| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| act | | - | The action | | |
| actResult | | - | The result of an action | | |
| action | | - | The traffic processing action | | |
| actionName | | - | The user or service action | | |
| additionalEventData | | - | The additional event information that was not part of the request or response | | |
| alertCategories | | - | The list of alert categories | | |
| alertTitle | | - | The alert title | | |
| apiVersion | | - | The API version associated with the AwsApiCall eventType value | | |
| app | | - | The network protocol | | |
| appPkgName | | - | The app package name (if the subject is an app) | | |
| application | | - | The name of the requested application | | |
| applicationId | | - | The application ID | | |
| attachmentFileHashSha256s | | | The SHA-256 hash of the email attachment | | |
| attachmentFileHashes | | | The SHA-1 hash of the email attachment | | |
| attachmentFileName | | | The file name of an attachment | | |
| attachmentMd5 | | | The MD5 hash of the email attachment | | |
| attachmentUrls | | - | The URLs and URL sources extracted from the email attachment | - | |
| awsRegion | | - | The AWS region the request was made to | | |
| azId | | - | The Availability Zone ID | | |
| bytes | | - | The number of transmitted data bytes | | |
| category | | - | The event category | | |
| cloudAccountId | | - | The owner AWS account ID of the source network interface (account-id) | | |
| cloudTrailEventId | | - | The GUID generated by AWS CloudTrail to identify events | | |
| clusterId | | - | The cluster ID of the container | | |
| clusterName | | - | The cluster name of the container | | |
| cnt | | - | The total number of logs | | |
| containerId | | - | The Kubernetes container ID | | |
| containerImage | | - | The Kubernetes container image | | |
| containerImageDigest | | - | The Kubernetes container image digest | | |
| containerName | | - | The Kubernetes container name | | |
| cves | | - | The CVEs associated with this filter | | |
| dOSName | | - | The destination OS | | |
| dUser1 | | | The latest sign-in user of the destination | | |
| dhost | | | The destination hostname | | |
| direction | | - | The direction | | |
| dmac | | - | The destination MAC address | | |
| dnsQueryType | | - | The record type requested by the DNS protocol | | |
| dpt | | | The destination port | | |
| dst | | | The destination IP | | |
| dstEndpointGuid | | - | The destination host GUID on which the event was detected | | |
| dstEndpointHostName | | | The hostname of the destination device on which the event was detected | | |
| dstIpType | | - | The destination IP type | | |
| dstLocation | | - | The destination country | | |
| dstZone | | - | The destination zone of the session | | |
| duser | | | The email recipient | | |
| dvc | | - | The device IP | - | |
| dvchost | | - | The network device hostname | | |
| ecsTaskArn | | - | The list of ECS task ARNs | | |
| ecsTaskId | | - | The ECS task ID | | |
| endpointGuid | | - | The host endpoint GUID on which the event was detected | | |
| endpointHostName | | | The host name of the device on which the event was detected | | |
| endpointIp | | | The IP address of the endpoint on which the event was detected | | |
| errorCode | | - | The AWS service error code | | |
| errorMessage | | - | The error description | | |
| eventCase | | - | The AWS service that the request was made to | | |
| eventCategory | | - | The event category used in LookupEvents calls | | |
| eventDataLogonType | | - | The sign-in type of Windows Event 4624 (successful sign-in attempt) | | |
| eventId | | - | The event ID | | |
| eventName | | - | The log type | | |
| eventSource | | - | The AWS service the request was made to | | |
| eventSubName | | - | The event type sub-name | | |
| eventTime | | - | The time the agent or product detected the event | | |
| eventType | | - | The type of event that generated the event record | | |
| eventVersion | | - | The log event format version | | |
| fileHash | | | The SHA-1 hash of the file | | |
| fileHashMd5 | | | The MD5 hash of the file | | |
| fileHashSha256 | | | The SHA-256 hash of the file | | |
| fileName | | | The file name | | |
| fileOriginIP | | - | The IP address from which the file was downloaded | | |
| fileOriginUrl | | - | The URL from which the file was downloaded | | |
| filePath | | | The file path | | |
| fileSize | | - | The file size | | |
| fileType | | - | The file type | | |
| filterRiskLevel | | - | The top-level filter risk of the event | | |
| flowDirection | | - | The network interface traffic direction | | |
| flowId | | - | The connection ID | | |
| flowType | | - | The type of traffic (type) | | |
| fullPath | | | The full file path | | |
| groupId | | - | The group ID for the management scope filter | | |
| hostName | | | The hostname | | |
| httpReferer | | | The HTTP referer | | |
| httpRespContentType | | - | The HTTP response data content type | | |
| httpXForwardedFor | | - | The HTTP X-Forwarded-For header | | |
| idpName | | - | The identity provider | | |
| initiatedByUserIpAddress | | | The client IP of the user | | |
| initiatedByUserPrincipalName | | | The User Principal Name of the user | | |
| instanceId | | - | The instance ID | | |
| ipProto | | - | The protocol number (protocol) | | |
| isLocalAdmin | | - | Whether the user is a local administrator on the device | | |
