| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | string | - | The action | | |
| action | string | - | The traffic processing action | | XDR for Cloud - AWS VPC Flow Logs |
| app | string | - | The network protocol | HTTP | |
| application | string | - | The name of the requested application | | |
| archFiles | ArchFileInfo[] | - | The file information extracted from detected files | - | |
| authType | string | - | The authorization type | Cookie | Trend Vision One Zero Trust Secure Access Internet Access |
| azId | string | - | The Availability Zone ID | apse2-az3 | XDR for Cloud - AWS VPC Flow Logs |
| bytes | int64 | - | The number of transmitted data bytes | 15044 | XDR for Cloud - AWS VPC Flow Logs |
| clientGroup | string | - | The client IP network group | | |
| clientHost | string | - | The client IP hostname | | Virtual Network Sensor |
| clientIp | string | | The endpoint IP | 10.64.23.45 | |
| clientMAC | string | - | The client MAC address | 00-08-e3-ff-fd-90 | |
| clientPort | uint32 | Port | The client port | 5566 | |
| clientProtocol | string | - | The client protocol | HTTP/1.1 | Trend Vision One Zero Trust Secure Access Internet Access |
| clientTls | string | - | The TLS version of the client | TLS 1.2 | Trend Vision One Zero Trust Secure Access Internet Access |
| cloudAccountId | string | - | The owner AWS account ID of the source network interface (account-id) | 123456789012 | XDR for Cloud - AWS VPC Flow Logs |
| cloudAppCat | string | - | The category of the event in Cloud Reputation Service | | Trend Vision One Zero Trust Secure Access Internet Access |
| cnt | int64 | - | The total number of logs | | Palo Alto Networks Next-Generation Firewalls |
| companyName | string | - | The company name | Trend Micro | Trend Vision One Zero Trust Secure Access Private Access |
| contentEncoding | string | - | The content encoding of the request or the response | gzip | Trend Vision One Zero Trust Secure Access Internet Access |
| dOSName | string | - | The destination OS | Windows | Palo Alto Networks Next-Generation Firewalls |
| dUser1 | string | UserAccount | The latest sign-in user of the destination | | Palo Alto Networks Next-Generation Firewalls |
| detectionType | string | - | The traffic detection (scan) type | | |
| deviceGUID | string | - | The GUID of a non-endpoint object such as a network appliance | d1142f61-5bdf-4a48-bee8-b35f7b6c2376 | |
| dhost | string | DomainName | The destination hostname | | Palo Alto Networks Next-Generation Firewalls |
| direction | string | - | The object transfer direction | Download | |
| dmac | string | - | The destination MAC address | a8:d0:e5:5c:cb:c5 | Palo Alto Networks Next-Generation Firewalls |
| dnsQueryType | string | - | The record type requested by the DNS protocol | A | |
| dpt | int32 | Port | The service destination port of the private application server (dstport) | 443 | |
| dst | string | | The destination IP (dstaddr) | | |
| dstLocation | string | - | The destination country | Japan | Palo Alto Networks Next-Generation Firewalls |
| dstZone | string | - | The destination zone of the Palo Alto Networks firewall session | LAB-Small | Palo Alto Networks Next-Generation Firewalls |
| duration | int64 | - | The time the scanner took to complete the scan (in milliseconds) | 1599465660123 | Trend Vision One Zero Trust Secure Access Internet Access |
| duser | string[] | EmailRecipient | The email recipient | p1234567@xxxxxx.tw | |
| dvc | string[] | - | The IP address of the Deep Discovery Inspector or Virtual Network Sensor appliance | | |
| dvchost | string | - | The network device hostname | | |
| e2eLatency | int64 | - | The end-to-end traffic latency time (in milliseconds) | 10000 | Trend Vision One Zero Trust Secure Access Internet Access |
| endpointGuid | string | EndpointID | The device GUID | | |
| endpointHostName | string | EndpointName | The hostname of the device on which the event was detected | | |
| eventId | string | - | The event ID | | |
| eventName | string | - | The name of the log event | | |
| eventSubName | string | - | The Zero Trust Secure Access - Internet Access cloud app action or the Palo Alto Networks firewall log sub-type | | |
| eventTime | int64 | - | The time the agent or product detected the event (epoch milliseconds) | 1657135700000 | |
| failedHTTPSInspection | bool | - | Whether the HTTPS traffic inspection failed | true | Trend Vision One Zero Trust Secure Access Internet Access |
| fileHash | string | FileSHA1 | The SHA-1 of the file that violated the policy | 1e15bf99022a9164708cebb3eace8fd61ad45cba | |
| fileHashSha256 | string | FileSHA2 | The SHA-256 of the file that violated the policy | ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93 | |
| fileName | string | | The name of the file that violated the policy | word.doc | |
| fileSize | int64 | - | The size of the file that violated the policy | 12134 | |
| fileType | string | - | The type of the file that violated the policy | Microsoft Words | |
| filterRiskLevel | string | - | The top-level risk level of the event | | Security Analytics Engine |
| flowDirection | string | - | The network interface traffic direction | | XDR for Cloud - AWS VPC Flow Logs |
| flowId | string | - | The network analysis flow ID | 6837014561409730558 | |
| flowType | string | - | The type of traffic (type) | | XDR for Cloud - AWS VPC Flow Logs |
| ftpTrans | FTPTrans[] | - | The transaction information of the FTP protocol | - | |
| groupId | | - | The group ID for the management scope filter | | |
| hostName | string | | The hostname | NJ-EFFY-ZHAO1 | |
| httpLocation | string | URL | The HTTP Location header | http://www.google.com.tw | |
| httpReferer | string | URL | The HTTP Referer header | http://www.google.com.tw | |
| httpXForwardedFor | string | - | The HTTP X-Forwarded-For header | 192.168.1.103, 192.168.1.104, 192.168.1.106 | |
| httpXForwardedForGroup | string | - | The X-Forwarded-For IP network group | | |
| httpXForwardedForHost | string | - | The X-Forwarded-For IP hostname | | Virtual Network Sensor |
| httpXForwardedForIp | string | | The X-Forwarded-For IP used by the network appliance | 192.168.1.103 | |
| instanceId | string | - | The instance ID | i-0c50d5961bcb2d47b | XDR for Cloud - AWS VPC Flow Logs |
| ipProto | int32 | - | The IP protocol number (protocol) | | XDR for Cloud - AWS VPC Flow Logs |
| isPrivateApp | bool | - | Whether the requested application is private | | Trend Vision One Zero Trust Secure Access Internet Access |
| isRetroScan | bool | - | Whether the event matches the Security Analytics Engine filter | true | Security Analytics Engine |
| ja3Hash | string | - | The JA3 hash | 478e74fad764c966f19c5232c7cdfc5a | |
| ja3sHash | string | - | The JA3S hash | 6d37fb1b3306d6e9f875650d8eb74b4f | |
| logReceivedTime | int64 | - | The time the XDR log was received (epoch milliseconds) | 1656324260000 | Security Analytics Engine |
| logStatus | string | - | The VPC Flow Log status | | XDR for Cloud - AWS VPC Flow Logs |
| mailMsgSubject | string | EmailSubject | The email subject | test | |
| malName | string | - | The name of the detected malware | - | Trend Vision One Zero Trust Secure Access Internet Access |
| mimeType | string | - | The MIME type or content type of the response body | text/html | |
| msgId | string | EmailMessageID | The service provider message ID | `<b03cf177d9bf4e2f834cd3a005b2cc4b@12345.com.tw>` | |
| networkInterfaceId | string | - | The network interface ID (interface-id) | eni-1235b8ca123456789 | XDR for Cloud - AWS VPC Flow Logs |
| objectId | string | - | The UUID of the Zero Trust Secure Access private access application | 6f1fe071-9636-4c99-9a4d-c9f6d409a4c8 | Trend Vision One Zero Trust Secure Access Private Access |
| objectIps | string[] | | The IP addresses resolved by the DNS protocol | | |
| originEventSourceType | string | - | The source type of the original event that matches the Security Analytics Engine filter | EVENT_SOURCE_NETWORK_ACTIVITY | Security Analytics Engine |
| originUUID | string[] | - | The UUID of the original event that matches the Security Analytics Engine filter | 5b3a70cb-f338-40fe-b17b-ab8f9aeedee7 | Security Analytics Engine |
| osName | string | - | The host OS name | | |
| overSsl | string | - | Whether the connection was made over SSL/TLS | YES | |
| packets | int64 | - | The number of transmitted data packets | 14 | XDR for Cloud - AWS VPC Flow Logs |
| pktDstAddr | string | | The packet-level destination IP | 10.0.0.71 | XDR for Cloud - AWS VPC Flow Logs |
| pktDstCloudServiceName | string | - | The subset IP address range name for the cloud service destination IP (pkt-dst-aws-service) | | XDR for Cloud - AWS VPC Flow Logs |
| pktSrcAddr | string | | The packet-level source IP | 52.95.128.179 | XDR for Cloud - AWS VPC Flow Logs |
| pktSrcCloudServiceName | string | - | The subset IP address range name for the cloud service source IP (pkt-src-aws-service) | | XDR for Cloud - AWS VPC Flow Logs |
| pname | string | - | The product name | | |
| policyName | string | - | The name of the triggered policy | | Palo Alto Networks Next-Generation Firewalls |
| policyTemplate | string[] | - | The Data Loss Prevention template name | Australia, New Zealand: Healthcare Template,Germany: Banking and Financial Information | Trend Vision One Zero Trust Secure Access Internet Access |
| policyTreePath | string | - | The policy tree path (endpoint only) | policyname1/policyname2/policyname3 | Security Analytics Engine |
| policyUuid | string | - | The policy UUID | afef0518-abd7-43e1-9b73-2f55c4c95a8e | |
| principalName | string | UserAccount | The User Principal Name | | |
| productCode | string | - | The internal product code | | |
| profile | string | - | The name of the triggered Threat Protection template or Data Loss Prevention profile | - | Trend Vision One Zero Trust Secure Access Internet Access |
| pver | string | - | The product version | 1 | |
| regionCode | string | - | The network interface AWS Region | ap-southeast-2 | XDR for Cloud - AWS VPC Flow Logs |
| reqAppVersion | string | - | The client application version number | SSH-2.0-OPENSSH_9.0 | Virtual Network Sensor |
| reqDataSize | uint64 | - | The data volume transmitted over the transport layer by the client (in bytes) | 15688 | |
| reqScannedBytes | uint64 | - | The data volume transmitted by the client (in bytes) | 4655 | |
| request | string | URL | The destination URL that the user is accessing | | |
| requestBase | string | | The URL domain | | |
| requestClientApplication | string | - | The HTTP user agent | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 | |
| requestDate | string | - | The HTTP Date header | Fri, 20 Oct 2017 06:02:09 GMT | |
| requestHeaders | string | - | The list of all HTTP request headers without sensitive information | Host: 192.168.1.201:8080 User-Agent: curl/7.78.0 Accept: */* | |
| requestMethod | string | - | The network protocol request method | POST | |
| requestMimeType | string | - | The type of request content | application/json; charset=utf-8 | |
| requestSize | int64 | - | The request length | 1324 | Trend Vision One Zero Trust Secure Access Internet Access |
| requests | string[] | URL | The URLs of the request | | |
| resolvedUrlGroup | string | - | The IP address FQDN network group | | |
| resolvedUrlIp | string | | The IP address of the FQDN | 142.251.43.3 | |
| resolvedUrlPort | uint32 | Port | The HTTP server port | 443 | |
| respAppVersion | string | - | The server application version number | SSH-2.0-OPENSSH_8.7 | Virtual Network Sensor |
| respArchFiles | ArchFileInfo[] | - | The file information extracted from files detected in the response direction | - | |
| respCode | string | - | The network protocol response code | | |
| respDataSize | uint64 | - | The data volume transmitted over the transport layer by the server (in bytes) | 7856 | |
| respDate | string | - | The HTTP response Date header | Fri, 20 Oct 2017 06:02:09 GMT | |
| respFileHash | string | FileSHA1 | The SHA-1 of the file detected in the response direction | f17d9c55dea88f9aec8f74363f01e918cffb4142 | |
| respFileHashSha256 | string | FileSHA2 | The SHA-256 of the file detected in the response direction | 5ad4396d67f0c9d54572f051e28e9e62f4010c269a953d25259b17ad5fab4fd5 | |
| respFileType | string | - | The file type detected in the response direction | PKZIP | |
| respHeaders | string | - | The list of all HTTP response headers without sensitive information | Accept-Ranges: bytes Content-Length: 68 Content-Type: - text/plain; charset=utf-8 Last-Modified: Thu, 19 Aug 2021 06:23:54 GMT Date: Thu, 19 Aug 2021 06:24:00 GMT | |
| respMethod | string | - | The response method | | |
| respScannedBytes | uint64 | - | The data volume transmitted by the server (in bytes) | 6654 | |
| responseSize | int64 | - | The response length | 1324 | Trend Vision One Zero Trust Secure Access Internet Access |
| ruleName | string | - | The name of the triggered cloud access rule | | |
| ruleUuid | string | - | The UUID of the risk control rule (risk assessment and control design) defined by Zero Trust Secure Access | 12340518-abd7-43e1-9b73-2f55c4c95a8e | Trend Vision One Zero Trust Secure Access Private Access |
| sOSName | string | - | The source OS | Windows 10 | Palo Alto Networks Next-Generation Firewalls |
| sUser1 | string | UserAccount | The latest sign-in user of the source | | Palo Alto Networks Next-Generation Firewalls |
| sender | string | - | The Zero Trust Internet Access gateway location: the roaming users or Trend Micro Web Security gateway that the web traffic passed through | ETL VPN | Trend Vision One Zero Trust Secure Access Internet Access |
| serverGroup | string | - | The server IP network group | | |
| serverHost | string | - | The server IP hostname | | Virtual Network Sensor |
| serverIp | string | | The server IP | 104.210.35.94 | |
| serverMAC | string | - | The server MAC address | 58-35-d9-de-4a-42 | |
| serverPort | uint32 | Port | The server port | 443 | |
| serverProtocol | string | - | The version of the HTTP protocol between the Service Gateway and the server/website | HTTP/1.1 | |
| serverRespTime | int64 | - | The time the server took to respond to the request (in milliseconds) | 1599465660123 | Trend Vision One Zero Trust Secure Access Internet Access |
| serverTls | string | - | The TLS version between the Service Gateway and the server/website | TLS 1.2 | |
| sessionEnd | int64 | - | The session end time (epoch seconds) | 1575462989 | |
| sessionEndReason | string | - | The reason why the session was terminated | | Palo Alto Networks Next-Generation Firewalls |
| sessionStart | int64 | - | The session start time (epoch seconds) | 1575462989 | |
| shost | string | DomainName | The source hostname | | Palo Alto Networks Next-Generation Firewalls |
| smac | string | - | The source MAC address | | Palo Alto Networks Next-Generation Firewalls |
| spt | int32 | Port | The virtual port of the source assigned to the Secure Access Module (srcport) | 57763 | |
| src | string | | The source IP (srcaddr) | | |
| srcLocation | string | - | The source country | Japan | Palo Alto Networks Next-Generation Firewalls |
| srcZone | string | - | The source zone of the Palo Alto Networks firewall session | LAB-Small | Palo Alto Networks Next-Generation Firewalls |
| sslCertCommonName | string | | The certificate common name | *.www.yahoo.com | |
| sslCertFingerprint | string | - | The certificate fingerprint | 3914af80223c833f26df001cbf342eff8a31aba1 | |
| sslCertIssuer | string | - | The issuer of the certificate | /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA | |
| sslCertSANs | string[] | - | The Subject Alternative Names of the certificate | | |
| sslCertSerialNumber | string | - | The certificate serial number | 0888b1ad2a593310593f47565a5a5a4a | |
| sslCertValidFrom | | - | The certificate validity start time | | |
| sslCertValidUntil | string | - | The certificate validity end time | 2018-11-21T02:43:28 | |
| status | string | - | The network analysis flow session status | 2 | |
| subLocationId | string | - | The sub-location ID | | XDR for Cloud - AWS VPC Flow Logs |
| subLocationType | string | - | The sub-location type | | XDR for Cloud - AWS VPC Flow Logs |
| subnetId | string | - | The subnet ID | subnet-aaaaaaaa012345678 | XDR for Cloud - AWS VPC Flow Logs |
| suid | | | The user name or IP address (IPv4) | | |
| suser | string | EmailSender | The email sender | P1234567_C12345@12345.com.tw | |
| tags | string[] | Technique | The detected technique ID based on the alert filter | | Security Analytics Engine |
| tcpFlags | int32 | - | The bitmask value of the FIN/SYN/RST/SYN-ACK TCP flags | | XDR for Cloud - AWS VPC Flow Logs |
| tlsJA3Fingerprint | string | - | The JA3 fingerprint | - | |
| tlsJA3SFingerprint | string | - | The raw JA3S string | 771,157,65281-15 | |
| tlsSelectedCipher | string | - | The selected cipher of the TLS protocol | c02f | |
| trafficPath | int32 | - | The egress traffic path number | | XDR for Cloud - AWS VPC Flow Logs |
| trafficType | string | - | The Zero Trust Internet Access gateway service mode (traffic type) | Forward | Trend Vision One Zero Trust Secure Access Internet Access |
| userDepartment | string | - | The user department | Sales | Trend Vision One Zero Trust Secure Access Internet Access |
| userDomain | string | | The Microsoft Entra ID domain or the domain of the Trend Micro Anti-Spam administrator portal user name | etlsystems.com | |
| uuid | string | - | The unique key of the log | | Security Analytics Engine |
| vpcId | string | - | The VPC ID | vpc-abcdefab012345678 | XDR for Cloud - AWS VPC Flow Logs |
| vsysName | string | - | The Palo Alto Networks virtual system of the session | vsys1 | Palo Alto Networks Next-Generation Firewalls |
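The table mixes units and trust levels that are easy to get wrong when writing detections: eventTime and logReceivedTime are epoch milliseconds while sessionStart and sessionEnd are epoch seconds; httpXForwardedFor is a client-supplied header and may disagree with clientIp; tcpFlags is a bitmask rather than a flag name. The following Python is an added example, not part of this reference and not Trend Micro code. It normalizes a record constructed from the Example column above and runs a few simple checks over it. The tcpFlags bit values (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, so SYN-ACK is 18) follow the TCP header and AWS VPC Flow Logs convention and are an assumption about this schema, as is the hypothetical tcpFlags value 19 in the sample record.

```python
"""Normalize and sanity-check a network-activity record using the field names above.

Added example; the record is constructed from the table's Example column.
Assumption: tcpFlags bit positions follow the TCP header / AWS VPC Flow Logs
convention (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32; SYN-ACK = SYN|ACK = 18).
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

TCP_FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

# Timestamp units as documented in the field table
MILLISECOND_FIELDS = ("eventTime", "logReceivedTime")
SECOND_FIELDS = ("sessionStart", "sessionEnd")

# Constructed sample record; values come from the table's Example column,
# except tcpFlags=19 (FIN|SYN|ACK), which is a hypothetical value.
SAMPLE_RECORD = {
    "eventTime": 1657135700000,
    "sessionStart": 1575462989,
    "sessionEnd": 1575462989,
    "clientIp": "10.64.23.45",
    "serverIp": "104.210.35.94",
    "serverPort": 443,
    "httpXForwardedFor": "192.168.1.103, 192.168.1.104, 192.168.1.106",
    "tcpFlags": 19,
    "failedHTTPSInspection": True,
    "ja3Hash": "478e74fad764c966f19c5232c7cdfc5a",
    "clientTls": "TLS 1.2",
}


def decode_tcp_flags(bitmask: int) -> list[str]:
    """Return the flag names set in a tcpFlags bitmask, lowest bit first."""
    return [name for name, bit in TCP_FLAG_BITS.items() if bitmask & bit]


def to_utc(record: dict, field: str) -> datetime:
    """Convert a timestamp field to an aware UTC datetime using its documented unit."""
    value = record[field]
    if field in MILLISECOND_FIELDS:
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    if field in SECOND_FIELDS:
        return datetime.fromtimestamp(value, tz=timezone.utc)
    raise KeyError(f"{field} is not a known timestamp field")


def xff_chain(record: dict) -> list[str]:
    """Split httpXForwardedFor into its hop list, dropping anything that is not an IP.

    The header is written by clients and proxies, so every hop is untrusted input;
    only the hop added by a proxy you control can be relied on.
    """
    hops = []
    for raw in record.get("httpXForwardedFor", "").split(","):
        raw = raw.strip()
        try:
            hops.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            continue  # empty or malformed entry
    return hops


def findings(record: dict) -> list[str]:
    """Run simple checks over a normalized record and return finding labels."""
    out = []
    if record.get("failedHTTPSInspection"):
        out.append("https-inspection-failed")
    flags = decode_tcp_flags(record.get("tcpFlags", 0))
    if "SYN" in flags and "ACK" not in flags:
        out.append("syn-without-ack")  # half-open connection or scan pattern
    hops = xff_chain(record)
    if hops and record.get("clientIp") and hops[0] != record["clientIp"]:
        out.append("xff-origin-differs-from-clientIp")
    if record.get("serverPort") == 443 and not record.get("ja3Hash"):
        out.append("tls-port-without-ja3")  # TLS not parsed, or not TLS at all
    return out


if __name__ == "__main__":
    print(to_utc(SAMPLE_RECORD, "eventTime").isoformat())
    print(decode_tcp_flags(SAMPLE_RECORD["tcpFlags"]))
    print(xff_chain(SAMPLE_RECORD))
    print(findings(SAMPLE_RECORD))
```

The X-Forwarded-For check is deliberately a finding rather than a verdict: on the sample record the first hop (192.168.1.103, the value httpXForwardedForIp also carries) differs from clientIp (10.64.23.45), which is normal when the sensor sits behind a proxy and meaningful when it does not. Converting with the wrong unit silently yields dates in 1970 or in the far future, so resolve the unit from the field name rather than guessing from the magnitude.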