Palo Alto Networks · JSON Structure

Cortex Xsiam Data Ingestion Log Data Payload Structure

The payload structure for raw log data ingestion via the XSIAM HTTP collector. Contains routing metadata to direct the log to the correct parsing pipeline, the raw log content, and optional event identification fields.

Type: object Properties: 8 Required: 8
Cloud SecurityCybersecurityFirewallNetwork SecuritySASESOARThreat IntelligenceXDR

LogDataPayload is a JSON Structure definition published by Palo Alto Networks, describing 8 properties, of which 8 are required. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.

Properties

dataset vendor product log_type raw_log timestamp tenant_id event_id

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

Raw ↑ 
{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/cortex-xsiam-data-ingestion-log-data-payload-structure.json",
  "name": "LogDataPayload",
  "description": "The payload structure for raw log data ingestion via the XSIAM HTTP collector. Contains routing metadata to direct the log to the correct parsing pipeline, the raw log content, and optional event identification fields.\n",
  "type": "object",
  "properties": {
    "dataset": {
      "type": "string",
      "description": "The target XSIAM dataset name that this log data should be indexed into. Dataset names correspond to XSIAM data lake tables and determine the schema applied during normalization.\n"
    },
    "vendor": {
      "type": "string",
      "description": "The name of the vendor that produced the log data. Used in combination with product and log_type to identify the correct parsing rule for normalizing the raw log content.\n"
    },
    "product": {
      "type": "string",
      "description": "The name of the specific product or component that generated the log. Used in combination with vendor and log_type to route the log to the appropriate XSIAM parsing pipeline.\n"
    },
    "log_type": {
      "type": "string",
      "description": "The log type identifier that classifies the nature of the log content, such as traffic, threat, authentication, or syslog. Used to select the correct normalization schema.\n"
    },
    "raw_log": {
      "type": "string",
      "description": "The raw log content in its original format as produced by the source system. May be a syslog message, CSV line, JSON string, CEF record, or any other log format supported by the configured XSIAM parsing rules.\n"
    },
    "timestamp": {
      "type": "datetime",
      "description": "The ISO 8601 date-time string indicating when this log event occurred at the source. If not provided, the ingestion receipt time is used as the event timestamp.\n"
    },
    "tenant_id": {
      "type": "string",
      "description": "The XSIAM tenant identifier that this log data belongs to. Used for multi-tenant environments to route data to the correct tenant data lake partition.\n"
    },
    "event_id": {
      "type": "string",
      "description": "A unique identifier for this individual log event, generated by the submitting system or the XSIAM ingestion service. Used for deduplication and event correlation tracking.\n"
    }
  },
  "required": [
    "dataset",
    "vendor",
    "product",
    "log_type",
    "raw_log",
    "timestamp",
    "tenant_id",
    "event_id"
  ]
}