Document toolboxDocument toolbox

cef0.paloAltoNetworks

Owned by Former user (Deleted)
Last updated: Jun 04, 2024 by Juan Tomás Alonso Nieto (Deactivated)
1 min read
[ 1 Introduction ] [ 2 Tag structure ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Introduction

The tags beginning with cef0.paloAltoNetworks identify events in CEF format generated by Palo Alto.

Tag structure

Events in CEF format don’t have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

Tags

Data tables

Tags

Data tables

cef0.paloAltoNetworks.cortexXdr

cef0.paloAltoNetworks.cortexXdr

cef0.paloAltoNetworks.cortexXdrAgent

cef0.paloAltoNetworks.cortexXdrAgent

cef0.paloAltoNetworks.cortexXsoar

cef0.paloAltoNetworks.cortexXsoar

cef0.paloAltoNetworks.lf

cef0.paloAltoNetworks.lf

cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar

cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar

cef0.paloAltoNetworks.panOs

cef0.paloAltoNetworks.panOs

cef0.paloaltonetworks.panwiot

cef0.paloaltonetworks.panwiot

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Table structure

These are the fields displayed in this table:

cef0.paloAltoNetworks.cortexXdr

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

priorityCode

str

 

 

cefTag

str

 

 

cefVersion

str

 

 

embDeviceVendor

str

 

 

embDeviceProduct

str

 

 

deviceVersion

str

 

 

signatureID

str

 

 

name

str

 

 

severity

str

 

 

_cefVer

str

 

 

act

str

 

 

app

str

 

 

cat

str

 

 

cs1Label

str

 

 

cs1

str

 

 

cs2Label

str

 

 

cs2

str

 

 

cs3Label

str

 

 

cs3

str

 

 

cs4Label

str

 

 

cs4

str

 

 

cs5Label

str

 

 

cs5

str

 

 

cs6Label

str

 

 

cs6

str

 

 

dst

ip4

 

 

dpt

str

 

 

end

timestamp

 

 

deviceFacility

str

 

 

externalId

int8

 

 

fileHash

str

 

 

filePath

str

 

 

request

str

 

 

shost

str

 

 

src

ip4

 

 

spt

int4

 

 

suser

str

 

 

CSPaccountname

str

 

 

cgoSha256

str

 

 

incident

str

 

 

initiatorPath

str

 

 

initiatorSha256

str

 

 

osParentCmd

str

 

 

osParentName

str

 

 

osParentSha256

str

 

 

osParentSignature

str

 

 

osParentSigner

str

 

 

targetprocesscmd

str

 

 

targetprocessname

str

 

 

targetprocesssha256

str

 

 

targetprocesssignature

str

 

 

tenantCDLid

str

 

 

tenantname

str

 

 

hostchain

str

 

✓

tag

str

cefTag

✓

rawMessage

str

 

✓

cef0.paloAltoNetworks.cortexXdrAgent

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

priorityCode

str

 

 

cefTag

str

 

 

cefVersion

str

 

 

embDeviceVendor

str

 

 

embDeviceProduct

str

 

 

deviceVersion

str

 

 

signatureID

str

 

 

name

str

 

 

severity

str

 

 

dvchost

str

 

 

shost

str

 

 

cat

str

 

 

end

timestamp

 

 

rt

timestamp

 

 

cs1Label

str

 

 

cs1

str

 

 

cs2Label

str

 

 

cs2

str

 

 

cs3Label

str

 

 

cs3

str

 

 

cs4Label

str

 

 

cs4

str

 

 

msg

str

 

 

tenantname

str

 

 

tenantCDLid

str

 

 

CSPaccountname

str

 

 

hostchain

str

 

✓

tag

str

cefTag

✓

rawMessage

str

 

✓

cef0.paloAltoNetworks.cortexXsoar

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

machine

str

 

 

priority_code

str

 

 

cef_tag

str

 

 

cef_version

str

 

 

emb_device_vendor

str

 

 

emb_device_product

str

 

 

device_version

str

 

 

signature_id

str

 

 

name

str

 

 

severity

str

 

 

device_custom_string_1_label

str

 

 

device_custom_string_1

str

 

 

device_custom_string_2_label

str

 

 

device_custom_string_2

str

 

 

device_custom_string_3_label

str

 

 

device_custom_string_3

str

 

 

device_custom_string_4_label

str

 

 

device_custom_string_4

str

 

 

end

timestamp

 

 

external_id

int8

 

 

message

str

 

 

source_username

str

 

 

cs_paccountname

str

 

 

tenant_cd_lid

str

 

 

tenantname

str

 

 

hostchain

str

 

✓

tag

str

cef_tag

✓

rawMessage

str

 

✓

cef0.paloAltoNetworks.lf

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

priorityCode

str

 

