| Field Name | Type | General Field | Description | Example | Products |
| --- | --- | --- | --- | --- | --- |
| act |  | - | The action |  |  |
| action |  | - | The traffic processing action |  |  |
| app |  | - | The network protocol |  |  |
| application |  | - | The name of the requested application |  |  |
| archFiles |  | - | The file information extracted from detected files |  |  |
| authType |  | - | The authentication method |  |  |
| azId |  | - | The Availability Zone ID |  |  |
| bytes |  | - | The number of transmitted data bytes |  |  |
| clientGroup |  | - | The client IP network group |  |  |
| clientHost |  | - | The client IP hostname |  |  |
| clientIp |  |  | The endpoint IP |  |  |
| clientMAC |  | - | The client MAC address |  |  |
| clientPort |  |  | The client port |  |  |
| clientProtocol |  | - | The client protocol |  |  |
| clientTls |  | - | The transport layer security of the client |  |  |
| cloudAccountId |  | - | The owner AWS account ID of the source network interface (account-id) |  |  |
| cloudAppCat |  | - | The category of the event in Cloud Reputation Service |  |  |
| companyName |  | - | The company name |  |  |
| contentEncoding |  | - | The content encoding of the request or the response |  |  |
| dUser1 |  |  | The latest sign-in user of the destination |  |  |
| detectionType |  | - | The traffic detection type |  |  |
| deviceGUID |  | - | The non-endpoint object such as a network appliance |  |  |
| dhost |  |  | The destination hostname |  |  |
| direction |  | - | The object transfer direction |  |  |
| dnsQueryType |  | - | The record type requested by the DNS protocol |  |  |
| dpt |  |  | The service destination port of the private application server (dstport) |  |  |
| dst |  |  | The destination IP (dstaddr) |  |  |
| dstLocation |  | - | The destination country |  |  |
| duration |  | - | The time it took the scanner to complete the scan (in milliseconds) |  |  |
| duser |  |  | The email recipient |  |  |
| dvc |  | - | The IP address of the Deep Discovery Inspector or Virtual Network Sensor appliance |  |  |
| dvchost |  | - | The network device hostname |  |  |
| e2eLatency |  | - | The end-to-end traffic latency time (in milliseconds) |  |  |
| endpointGuid |  |  | The device GUID |  |  |
| endpointHostName |  |  | The hostname of the device on which the event was detected |  |  |
| eventId |  | - | The event ID |  |  |
| eventName |  | - | The name of the log event |  |  |
| eventSubName |  | - | The Zero Trust Secure Access - Internet Access cloud app action or the Palo Alto Networks firewall log sub-type |  |  |
| eventTime |  | - | The time the agent or product detected the event |  |  |
| failedHTTPSInspection |  | - | Whether something failed HTTPS traffic inspection |  |  |
| fileHash |  |  | The SHA-1 of the file that violated the policy |  |  |
| fileHashSha256 |  |  | The SHA-256 of the file that violated the policy |  |  |
| fileName |  |  | The name of the file that violated the policy |  |  |
| fileSize |  | - | The size of the file that is violating the policy |  |  |
| fileType |  | - | The type of file which is violating the policy |  |  |
| filterRiskLevel |  | - | The top-level risk level of the event |  |  |
| flowDirection |  | - | The network interface traffic direction |  |  |
| flowId |  | - | The network analysis flow ID |  |  |
| flowType |  | - | The type of traffic (type) |  |  |
| ftpTrans |  | - | The transaction information of the FTP protocol |  |  |
| groupId |  | - | The group ID for the management scope filter |  |  |
| hostName |  |  | The hostname |  |  |
| httpLocation |  |  | The HTTP location header |  |  |
| httpReferer |  |  | The HTTP referrer header |  |  |
| httpXForwardedFor |  | - | The HTTP X-Forwarded-For header |  |  |
| httpXForwardedForGroup |  | - | The X-Forwarded-For IP network group |  |  |
| httpXForwardedForHost |  | - | The X-Forwarded-For IP hostname |  |  |
| httpXForwardedForIp |  |  | The X-Forwarded-For IP used by the network appliance |  |  |
| instanceId |  | - | The instance ID |  |  |
| ipProto |  | - | The protocol number (protocol) |  |  |
| isPrivateApp |  | - | Whether the requested application is private |  |  |
| isRetroScan |  | - | Whether the event matches the Security Analytics Engine filter |  |  |
| ja3Hash |  | - | The JA3 hash |  |  |
| ja3sHash |  | - | The JA3S hash |  |  |
| logReceivedTime |  | - | The time when the XDR log was received |  |  |
| logStatus |  | - | The VPC Flow Log status |  |  |
| mailMsgSubject |  |  | The email subject |  |  |
| malName |  | - | The name of the detected malware | - |  |
| mimeType |  | - | The MIME type or content type of the response body |  |  |
| msgId |  |  | The service provider message ID |  |  |
| networkInterfaceId |  | - | The network interface ID (interface-id) |  |  |
| objectId |  | - | The UUID of the Zero Trust Secure Access private access application |  |  |
| objectIps |  |  | The IP address resolved by the DNS protocol |  |  |
| originEventSourceType |  | - | The source type of the original event which matches the Security Analytics Engine filter |  |  |
| originUUID |  | - | The UUID of the original event which matches the Security Analytics Engine filter |  |  |
| osName |  | - | The host OS name |  |  |
| overSsl |  | - | Whether there is SSL protocol connection |  |  |
| packets |  | - | The number of transmitted data packets |  |  |
| pktDstAddr |  |  | The packet level destination IP |  |  |
| pktDstCloudServiceName |  | - | The subset IP address range name for cloud service destination IP (pkt-dst-aws-service) |  |  |
