Palo Alto Networks · Schema
ThreatLogPayload
Schema for a forwarded PAN-OS threat log entry. Threat logs capture security events detected by the firewall's threat prevention engines, providing detailed information about malware, exploits, spyware, command-and-control traffic, and other detected threats.
Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR
Properties
| Name | Type | Description |
|---|---|---|
| receive_time | string | Timestamp when the threat log entry was received by Strata Logging Service. |
| serial | string | Serial number of the Palo Alto Networks device that generated this threat log entry. |
| type | string | Log type identifier, always THREAT for threat log entries. |
| subtype | string | Threat log subtype indicating which threat prevention engine or signature category generated the detection event. |
| src | string | Source IP address of the session in which the threat was detected. |
| dst | string | Destination IP address of the session in which the threat was detected. |
| sport | integer | Source port number of the session. |
| dport | integer | Destination port number of the session. |
| proto | string | IP protocol of the session. |
| app | string | Application identified by App-ID in the threat session. |
| threat_name | string | Name of the detected threat as defined in the Palo Alto Networks threat database and threat vault. |
| severity | string | Severity level of the detected threat as defined by the threat signature or detection engine. |
| action | string | Action taken by the threat prevention engine in response to the detected threat. |
| direction | string | Direction of the detected attack relative to the network session flow. |
| threat_id | string | Unique numeric identifier for the threat signature from the Palo Alto Networks threat vault. Used for threat intelligence lookup and signature reference. |
| rule_name | string | Name of the security policy rule that matched the session in which the threat was detected. |
| src_zone | string | Source security zone of the threat session. |
| dst_zone | string | Destination security zone of the threat session. |
| src_user | string | Source user identity if User-ID is enabled. |
| url_or_filename | string | URL or filename associated with the detected threat, depending on the threat subtype. |
| device_name | string | Hostname of the firewall that generated this threat log entry. |
| vsys | string | Virtual system name or identifier on the firewall. |
| log_forwarding_profile | string | Name of the log forwarding profile that forwarded this log entry. |
| output_format | string | Output format in which this log entry was forwarded. |
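The following parser and triage check for this payload is an added example, not code from Palo Alto Networks. It assumes the entry arrives JSON-encoded with the field names above, that severity and action values are lower-case strings, and that the required-field set, the high/critical severity tier and the "alert"/"allow" non-blocking actions are this example's own choices rather than anything the schema states.

```python
import json

# Field name -> expected type, taken from the Properties table above.
INTEGER_FIELDS = {"sport", "dport"}
STRING_FIELDS = {
    "receive_time", "serial", "type", "subtype", "src", "dst", "proto", "app",
    "threat_name", "severity", "action", "direction", "threat_id", "rule_name",
    "src_zone", "dst_zone", "src_user", "url_or_filename", "device_name",
    "vsys", "log_forwarding_profile", "output_format",
}
# Assumption: the schema lists no required set; this is what a triage pipeline needs.
REQUIRED_FIELDS = {"receive_time", "serial", "type", "subtype", "src", "dst",
                   "sport", "dport", "threat_name", "severity", "action", "threat_id"}
# Assumptions: lower-case severity strings, "alert"/"allow" let the session continue.
HIGH_SEVERITY = {"high", "critical"}
NON_BLOCKING_ACTIONS = {"alert", "allow"}

def parse_threat_log(raw: str) -> dict:
    """Decode one JSON-encoded entry and enforce the schema's field types."""
    entry = json.loads(raw)
    missing = REQUIRED_FIELDS - set(entry)
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    if entry["type"] != "THREAT":
        raise ValueError(f"not a threat log entry: type={entry['type']!r}")
    for name in INTEGER_FIELDS & set(entry):
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(entry[name], bool) or not isinstance(entry[name], int):
            raise ValueError(f"{name} must be an integer")
    for name in STRING_FIELDS & set(entry):
        if not isinstance(entry[name], str):
            raise ValueError(f"{name} must be a string")
    return entry

def needs_review(entry: dict) -> bool:
    """True when a high/critical threat was only alerted on or allowed through."""
    return (entry["severity"].lower() in HIGH_SEVERITY
            and entry["action"].lower() in NON_BLOCKING_ACTIONS)

# Constructed sample entry; every value is a placeholder, not a real observation.
SAMPLE_ENTRY = json.dumps({
    "receive_time": "2024/01/15 10:22:31", "serial": "000000000000",
    "type": "THREAT", "subtype": "vulnerability", "src": "192.0.2.10",
    "dst": "198.51.100.20", "sport": 51234, "dport": 443, "proto": "tcp",
    "app": "web-browsing", "threat_name": "example-threat", "severity": "critical",
    "action": "alert", "direction": "client-to-server", "threat_id": "00000",
    "rule_name": "allow-web", "src_zone": "trust", "dst_zone": "untrust",
    "src_user": "", "url_or_filename": "", "device_name": "fw-edge-1",
    "vsys": "vsys1", "log_forwarding_profile": "to-siem", "output_format": "json",
})
```

Feeding the sample through `needs_review(parse_threat_log(SAMPLE_ENTRY))` returns True, because a critical-severity detection was only alerted on.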