 

cefTag

str

 

 

cefVersion

str

 

 

embDeviceVendor

str

 

 

embDeviceProduct

str

 

 

deviceVersion

str

 

 

signatureID

str

 

 

name

str

 

 

severity

str

 

 

_cefVer

str

 

 

act

str

 

 

app

str

 

 

cat

str

 

 

c6a1Label

str

 

 

c6a1

str

 

 

cn1Label

str

 

 

cn1

int8

 

 

cn2Label

str

 

 

cn2

int8

 

 

cn3Label

str

 

 

cn3

int8

 

 

cnt

int4

 

 

cs1Label

str

 

 

cs1

str

 

 

cs2Label

str

 

 

cs2

str

 

 

cs3Label

str

 

 

cs3

str

 

 

cs4Label

str

 

 

cs4

str

 

 

cs5Label

str

 

 

cs5

str

 

 

cs6Label

str

 

 

cs6

str

 

 

destinationServiceName

str

 

 

destinationTranslatedAddress

ip4

 

 

destinationTranslatedPort

int4

 

 

deviceExternalId

str

 

 

deviceInboundInterface

str

 

 

deviceOutboundInterface

str

 

 

dhost

str

 

 

dst

ip4

 

 

dpt

int4

 

 

duser

str

 

 

dvchost

str

 

 

end

timestamp

 

 

externalId

int8

 

 

fileId

str

 

 

fname

str

 

 

in

int8

 

 

msg

str

 

 

out

int8

 

 

proto

str

 

 

reason

str

 

 

requestClientApplication

str

 

 

requestMethod

str

 

 

requestContext

str

 

 

request

str

 

 

rt

timestamp

 

 

dtz

str

 

 

shost

str

 

 

sourceTranslatedAddress

ip4

 

 

sourceTranslatedPort

int4

 

 

src

ip4

 

 

spt

int4

 

 

start

timestamp

 

 

suser

str

 

 

flexString2

str

 

 

flexString2Label

str

 

 

PanOSAttemptedGateways

str

 

 

PanOSAuthMethod

str

 

 

PanOSBytes

str

 

 

PanOSChunksReceived

str

 

 

PanOSChunksSent

str

 

 

PanOSChunksTotal

str

 

 

PanOSConfigVersion

str

 

 

PanOSConnectionError

str

 

 

PanOSConnectionErrorID

str

 

 

PanOSConnectionMethod

str

 

 

PanOSContainerID

str

 

 

PanOSContainerName

str

 

 

PanOSContainerNameSpace

str

 

 

PanOSContentVersion

str

 

 

PanOSCountOfRepeats

str

 

 

PanOSDescription

str

 

 

PanOSDestinationDeviceCategory

str

 

 

PanOSDestinationDeviceHost

str

 

 

PanOSDestinationDeviceMac

str

 

 

PanOSDestinationDeviceModel

str

 

 

PanOSDestinationDeviceOSFamily

str

 

 

PanOSDestinationDeviceOSVersion

str

 

 

PanOSDestinationDeviceProfile

str

 

 

PanOSDestinationDeviceVendor

str

 

 

PanOSDestinationDynamicAddressGroup

str

 

 

PanOSDestinationEDL

str

 

 

PanOSDestinationLocation

str

 

 

PanOSDestinationUUID

str

 

 

PanOSDeviceGroup

str

 

 

PanOSDeviceName

str

 

 

PanOSDeviceSN

str

 

 

PanOSDGHierarchyLevel1

str

 

 

PanOSDGHierarchyLevel2

str

 

 

PanOSDGHierarchyLevel3

str

 

 

PanOSDGHierarchyLevel4

str

 

 

PanOSDynamicUserGroupName

str

 

 

PanOSEndpointAssociationID

str

 

 

PanOSEndpointDeviceName

str

 

 

PanOSEndpointOSType

str

 

 

PanOSEndpointOSVersion

str

 

 

PanOSEndpointSerialNumber

str

 

 

PanOSEndpointSN

str

 

 

PanOSEventDescription

str

 

 

PanOSEventIDValue

str

 

 

PanOSEventResult

str

 

 

PanOSEventStatus

str

 

 

PanOSEventTime

timestamp

 

 

PanOSGateway

str

 

 

PanOSGatewayPriority

str

 

 

PanOSGatewaySelectionType

str

 

 

PanOSGlobalProtectClientVersion

str

 

 

PanOSGlobalProtectGatewayLocation

str

 

 

PanOSGPHostID

str

 

 

PanOSHASessionOwner

str

 

 

PanOSHipMatchType

str

 

 

PanOSHostID

str

 

 

PanOSHTTP2Connection

str

 

 

PanOSHTTPHeaders

str

 

 

