cef0.paloAltoNetworks
Introduction
The tags beginning with cef0.paloAltoNetworks identify events in CEF format generated by Palo Alto Networks products.
Tag structure
Events in CEF format don’t have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
Tags | Data tables |
---|---|
cef0.paloAltoNetworks.cortexXdr | cef0.paloAltoNetworks.cortexXdr |
cef0.paloAltoNetworks.cortexXdrAgent | cef0.paloAltoNetworks.cortexXdrAgent |
cef0.paloAltoNetworks.cortexXsoar | cef0.paloAltoNetworks.cortexXsoar |
cef0.paloAltoNetworks.lf | cef0.paloAltoNetworks.lf |
cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar | cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar |
cef0.paloAltoNetworks.panOs | cef0.paloAltoNetworks.panOs |
cef0.paloaltonetworks.panwiot | cef0.paloaltonetworks.panwiot |
How is the data sent to Devo?
Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
Table structure
These are the fields displayed in each of these tables:
cef0.paloAltoNetworks.cortexXdr
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
_cefVer | | | |
act | | | |
app | | | |
cat | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
cs3Label | | | |
cs3 | | | |
cs4Label | | | |
cs4 | | | |
cs5Label | | | |
cs5 | | | |
cs6Label | | | |
cs6 | | | |
dst | | | |
dpt | | | |
end | | | |
deviceFacility | | | |
externalId | | | |
fileHash | | | |
filePath | | | |
request | | | |
shost | | | |
src | | | |
spt | | | |
suser | | | |
CSPaccountname | | | |
cgoSha256 | | | |
incident | | | |
initiatorPath | | | |
initiatorSha256 | | | |
osParentCmd | | | |
osParentName | | | |
osParentSha256 | | | |
osParentSignature | | | |
osParentSigner | | | |
targetprocesscmd | | | |
targetprocessname | | | |
targetprocesssha256 | | | |
targetprocesssignature | | | |
tenantCDLid | | | |
tenantname | | | |
hostchain | | | ✓ |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.cortexXdrAgent
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
dvchost | | | |
shost | | | |
cat | | | |
end | | | |
rt | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
cs3Label | | | |
cs3 | | | |
cs4Label | | | |
cs4 | | | |
msg | | | |
tenantname | | | |
tenantCDLid | | | |
CSPaccountname | | | |
hostchain | | | ✓ |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.cortexXsoar
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
machine | | | |
priority_code | | | |
cef_tag | | | |
cef_version | | | |
emb_device_vendor | | | |
emb_device_product | | | |
device_version | | | |
signature_id | | | |
name | | | |
severity | | | |
device_custom_string_1_label | | | |
device_custom_string_1 | | | |
device_custom_string_2_label | | | |
device_custom_string_2 | | | |
device_custom_string_3_label | | | |
device_custom_string_3 | | | |
device_custom_string_4_label | | | |
device_custom_string_4 | | | |
end | | | |
external_id | | | |
message | | | |
source_username | | | |
cs_paccountname | | | |
tenant_cd_lid | | | |
tenantname | | | |
hostchain | | | ✓ |
tag | | cef_tag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.lf
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
_cefVer | | | |
act | | | |
app | | | |
cat | | | |
c6a1Label | | | |
c6a1 | | | |
cn1Label | | | |
cn1 | | | |
cn2Label | | | |
cn2 | | | |
cn3Label | | | |
cn3 | | | |
cnt | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
cs3Label | | | |
cs3 | | | |
cs4Label | | | |
cs4 | | | |
cs5Label | | | |
cs5 | | | |
cs6Label | | | |
cs6 | | | |
destinationServiceName | | | |
destinationTranslatedAddress | | | |
destinationTranslatedPort | | | |
deviceExternalId | | | |
deviceInboundInterface | | | |
deviceOutboundInterface | | | |
dhost | | | |
dst | | | |
dpt | | | |
duser | | | |
dvchost | | | |
end | | | |
externalId | | | |
fileId | | | |
fname | | | |
in | | | |
msg | | | |
out | | | |
proto | | | |
reason | | | |
requestClientApplication | | | |
requestMethod | | | |
requestContext | | | |
request | | | |
rt | | | |
dtz | | | |
shost | | | |