| k8sNamespace | | - | The Kubernetes namespace of the container | | |
| k8sPodId | | - | The Kubernetes pod ID of the container | | |
| k8sPodName | | - | The Kubernetes pod name of the container | | |
| logReceivedTime | | - | The time when the XDR log was received | | |
| logStatus | | - | The VPC Flow Log status | | |
| logonUser | | | The sign-in user name | | |
| mailBccAddresses | | | The BCC address in the email header | | |
| mailCcAddresses | | | The CC address in the email header | | |
| mailDirection | | - | The email traffic direction | | |
| mailFromAddresses | | | The Mail From address in the email header | | |
| mailMsgId | | | The internet message ID of the email | | |
| mailMsgSubject | | | The email subject | | |
| mailToAddresses | | | The Mail To address in the email header | | |
| mailUrlsRealLink | | | The URL extracted from the email content | | |
| mailUrlsVisibleLink | | | The URL extracted from the email content | | |
| mailbox | | - | The target or primary email address | | |
| malFamily | | - | The threat family | | |
| malName | | - | The name of the detected malware | | |
| managementEvent | | - | The management event | | |
| monitoringLevel | | - | The cloud activity monitoring level | | |
| networkInterfaceId | | - | The network interface ID (interface-id) | | |
| objectAppLabel | | - | The app name | | |
| objectAppPackageName | | - | The app package name | | |
| objectCmd | | | The command line entry of the target process | | |
| objectFileHashMd5 | | | The MD5 hash of the target file | | |
| objectFileHashSha1 | | | The SHA-1 hash of the target process image or target file | | |
| objectFileHashSha256 | | | The SHA-256 hash of the target process image or target file | | |
| objectFileName | | | The object file name | | |
| objectFilePath | | | The file path of the target process image or target file | | |
| objectIps | | | The IP address resolved by the DNS protocol | | |
| objectPid | | - | The object process PID | | |
| objectRegistryData | | | The registry data contents | | |
| objectRegistryKeyHandle | | | The registry key path | | |
| objectRegistryOriginalData | | - | The original registry value data before modification | | |
| objectRegistryOriginalKeyHandle | | - | The original registry key before modification | | |
| objectRegistryOriginalValue | | - | The original registry value name before modification | | |
| objectRegistryValue | | | The registry value name | | |
| objectRegistryValueType | | - | The Windows Registry type ID | | |
| objectSessionIp | | | The remote device IP address | | |
| objectSigner | | - | The list of object process signers | | |
| objectSignerValid | | - | Whether each signer of the object process is valid | | |
| objectType | | - | The object type | | |
| objectUser | | | The user name of the target process launched by the current running process | | |
| objectUserDomain | | - | The owner domain of the target process launched by the current running process | | |
| objectVersionInfoOriginalFileName | | | The original file name from the version information of the object image | | |
| oldFileHash | | | The old file hash | | |
| pComp | | - | The component that made the detection | | |
| packets | | - | The number of transmitted data packets | | |
| parentCmd | | | The command line entry of the parent process | | |
| parentFileName | | - | The parent process name | | |
| parentPid | | - | The PID of the parent process | | |
| pktDstAddr | | | The packet-level destination IP | | |
| pktDstCloudServiceName | | - | The subset IP address range name for the cloud service destination IP (pkt-dst-aws-service) | | |
| pktSrcAddr | | | The packet-level source IP | | |
| pktSrcCloudServiceName | | - | The subset IP address range name for the cloud service source IP (pkt-src-aws-service) | | |
| pname | | - | The product name | | |
| policyName | | - | The name of the triggered policy | | |
| policyTreePath | | - | The policy tree path | | |
| policyUuid | | - | The policy UUID | | |
| previousObjectFileName | | | The previous object file name | | |
| previousObjectFilePath | | | The previous file path of the target process image or target file | | |
| principalName | | - | The user principal name used to sign in to the proxy | | |
| processCmd | | | The subject process command line | | |
| processFileHashMd5 | | | The MD5 hash of the subject process image | | |
| processFileHashSha1 | | | The SHA-1 hash of the subject process | | |
| processFileHashSha256 | | | The SHA-256 hash of the subject process image file | | |
| processFileName | | - | The file name of the subject process | | |
| processFilePath | | | The file path of the subject process | | |
| processFileRemoteAccess | | - | Whether there was remote access to the process file | | |
| processName | | | The image name of the process that triggered the event | | |
| processPid | | - | The PID of the subject process | | |
| processRemoteSessionDeviceName | | - | The remote device name of the process | | |
| processRemoteSessionIp | | | The remote device IP address of the process | | |
| processSigner | | - | The list of process signers in an endpoint or container | | |
| processUser | | | The user name of the process or the file creator | | |
| processUserDomain | | - | The owner domain of the subject process image | | |
| processVersionInfoOriginalFileName | | | The original file name from the version information of the process image | | |