| pktSrcAddr |  |  | The packet level source IP |  |  |
| pktSrcCloudServiceName |  | - | The subset IP address range name for cloud service source IP (pkt-src-aws-service) |  |  |
| pname |  | - | The product name |  |  |
| policyTemplate |  | - | The Data Loss Prevention template name |  |  |
| policyTreePath |  | - | The policy tree path (endpoint only) |  |  |
| policyUuid |  | - | The policy UUID |  |  |
| principalName |  |  | The User Principal Name |  |  |
| productCode |  | - | The internal product code |  |  |
| profile |  | - | The name of the triggered Threat Protection template or Data Loss Prevention profile | - |  |
| pver |  | - | The product version |  |  |
| regionCode |  | - | The network interface AWS Region |  |  |
| reqAppVersion |  | - | The client application version number |  |  |
| reqDataSize |  | - | The data volume transmitted over the transport layer by the client (in bytes) |  |  |
| reqScannedBytes |  | - | The data volume transmitted by the client (in bytes) |  |  |
| request |  |  | The destination URL that the user is accessing |  |  |
| requestBase |  |  | The URL domain |  |  |
| requestClientApplication |  | - | The HTTP user agent |  |  |
| requestDate |  | - | The HTTP date header |  |  |
| requestHeaders |  | - | The list of all HTTP headers without sensitive information |  |  |
| requestMethod |  | - | The network protocol request method |  |  |
| requestMimeType |  | - | The type of request content |  |  |
| requestSize |  | - | The request length |  |  |
| requests |  |  | The URLs of the request |  |  |
| resolvedUrlGroup |  | - | The IP address FQDN network group |  |  |
| resolvedUrlIp |  |  | The IP address of the FQDN |  |  |
| resolvedUrlPort |  |  | The HTTP server port |  |  |
| respAppVersion |  | - | The server application version number |  |  |
| respArchFiles |  | - | The file information extracted from files detected in response direction |  |  |
| respCode |  | - | The network protocol response code |  |  |
| respDataSize |  | - | The data volume transmitted over the transport layer by the server (in bytes) |  |  |
| respDate |  | - | The HTTP response date header |  |  |
| respFileHash |  |  | The SHA-1 of the file detected in the response direction |  |  |
| respFileHashSha256 |  |  | The SHA-256 of the file detected in the response direction |  |  |
| respFileType |  | - | The file type detected in the response direction |  |  |
| respHeaders |  | - | The list of all HTTP response headers without sensitive information |  |  |
| respMethod |  | - | The response method |  |  |
| respScannedBytes |  | - | The data volume transmitted by the server (in bytes) |  |  |
| responseSize |  | - | The response length |  |  |
| ruleName |  | - | The name of the triggered cloud access rule |  |  |
| ruleUuid |  | - | The risk assessment and control design that is defined by Zero Trust Secure Access risk control rules |  |  |
| sUser1 |  |  | The latest sign-in user of the source |  |  |
| sender |  | - | The Zero Trust Internet Access gateway location |  |  |
| serverGroup |  | - | The server IP network group |  |  |
| serverHost |  | - | The server IP hostname |  |  |
| serverIp |  |  | The server IP |  |  |
| serverMAC |  | - | The server MAC address |  |  |
| serverPort |  |  | The server port |  |  |
| serverProtocol |  | - | The version of the HTTP protocol between the Service Gateway and server/website |  |  |
| serverRespTime |  | - | The time the server took to respond to the request (in milliseconds) |  |  |
| serverTls |  | - | The TLS version between the Service Gateway and server/website |  |  |
| sessionEnd |  | - | The session end time (in seconds) |  |  |
| sessionEndReason |  | - | The reason why a session was terminated |  |  |
| sessionStart |  | - | The session start time (in seconds) |  |  |
| shost |  |  | The source hostname |  |  |
| spt |  |  | The virtual port of the source assigned to the Secure Access Module (srcport) |  |  |
| src |  |  | The source IP (srcaddr) |  |  |
| srcLocation |  | - | The source country |  |  |
| sslCertCommonName |  |  | The certificate common name |  |  |
| sslCertFingerprint |  | - | The certificate fingerprint |  |  |
| sslCertIssuer |  | - | The issuer of the certificate |  |  |
| sslCertSANs |  | - | The Subject Alternative Name of the certificate |  |  |
| sslCertSerialNumber |  | - | The certificate serial number |  |  |
| sslCertValidFrom |  | - | The certificate validity start time |  |  |
| sslCertValidUntil |  | - | The certificate validity end time |  |  |
| status |  | - | The network analysis flow session status |  |  |
| subLocationId |  | - | The sub-location ID |  |  |
| subLocationType |  | - | The sub-location type |  |  |
| subnetId |  | - | The subnet ID |  |  |
| suid |  |  | The user name or IP address (IPv4) |  |  |
| suser |  |  | The email sender |  |  |
| tags |  |  | The detected technique ID based on the alert filter |  |  |
| tcpFlags |  | - | The bitmask value of the FIN/SYN/RST/SYN-ACK TCP flags |  |  |
| tlsJA3Fingerprint |  | - | The JA3 fingerprint | - |  |
| tlsJA3SFingerprint |  | - | The raw JA3S |  |  |
| tlsSelectedCipher |  | - | The selected cipher of the TLS protocol |  |  |
| trafficPath |  | - | The egress traffic path number |  |  |
| trafficType |  | - | The Zero Trust Internet Access gateway service mode |  |  |
| userDepartment |  | - | The user department request method |  |  |
| userDomain |  |  | The Active Directory domain or the user domain for the TMAS admin portal |  |  |
| uuid |  | - | The unique key of the log |  |  |
| vpcId |  | - | The VPC ID |  |  |