanOSEventTime | timestamp | - |
| PanOSGateway | str | - |
| PanOSGatewayPriority | str | - |
| PanOSGatewaySelectionType | str | - |
| PanOSGlobalProtectClientVersion | str | - |
| PanOSGlobalProtectGatewayLocation | str | - |
| PanOSGPHostID | str | - |
| PanOSHASessionOwner | str | - |
| PanOSHipMatchType | str | - |
| PanOSHostID | str | - |
| PanOSHTTP2Connection | str | - |
| PanOSHTTPHeaders | str | - |
| PanOSIMEI | str | - |
| PanOSIMSI | str | - |
| PanOSInlineMLVerdict | str | - |
| PanOSLinkChangeCount | str | - |
| PanOSLinkSwitches | str | - |
| PanOSLoginDuration | str | - |
| PanOSNSSAINetworkSliceDifferentiator | str | - |
| PanOSNSSAINetworkSliceType | str | - |
| PanOSPacketsReceived | str | - |
| PanOSPacketsSent | str | - |
| PanOSParentSessionID | str | - |
| PanOSParentStarttime | timestamp | - |
| PanOSPortal | str | - |
| PanOSPrivateIPv4 | ip4 | - |
| PanOSPrivateIPv6 | str | - |
| PanOSPublicIPv4 | ip4 | - |
| PanOSPublicIPv6 | str | - |
| PanOSQuarantineReason | str | - |
| PanOSReferer | str | - |
| PanOSRuleUUID | str | - |
| PanOSSDWANCluster | str | - |
| PanOSSDWANClusterType | str | - |
| PanOSSDWANDeviceType | str | - |
| PanOSSDWANPolicyName | str | - |
| PanOSSDWANSite | str | - |
| PanOSSequenceNo | str | - |
| PanOSSessionStartTime | timestamp | - |
| PanOSSigFlags | str | - |
| PanOSSource | str | - |
| PanOSSourceDeviceCategory | str | - |
| PanOSSourceDeviceHost | str | - |
| PanOSSourceDeviceMac | str | - |
| PanOSSourceDeviceModel | str | - |
| PanOSSourceDeviceOSFamily | str | - |
| PanOSSourceDeviceOSVersion | str | - |
| PanOSSourceDeviceProfile | str | - |
| PanOSSourceDeviceVendor | str | - |
| PanOSSourceDynamicAddressGroup | str | - |
| PanOSSourceEDL | str | - |
| PanOSSourceLocation | str | - |
| PanOSSourceRegion | str | - |
| PanOSSourceUser | str | - |
| PanOSSourceUserName | str | - |
| PanOSSourceUUID | str | - |
| PanOSSSLResponseTime | str | - |
| PanOSStage | str | - |
| PanOSTag | str | - |
| PanOSTemplate | str | - |
| PanOSThreatID | str | - |
| PanOSThreatCategory | str | - |
| PanOSTimeGeneratedHighResolution | str | - |
| PanOSTimestampDeviceIdentification | str | - |
| PanOSTunnel | str | - |
| PanOSTunnelType | str | - |
| PanOSUGFlags | str | - |
| PanOSURLCategoryList | str | - |
| PanOSURLCounter | str | - |
| PanOSUserIdentifiedBySource | str | - |
| PanOSVirtualSystem | str | - |
| PanOSVirtualSystemID | str | - |
| PanOSVirtualSystemName | str | - |
| PanOSXForwardedFor | str | - |
| PanOSXForwardedForIP | ip4 | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| priorityCode | str | - |
| cefTag | str | - |
| cefVersion | str | - |
| embDeviceVendor | str | - |
| embDeviceProduct | str | - |
| deviceVersion | str | - |
| signatureID | str | - |
| name | str | - |
| severity | str | - |
| _cefVer | str | - |
| cs1Label | str | - |
| cs1 | str | - |
| cs2Label | str | - |
| cs2 | str | - |
| suser | str | - |
| startTime | timestamp | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | - |

cef0.paloAltoNetworks.cortexXdrAgent

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| priorityCode | str | - |
| cefTag | str | - |
| cefVersion | str | - |
| embDeviceVendor | str | - |
| embDeviceProduct | str | - |
| deviceVersion | str | - |
| signatureID | str | - |
| name | str | - |
| severity | str | - |
| dvchost | str | - |
| shost | str | - |
| cat | str | - |
| end | timestamp | - |
| rt | timestamp | - |
| cs1Label | str | - |
| cs1 | str | - |
| cs2Label | str | - |
| cs2 | str | - |
| cs3Label | str | - |
| cs3 | str | - |
| cs4Label | str | - |
| cs4 | str | - |
| msg | str | - |
| tenantname | str | - |
| tenantCDLid | str | - |
| CSPaccountname | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

How is the data sent to Devo?

Learn more about the CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