PanOSIMEI

str

 

 

PanOSIMSI

str

 

 

PanOSInlineMLVerdict

str

 

 

PanOSLinkChangeCount

str

 

 

PanOSLinkSwitches

str

 

 

PanOSLoginDuration

str

 

 

PanOSNSSAINetworkSliceDifferentiator

str

 

 

PanOSNSSAINetworkSliceType

str

 

 

PanOSPacketsReceived

str

 

 

PanOSPacketsSent

str

 

 

PanOSParentSessionID

str

 

 

PanOSParentStarttime

timestamp

 

 

PanOSPortal

str

 

 

PanOSPrivateIPv4

ip4

 

 

PanOSPrivateIPv6

str

 

 

PanOSPublicIPv4

ip4

 

 

PanOSPublicIPv6

str

 

 

PanOSQuarantineReason

str

 

 

PanOSReferer

str

 

 

PanOSRuleUUID

str

 

 

PanOSSDWANCluster

str

 

 

PanOSSDWANClusterType

str

 

 

PanOSSDWANDeviceType

str

 

 

PanOSSDWANPolicyName

str

 

 

PanOSSDWANSite

str

 

 

PanOSSequenceNo

str

 

 

PanOSSessionStartTime

timestamp

 

 

PanOSSigFlags

str

 

 

PanOSSource

str

 

 

PanOSSourceDeviceCategory

str

 

 

PanOSSourceDeviceHost

str

 

 

PanOSSourceDeviceMac

str

 

 

PanOSSourceDeviceModel

str

 

 

PanOSSourceDeviceOSFamily

str

 

 

PanOSSourceDeviceOSVersion

str

 

 

PanOSSourceDeviceProfile

str

 

 

PanOSSourceDeviceVendor

str

 

 

PanOSSourceDynamicAddressGroup

str

 

 

PanOSSourceEDL

str

 

 

PanOSSourceLocation

str

 

 

PanOSSourceRegion

str

 

 

PanOSSourceUser

str

 

 

PanOSSourceUserName

str

 

 

PanOSSourceUUID

str

 

 

PanOSSSLResponseTime

str

 

 

PanOSStage

str

 

 

PanOSTag

str

 

 

PanOSTemplate

str

 

 

PanOSThreatID

str

 

 

PanOSThreatCategory

str

 

 

PanOSTimeGeneratedHighResolution

str

 

 

PanOSTimestampDeviceIdentification

str

 

 

PanOSTunnel

str

 

 

PanOSTunnelType

str

 

 

PanOSUGFlags

str

 

 

PanOSURLCategoryList

str

 

 

PanOSURLCounter

str

 

 

PanOSUserIdentifiedBySource

str

 

 

PanOSVirtualSystem

str

 

 

PanOSVirtualSystemID

str

 

 

PanOSVirtualSystemName

str

 

 

PanOSXForwardedFor

str

 

 

PanOSXForwardedForIP

ip4

 

 

hostchain

str

 

✓

tag

str

cefTag

✓

rawMessage

str

 

✓

cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

priorityCode

str

 

 

cefTag

str

 

 

cefVersion

str

 

 

embDeviceVendor

str

 

 

embDeviceProduct

str

 

 

deviceVersion

str

 

 

signatureID

str

 

 

name

str

 

 

severity

str

 

 

_cefVer

str

 

 

cs1Label

str

 

 

cs1

str

 

 

cs2Label

str

 

 

cs2

str

 

 

suser

str

 

 

startTime

timestamp

 

 

hostchain

str

 

✓

tag

str

cefTag

✓

rawMessage

str

 

✓

cef0.paloAltoNetworks.panOs

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

priorityCode

str

 

 

cefTag

str

 

 

cefVersion

str

 

 

embDeviceVendor

str

 

 

embDeviceProduct

str

 

 

deviceVersion

str

 

 

signatureID

str

 

 

name

str

 

 

severity

str

 

 

_cefVer

str

 

 

act

str

 

 

app

str

 

 

cat

str

 

 

cn1Label

str

 

 

cn1

int8

 

 

cn2Label

str

 

 

cn2

int8

 

 

cn3Label

str

 

 

cn3

int8

 

 

cnt

int4

 

 

cs1Label

str

 

 

cs1

str

 

 

cs2Label

str

 

 

cs2

str

 

 

cs3Label

str

 

 

cs3

str

 

 

cs4Label

str

 

 

cs4

str

 

 

cs5Label

str

 

 

cs5

str

 

 

cs6Label

str

 

 

cs6

str

 

 

destinationTranslatedAddress

ip4

 

 

destinationTranslatedPort

int4

 

 

deviceExternalId

str

 

 

deviceInboundInterface

str

 

 

deviceOutboundInterface

str

 

