
Strata Logging Forwarding Threat Log Payload Structure

Schema for a forwarded PAN-OS threat log entry. Threat logs capture security events detected by the firewall's threat prevention engines, providing detailed information about malware, exploits, spyware, command-and-control traffic, and other detected threats.

Type: object Properties: 24

ThreatLogPayload is a JSON Structure definition published by Palo Alto Networks, describing 24 properties. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.

Properties

receive_time serial type subtype src dst sport dport proto app threat_name severity action direction threat_id rule_name src_zone dst_zone src_user url_or_filename device_name vsys log_forwarding_profile output_format

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/strata-logging-forwarding-threat-log-payload-structure.json",
  "name": "ThreatLogPayload",
  "description": "Schema for a forwarded PAN-OS threat log entry. Threat logs capture security events detected by the firewall's threat prevention engines, providing detailed information about malware, exploits, spyware, command-and-control traffic, and other detected threats.\n",
  "type": "object",
  "properties": {
    "receive_time": {
      "type": "datetime",
      "description": "Timestamp when the threat log entry was received by Strata Logging Service.\n"
    },
    "serial": {
      "type": "string",
      "description": "Serial number of the Palo Alto Networks device that generated this threat log entry.\n"
    },
    "type": {
      "type": "string",
      "description": "Log type identifier, always THREAT for threat log entries.\n",
      "enum": [
        "THREAT"
      ]
    },
    "subtype": {
      "type": "string",
      "description": "Threat log subtype indicating which threat prevention engine or signature category generated the detection event.\n",
      "enum": [
        "virus",
        "spyware",
        "vulnerability",
        "url",
        "wildfire",
        "wildfire-virus",
        "data",
        "file",
        "scan",
        "flood"
      ]
    },
    "src": {
      "type": "string",
      "description": "Source IP address of the session in which the threat was detected."
    },
    "dst": {
      "type": "string",
      "description": "Destination IP address of the session in which the threat was detected.\n"
    },
    "sport": {
      "type": "int32",
      "description": "Source port number of the session."
    },
    "dport": {
      "type": "int32",
      "description": "Destination port number of the session."
    },
    "proto": {
      "type": "string",
      "description": "IP protocol of the session."
    },
    "app": {
      "type": "string",
      "description": "Application identified by App-ID in the threat session."
    },
    "threat_name": {
      "type": "string",
      "description": "Name of the detected threat as defined in the Palo Alto Networks threat database and threat vault.\n"
    },
    "severity": {
      "type": "string",
      "description": "Severity level of the detected threat as defined by the threat signature or detection engine.\n",
      "enum": [
        "informational",
        "low",
        "medium",
        "high",
        "critical"
      ]
    },
    "action": {
      "type": "string",
      "description": "Action taken by the threat prevention engine in response to the detected threat.\n",
      "enum": [
        "alert",
        "allow",
        "deny",
        "drop",
        "reset-client",
        "reset-server",
        "reset-both",
        "block-url",
        "block-ip",
        "sinkhole"
      ]
    },
    "direction": {
      "type": "string",
      "description": "Direction of the detected attack relative to the network session flow.\n",
      "enum": [
        "client-to-server",
        "server-to-client"
      ]
    },
    "threat_id": {
      "type": "string",
      "description": "Unique numeric identifier for the threat signature from the Palo Alto Networks threat vault, carried in this payload as a string. Used for threat intelligence lookup and signature reference.\n"
    },
    "rule_name": {
      "type": "string",
      "description": "Name of the security policy rule that matched the session in which the threat was detected.\n"
    },
    "src_zone": {
      "type": "string",
      "description": "Source security zone of the threat session."
    },
    "dst_zone": {
      "type": "string",
      "description": "Destination security zone of the threat session."
    },
    "src_user": {
      "type": "string",
      "description": "Source user identity of the session, populated when User-ID is enabled."
    },
    "url_or_filename": {
      "type": "string",
      "description": "URL or filename associated with the detected threat, depending on the threat subtype.\n"
    },
    "device_name": {
      "type": "string",
      "description": "Hostname of the firewall that generated this threat log entry."
    },
    "vsys": {
      "type": "string",
      "description": "Virtual system name or identifier on the firewall."
    },
    "log_forwarding_profile": {
      "type": "string",
      "description": "Name of the log forwarding profile that forwarded this log entry.\n"
    },
    "output_format": {
      "type": "string",
      "description": "Output format in which this log entry was forwarded.",
      "enum": [
        "CSV",
        "LEEF",
        "CEF",
        "JSON",
        "PARQUET"
      ]
    }
  }
}