sourceTranslatedAddress | | | |
sourceTranslatedPort | | | |
src | | | |
spt | | | |
start | | | |
suser | | | |
flexString2 | | | |
flexString2Label | | | |
PanOSAttemptedGateways | | | |
PanOSAuthMethod | | | |
PanOSBytes | | | |
PanOSChunksReceived | | | |
PanOSChunksSent | | | |
PanOSChunksTotal | | | |
PanOSConfigVersion | | | |
PanOSConnectionError | | | |
PanOSConnectionErrorID | | | |
PanOSConnectionMethod | | | |
PanOSContainerID | | | |
PanOSContainerName | | | |
PanOSContainerNameSpace | | | |
PanOSContentVersion | | | |
PanOSCountOfRepeats | | | |
PanOSDescription | | | |
PanOSDestinationDeviceCategory | | | |
PanOSDestinationDeviceHost | | | |
PanOSDestinationDeviceMac | | | |
PanOSDestinationDeviceModel | | | |
PanOSDestinationDeviceOSFamily | | | |
PanOSDestinationDeviceOSVersion | | | |
PanOSDestinationDeviceProfile | | | |
PanOSDestinationDeviceVendor | | | |
PanOSDestinationDynamicAddressGroup | | | |
PanOSDestinationEDL | | | |
PanOSDestinationLocation | | | |
PanOSDestinationUUID | | | |
PanOSDeviceGroup | | | |
PanOSDeviceName | | | |
PanOSDeviceSN | | | |
PanOSDGHierarchyLevel1 | | | |
PanOSDGHierarchyLevel2 | | | |
PanOSDGHierarchyLevel3 | | | |
PanOSDGHierarchyLevel4 | | | |
PanOSDynamicUserGroupName | | | |
PanOSEndpointAssociationID | | | |
PanOSEndpointDeviceName | | | |
PanOSEndpointOSType | | | |
PanOSEndpointOSVersion | | | |
PanOSEndpointSerialNumber | | | |
PanOSEndpointSN | | | |
PanOSEventDescription | | | |
PanOSEventIDValue | | | |
PanOSEventResult | | | |
PanOSEventStatus | | | |
PanOSEventTime | | | |
PanOSGateway | | | |
PanOSGatewayPriority | | | |
PanOSGatewaySelectionType | | | |
PanOSGlobalProtectClientVersion | | | |
PanOSGlobalProtectGatewayLocation | | | |
PanOSGPHostID | | | |
PanOSHASessionOwner | | | |
PanOSHipMatchType | | | |
PanOSHostID | | | |
PanOSHTTP2Connection | | | |
PanOSHTTPHeaders | | | |
PanOSIMEI | | | |
PanOSIMSI | | | |
PanOSInlineMLVerdict | | | |
PanOSLinkChangeCount | | | |
PanOSLinkSwitches | | | |
PanOSLoginDuration | | | |
PanOSNSSAINetworkSliceDifferentiator | | | |
PanOSNSSAINetworkSliceType | | | |
PanOSPacketsReceived | | | |
PanOSPacketsSent | | | |
PanOSParentSessionID | | | |
PanOSParentStarttime | | | |
PanOSPortal | | | |
PanOSPrivateIPv4 | | | |
PanOSPrivateIPv6 | | | |
PanOSPublicIPv4 | | | |
PanOSPublicIPv6 | | | |
PanOSQuarantineReason | | | |
PanOSReferer | | | |
PanOSRuleUUID | | | |
PanOSSDWANCluster | | | |
PanOSSDWANClusterType | | | |
PanOSSDWANDeviceType | | | |
PanOSSDWANPolicyName | | | |
PanOSSDWANSite | | | |
PanOSSequenceNo | | | |
PanOSSessionStartTime | | | |
PanOSSigFlags | | | |
PanOSSource | | | |
PanOSSourceDeviceCategory | | | |
PanOSSourceDeviceHost | | | |
PanOSSourceDeviceMac | | | |
PanOSSourceDeviceModel | | | |
PanOSSourceDeviceOSFamily | | | |
PanOSSourceDeviceOSVersion | | | |
PanOSSourceDeviceProfile | | | |
PanOSSourceDeviceVendor | | | |
PanOSSourceDynamicAddressGroup | | | |
PanOSSourceEDL | | | |
PanOSSourceLocation | | | |
PanOSSourceRegion | | | |
PanOSSourceUser | | | |
PanOSSourceUserName | | | |
PanOSSourceUUID | | | |
PanOSSSLResponseTime | | | |
PanOSStage | | | |
PanOSTag | | | |
PanOSTemplate | | | |
PanOSThreatID | | | |
PanOSThreatCategory | | | |
PanOSTimeGeneratedHighResolution | | | |
PanOSTimestampDeviceIdentification | | | |
PanOSTunnel | | | |
PanOSTunnelType | | | |
PanOSUGFlags | | | |
PanOSURLCategoryList | | | |
PanOSURLCounter | | | |
PanOSUserIdentifiedBySource | | | |
PanOSVirtualSystem | | | |
PanOSVirtualSystemID | | | |
PanOSVirtualSystemName | | | |
PanOSXForwardedFor | | | |
PanOSXForwardedForIP | | | |
hostchain | | | ✓ |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
_cefVer | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
suser | | | |
startTime | | | |
hostchain | | | ✓ |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
cef0.paloAltoNetworks.panOs
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priorityCode | | | |
cefTag | | | |