 

dst

ip4

 

 

duser

str

 

 

dvchost

str

 

 

dvc

ip4

 

 

externalId

str

 

 

filePath

str

 

 

fileType

str

 

 

fname

str

 

 

in

int8

 

 

msg

str

 

 

out

int8

 

 

proto

str

 

 

request

str

 

 

rt

timestamp

 

 

sourceTranslatedAddress

ip4

 

 

sourceTranslatedPort

int4

 

 

spt

int4

 

 

src

ip4

 

 

start

timestamp

 

 

suser

str

 

 

agt

ip4

 

 

ahost

str

 

 

aid

str

 

 

arcSightEventPath

str

 

 

art

str

 

 

assetCriticality

int4

 

 

at

str

 

 

atz

str

 

 

av

str

 

 

catdt

str

 

 

categoryBehavior

str

 

 

categoryDeviceGroup

str

 

 

categoryObject

str

 

 

categoryOutcome

str

 

 

customerID

str

 

 

customerURI

str

 

 

destinationAssetId

str

 

 

destinationGeoCountryCode

str

 

 

destinationGeoLocationInfo

str

 

 

destinationGeoPostalCode

str

 

 

destinationGeoRegionCode

str

 

 

destinationZoneExternalID

str

 

 

destinationZoneID

str

 

 

destinationZoneURI

str

 

 

deviceAssetId

str

 

 

deviceFacility

str

 

 

deviceSeverity

str

 

 

deviceZoneID

str

 

 

deviceZoneURI

str

 

 

dlat

float8

 

 

dlong

float8

 

 

dpt

int4

 

 

dtz

str

 

 

eventAnnotationAuditTrail

str

 

 

eventAnnotationEndTime

timestamp

 

 

eventAnnotationEventId

str

 

 

eventAnnotationFlags

str

 

 

eventAnnotationManagerReceiptTime

timestamp

 

 

eventAnnotationModificationTime

timestamp

 

 

eventAnnotationStageID

str

 

 

eventAnnotationStageUpdateTime

timestamp

 

 

eventAnnotationStageURI

str

 

 

eventAnnotationVersion

int4

 

 

eventId

str

 

 

flexNumber1

int4

 

 

flexNumber1Label

str

 

 

flexString1

str

 

 

flexString1Label

str

 

 

flexString2

str

 

 

flexString2Label

str

 

 

generatorID

str

 

 

locality

int4

 

 

modelConfidence

int4

 

 

mrt

timestamp

 

 

priority

int4

 

 

relevance

int4

 

 

slat

float8

 

 

slong

float8

 

 

sourceAssetId

str

 

 

sourceGeoCountryCode

str

 

 

sourceGeoLocationInfo

str

 

 

sourceGeoPostalCode

str

 

 

sourceGeoRegionCode

str

 

 

sourceTranslatedZoneExternalID

str

 

 

sourceTranslatedZoneID

str

 

 

sourceTranslatedZoneURI

str

 

 

sourceZoneExternalID

str

 

 

sourceZoneID

str

 

 

sourceZoneURI

str

 

 

type

int4

 

 

tag

str

cefTag

✓

rawMessage

str

 

✓

hostchain

str

 

✓

cef0.paloaltonetworks.panwiot

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

hostname

str

 

 

priority_code

str

 

 

cef_tag

str

 

 

cef_version

str

 

 

emb_device_vendor

str

 

 

emb_device_product

str

 

 

device_version

str

 

 

signature_id

str

 

 

name

str

 

 

severity

str

 

 

device_custom_string_1_label

str

 

 

device_custom_string_1

str

 

 

device_custom_string_2_label

str

 

 

device_custom_string_2

str

 

 

device_custom_string_3_label

str

 

 

device_custom_string_3

str

 

 

device_custom_string_4_label

str

 

 

device_custom_string_4

str

 

 

device_hostname

str

 

 

device_ip

ip4

 

 

device_mac

str

 

 

device_custom_string_10

str

 

 

device_custom_string_10_label

str

 

 

device_custom_string_15

str

 

 

device_custom_string_15_label

str

 

 

device_custom_string_16

str

 

 

device_custom_string_16_label

str

 

 

device_custom_string_17

str

 

 

device_custom_string_17_label

str

 

 

device_custom_string_22

str

 

 

device_custom_string_22_label

str

 

 

device_custom_string_44

str

 

 

device_custom_string_44_label

str

 

 

device_custom_string_7

str

 

 

device_custom_string_7_label

str

 

 

device_custom_string_8

str

 

 

device_custom_string_8_label

str

 

 

device_custom_string_9

str

 

 

device_custom_string_9_label

str

 

 

hostchain

str

 

✓

tag

str

cef_tag

✓

rawMessage

str

 

✓