ThreatLogPayload
Schema for a forwarded PAN-OS threat log entry. Threat logs capture security events detected by the firewall's threat prevention engines, providing detailed information about malware, exploits, spyware, command-and-control traffic, and other detected threats.
Properties
| Name | Type | Description |
|---|---|---|
| receive_time | string | Timestamp when the threat log entry was received by Strata Logging Service. |
| serial | string | Serial number of the Palo Alto Networks device that generated this threat log entry. |
| type | string | Log type identifier, always THREAT for threat log entries. |
| subtype | string | Threat log subtype indicating which threat prevention engine or signature category generated the detection event. |
| src | string | Source IP address of the session in which the threat was detected. |
| dst | string | Destination IP address of the session in which the threat was detected. |
| sport | integer | Source port number of the session. |
| dport | integer | Destination port number of the session. |
| proto | string | IP protocol of the session. |
| app | string | Application identified by App-ID in the threat session. |
| threat_name | string | Name of the detected threat as defined in the Palo Alto Networks threat database and threat vault. |
| severity | string | Severity level of the detected threat as defined by the threat signature or detection engine. |
| action | string | Action taken by the threat prevention engine in response to the detected threat. |
| direction | string | Direction in which the detected threat travelled relative to the session flow (client-to-server or server-to-client); read together with src/dst, this indicates which endpoint of the session the threat originated from. |
| threat_id | string | Unique identifier of the threat signature in the Palo Alto Networks threat vault, carried as a string even though its value is numeric. Used for threat intelligence lookup and signature reference. |
| rule_name | string | Name of the security policy rule that matched the session in which the threat was detected. |
| src_zone | string | Source security zone of the threat session. |
| dst_zone | string | Destination security zone of the threat session. |
| src_user | string | Source user identity if User-ID is enabled. |
| url_or_filename | string | URL or filename associated with the detected threat, depending on the threat subtype. The value is taken from the observed traffic and should be treated as untrusted data when displayed or parsed downstream. |
| device_name | string | Hostname of the firewall that generated this threat log entry. |
| vsys | string | Virtual system name or identifier on the firewall. |
| log_forwarding_profile | string | Name of the log forwarding profile that forwarded this log entry. |
| output_format | string | Output format in which this log entry was forwarded. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ThreatLogPayload",
"description": "Schema for a forwarded PAN-OS threat log entry. Threat logs capture security events detected by the firewall's threat prevention engines, providing detailed information about malware, exploits, spyware, command-and-control traffic, and other detected threats.\n",
"$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/strata-logging-forwarding-threat-log-payload-schema.json",
"type": "object",
"properties": {
"receive_time": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the threat log entry was received by Strata Logging Service.\n"
},
"serial": {
"type": "string",
"description": "Serial number of the Palo Alto Networks device that generated this threat log entry.\n"
},
"type": {
"type": "string",
"enum": [
"THREAT"
],
"description": "Log type identifier, always THREAT for threat log entries.\n"
},
"subtype": {
"type": "string",
"enum": [
"virus",
"spyware",
"vulnerability",
"url",
"wildfire",
"wildfire-virus",
"data",
"file",
"scan",
"flood"
],
"description": "Threat log subtype indicating which threat prevention engine or signature category generated the detection event.\n"
},
"src": {
"type": "string",
"description": "Source IP address of the session in which the threat was detected."
},
"dst": {
"type": "string",
"description": "Destination IP address of the session in which the threat was detected.\n"
},
"sport": {
"type": "integer",
"description": "Source port number of the session."
},
"dport": {
"type": "integer",
"description": "Destination port number of the session."
},
"proto": {
"type": "string",
"description": "IP protocol of the session."
},
"app": {
"type": "string",
"description": "Application identified by App-ID in the threat session."
},
"threat_name": {
"type": "string",
"description": "Name of the detected threat as defined in the Palo Alto Networks threat database and threat vault.\n"
},
"severity": {
"type": "string",
"enum": [
"informational",
"low",
"medium",
"high",
"critical"
],
"description": "Severity level of the detected threat as defined by the threat signature or detection engine.\n"
},
"action": {
"type": "string",
"enum": [
"alert",
"allow",
"deny",
"drop",
"reset-client",
"reset-server",
"reset-both",
"block-url",
"block-ip",
"sinkhole"
],
"description": "Action taken by the threat prevention engine in response to the detected threat.\n"
},
"direction": {
"type": "string",
"enum": [
"client-to-server",
"server-to-client"
],
"description": "Direction in which the detected threat travelled relative to the session flow (client-to-server or server-to-client); read together with src/dst, this indicates which endpoint of the session the threat originated from.\n"
},
"threat_id": {
"type": "string",
"description": "Unique identifier of the threat signature in the Palo Alto Networks threat vault, carried as a string even though its value is numeric. Used for threat intelligence lookup and signature reference.\n"
},
"rule_name": {
"type": "string",
"description": "Name of the security policy rule that matched the session in which the threat was detected.\n"
},
"src_zone": {
"type": "string",
"description": "Source security zone of the threat session."
},
"dst_zone": {
"type": "string",
"description": "Destination security zone of the threat session."
},
"src_user": {
"type": "string",
"description": "Source user identity if User-ID is enabled."
},
"url_or_filename": {
"type": "string",
"description": "URL or filename associated with the detected threat, depending on the threat subtype. The value is taken from the observed traffic and should be treated as untrusted data when displayed or parsed downstream.\n"
},
"device_name": {
"type": "string",
"description": "Hostname of the firewall that generated this threat log entry."
},
"vsys": {
"type": "string",
"description": "Virtual system name or identifier on the firewall."
},
"log_forwarding_profile": {
"type": "string",
"description": "Name of the log forwarding profile that forwarded this log entry.\n"
},
"output_format": {
"type": "string",
"enum": [
"CSV",
"LEEF",
"CEF",
"JSON",
"PARQUET"
],
"description": "Output format in which this log entry was forwarded."
}
}
}