| productCode | | - | The internal product code | | |
| profile | | - | The name of the triggered Threat Protection template or Data Loss Prevention profile | | |
| proto | | - | The transport network protocol | | |
| pver | | - | The product version | | |
| quarantineFilePath | | | The file path of the quarantined object | | |
| quarantineFileSha256 | | | The SHA-256 hash of the quarantined object | | |
| rating | | - | The credibility level | | |
| readOnly | | - | Whether the operation is read-only | | |
| recipientAccountId | | - | The account ID that received the event | | |
| regionCode | | - | The network interface AWS Region | | |
| reqDataSize | | - | The data volume transmitted over the transport layer by the client (in bytes) | | |
| requestClientApplication | | - | The HTTP user agent | | |
| requestID | | - | The request ID generated by the service | | |
| requestMethod | | - | The network protocol request method | | |
| requestParameters | | - | The parameters sent with the request | | |
| requests | | | The URLs of the request | | |
| resources | | - | The resources accessed in the event | | |
| respDataSize | | - | The data volume transmitted over the transport layer by the server (in bytes) | | |
| responseElements | | - | The response elements for create, update, and delete actions | | |
| ruleId | | - | The rule ID | | |
| ruleName | | - | The name of the rule that triggered the event | | |
| sOSName | | - | The source OS | | |
| sUser1 | | | The latest sign-in user of the source | | |
| samUser | | - | The user name of the SAM account | | |
| service | | - | The Microsoft 365 service where the activity occurred | | |
| serviceEventDetails | | - | The service event details | | |
| sessionEnd | | - | The session end time (in seconds) | | |
| sessionEndReason | | - | The reason why a session was terminated | | |
| sessionStart | | - | The session start time (in seconds) | | |
| severity | | - | The severity of the event | | |
| sharedEventID | | - | The AWS CloudTrail GUID (from the same AWS action sent to different AWS accounts) | | |
| shost | | | The source hostname | | |
| smac | | - | The source MAC address | | |
| sourceIPAddress | | | The request IP address (for service console actions: the customer resource; for AWS services: the DNS name) | | |
| spt | | | The source port | | |
| src | | | The source IP | | |
| srcEndpointGuid | | - | The source endpoint GUID on which the event was detected | | |
| srcEndpointHostName | | | The hostname of the source device on which the event was detected | | |
| srcFilePath | | | The file path that is moved or copied to another path | | |
| srcIpType | | - | The source IP type | | |
| srcLocation | | - | The source country | | |
| srcZone | | - | The source zone of the session | | |
| sslCertIssuerCommonName | | - | The issuer common name | | |
| subLocationId | | - | The sub-location ID | | |
| subLocationType | | - | The sub-location type | | |
| subnetId | | - | The subnet ID | | |
| suid | | | The username or mailbox | | |
| suser | | | The email sender | | |
| tacticId | | | The list of MITRE tactic IDs | | |
| tags | | | The detected technique ID based on the alert filter | | |
| tcpFlags | | - | The bitmask value of the FIN/SYN/RST/SYN-ACK TCP flags | | |
| techniqueId | | | The technique ID detected by the product agent based on a detection rule | | |
| tlsDetails | | - | The TLS details | | |
| trafficPath | | - | The egress traffic path number | | |
| urlCat | | - | The requested URL category | | |
| userAgent | | | The user agent or the agent through which the request was made | | |
| userDomain | | | The user domain | | |
| userIdentity | | - | The information about a user who made a request | | |
| uuid | | - | The unique key of the log entry | | |
| vendor | | - | The device vendor | | |
| vendorDeviceId | | - | The device ID | | |
| vendorLogId | | - | The vendor event log ID | | |
| vendorParsed | | - | The normalized event log (JSON format) | See the vendorParsed example value after the table | |
| vendorRaw | | - | The original event log string | See the vendorRaw example value after the table | |
| vpcEndpointId | | - | The VPC endpoint through which requests were made from a VPC to another AWS service | | |
| vpcId | | - | The VPC ID | | |
| vsysName | | - | The virtual system of the session | | |
| winEventId | | - | The Windows Event ID | | |

Example value for vendorParsed (the normalized event log in JSON format; the cefExtension value is truncated on the page):

```text
{"cefHeader": { "cefVersion": "0", "deviceVendor": "Palo Alto Networks","deviceProduct": "PAN-OS","deviceEventClassId": "Machine Learning found virus(599805)"},"cefExtension": "rt":".."}
```

Example value for vendorRaw (the original event log string):

```text
CEF:0|Palo Alto Networks|PAN-OS|10.2.9-h1|end|TRAFFIC|1|rt=Aug 12 2024 15:31:19 GMT deviceExternalId=021201072197 src=10.10.10.10 dst=10.10.10.11 sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 cs1Label=Rule cs1=TLC-to-nat-trust suser= duser= app=ping cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=TLC cs5Label=Destination Zone cs5=nat-trust deviceInboundInterface=ethernet1/6 deviceOutboundInterface=ethernet1/8 cs6Label=LogProfile cs6=PA440_to_Panorama cn1Label=SessionID cn1=19120 cnt=1 spt=0 dpt=0 sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x100019 proto=icmp act=allow flexNumber1Label=Total bytes flexNumber1=98 in=98 out=0 cn2Label=Packets cn2=1
```