cef0.paloAltoNetworks

[ 1 Introduction ] [ 2 Tag structure ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Introduction

The tags beginning with cef0.paloAltoNetworks identify events in CEF format generated by Palo Alto.

Tag structure

Events in CEF format don’t have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

Tags	Data tables

Tags	Data tables
`cef0.paloAltoNetworks.cortexXdr`	`cef0.paloAltoNetworks.cortexXdr`
`cef0.paloAltoNetworks.cortexXdrAgent`	`cef0.paloAltoNetworks.cortexXdrAgent`
`cef0.paloAltoNetworks.cortexXsoar`	`cef0.paloAltoNetworks.cortexXsoar`
`cef0.paloAltoNetworks.lf`	`cef0.paloAltoNetworks.lf`
`cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar`	`cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar`
`cef0.paloAltoNetworks.panOs`	`cef0.paloAltoNetworks.panOs`
`cef0.paloaltonetworks.panwiot`	`cef0.paloaltonetworks.panwiot`

How is the data sent to Devo?

CEF data can be sent directly to Devo or by using a relay. To use the CEF default relay rule, send to the relay’s port 13000. Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Table structure

These are the fields displayed in this table:

cef0.paloAltoNetworks.cortexXdr
cef0.paloAltoNetworks.cortexXdrAgent
cef0.paloAltoNetworks.cortexXsoar
cef0.paloAltoNetworks.lf
cef0.paloAltoNetworks.paloAltoNetworksCortexXsoar
cef0.paloAltoNetworks.panOs
cef0.paloaltonetworks.panwiot

cef0.paloAltoNetworks.cortexXdr

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
priorityCode	`str`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
_cefVer	`str`
act	`str`
app	`str`
cat	`str`
cs1Label	`str`
cs1	`str`
cs2Label	`str`
cs2	`str`
cs3Label	`str`
cs3	`str`
cs4Label	`str`
cs4	`str`
cs5Label	`str`
cs5	`str`
cs6Label	`str`
cs6	`str`
dst	`ip4`
dpt	`str`
end	`timestamp`
deviceFacility	`str`
externalId	`int8`
fileHash	`str`
filePath	`str`
request	`str`
shost	`str`
src	`ip4`
spt	`int4`
suser	`str`
CSPaccountname	`str`
cgoSha256	`str`
incident	`str`
initiatorPath	`str`
initiatorSha256	`str`
osParentCmd	`str`
osParentName	`str`
osParentSha256	`str`
osParentSignature	`str`
osParentSigner	`str`
targetprocesscmd	`str`
targetprocessname	`str`
targetprocesssha256	`str`
targetprocesssignature	`str`
tenantCDLid	`str`
tenantname	`str`
hostchain	`str`		✓
tag	`str`	cefTag	✓
rawMessage	`str`		✓

cef0.paloAltoNetworks.cortexXdrAgent

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
priorityCode	`str`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
dvchost	`str`
shost	`str`
cat	`str`
end	`timestamp`
rt	`timestamp`
cs1Label	`str`
cs1	`str`
cs2Label	`str`
cs2	`str`
cs3Label	`str`
cs3	`str`
cs4Label	`str`
cs4	`str`
msg	`str`
tenantname	`str`
tenantCDLid	`str`
CSPaccountname	`str`
hostchain	`str`		✓
tag	`str`	cefTag	✓
rawMessage	`str`		✓

cef0.paloAltoNetworks.cortexXsoar

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`
priority_code	`str`
cef_tag	`str`
cef_version	`str`
emb_device_vendor	`str`
emb_device_product	`str`
device_version	`str`
signature_id	`str`
name	`str`
severity	`str`