cefVersion | | | |
embDeviceVendor | | | |
embDeviceProduct | | | |
deviceVersion | | | |
signatureID | | | |
name | | | |
severity | | | |
_cefVer | | | |
act | | | |
app | | | |
cat | | | |
cn1Label | | | |
cn1 | | | |
cn2Label | | | |
cn2 | | | |
cn3Label | | | |
cn3 | | | |
cnt | | | |
cs1Label | | | |
cs1 | | | |
cs2Label | | | |
cs2 | | | |
cs3Label | | | |
cs3 | | | |
cs4Label | | | |
cs4 | | | |
cs5Label | | | |
cs5 | | | |
cs6Label | | | |
cs6 | | | |
destinationTranslatedAddress | | | |
destinationTranslatedPort | | | |
deviceExternalId | | | |
deviceInboundInterface | | | |
deviceOutboundInterface | | | |
dst | | | |
duser | | | |
dvchost | | | |
dvc | | | |
externalId | | | |
filePath | | | |
fileType | | | |
fname | | | |
in | | | |
msg | | | |
out | | | |
proto | | | |
request | | | |
rt | | | |
sourceTranslatedAddress | | | |
sourceTranslatedPort | | | |
spt | | | |
src | | | |
start | | | |
suser | | | |
agt | | | |
ahost | | | |
aid | | | |
arcSightEventPath | | | |
art | | | |
assetCriticality | | | |
at | | | |
atz | | | |
av | | | |
catdt | | | |
categoryBehavior | | | |
categoryDeviceGroup | | | |
categoryObject | | | |
categoryOutcome | | | |
customerID | | | |
customerURI | | | |
destinationAssetId | | | |
destinationGeoCountryCode | | | |
destinationGeoLocationInfo | | | |
destinationGeoPostalCode | | | |
destinationGeoRegionCode | | | |
destinationZoneExternalID | | | |
destinationZoneID | | | |
destinationZoneURI | | | |
deviceAssetId | | | |
deviceFacility | | | |
deviceSeverity | | | |
deviceZoneID | | | |
deviceZoneURI | | | |
dlat | | | |
dlong | | | |
dpt | | | |
dtz | | | |
eventAnnotationAuditTrail | | | |
eventAnnotationEndTime | | | |
eventAnnotationEventId | | | |
eventAnnotationFlags | | | |
eventAnnotationManagerReceiptTime | | | |
eventAnnotationModificationTime | | | |
eventAnnotationStageID | | | |
eventAnnotationStageUpdateTime | | | |
eventAnnotationStageURI | | | |
eventAnnotationVersion | | | |
eventId | | | |
flexNumber1 | | | |
flexNumber1Label | | | |
flexString1 | | | |
flexString1Label | | | |
flexString2 | | | |
flexString2Label | | | |
generatorID | | | |
locality | | | |
modelConfidence | | | |
mrt | | | |
priority | | | |
relevance | | | |
slat | | | |
slong | | | |
sourceAssetId | | | |
sourceGeoCountryCode | | | |
sourceGeoLocationInfo | | | |
sourceGeoPostalCode | | | |
sourceGeoRegionCode | | | |
sourceTranslatedZoneExternalID | | | |
sourceTranslatedZoneID | | | |
sourceTranslatedZoneURI | | | |
sourceZoneExternalID | | | |
sourceZoneID | | | |
sourceZoneURI | | | |
type | | | |
tag | | cefTag | ✓ |
rawMessage | | | ✓ |
hostchain | | | ✓ |
cef0.paloaltonetworks.panwiot
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
hostname | | | |
priority_code | | | |
cef_tag | | | |
cef_version | | | |
emb_device_vendor | | | |
emb_device_product | | | |
device_version | | | |
signature_id | | | |
name | | | |
severity | | | |
device_custom_string_1_label | | | |
device_custom_string_1 | | | |
device_custom_string_2_label | | | |
device_custom_string_2 | | | |
device_custom_string_3_label | | | |
device_custom_string_3 | | | |
device_custom_string_4_label | | | |
device_custom_string_4 | | | |
device_hostname | | | |
device_ip | | | |
device_mac | | | |
device_custom_string_10 | | | |
device_custom_string_10_label | | | |
device_custom_string_15 | | | |
device_custom_string_15_label | | | |
device_custom_string_16 | | | |
device_custom_string_16_label | | | |
device_custom_string_17 | | | |
device_custom_string_17_label | | | |
device_custom_string_22 | | | |
device_custom_string_22_label | | | |
device_custom_string_44 | | | |
device_custom_string_44_label | | | |
device_custom_string_7 | | | |
device_custom_string_7_label | | | |
device_custom_string_8 | | | |
device_custom_string_8_label | | | |
device_custom_string_9 | | | |
device_custom_string_9_label | | | |
hostchain | | | ✓ |
tag | | cef_tag | ✓ |
rawMessage | | | ✓ |