Palo Alto Networks · Schema
WildfireLogPayload
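Schema for a forwarded PAN-OS WildFire submission log entry. WildFire logs record the results of file analysis by the WildFire cloud-based sandbox malware analysis service, providing verdicts and analysis report links for detected threats. The JSON Schema shown below declares no `required` properties and does not restrict additional properties, so a record that passes validation is not guaranteed to carry any particular field; consumers that alert on `verdict` or `file_hash` should check for their presence explicitly.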
Cloud Security · Cybersecurity · Firewall · Network Security · SASE · SOAR · Threat Intelligence · XDR
Properties
| Name | Type | Description |
|---|---|---|
| receive_time | string | Timestamp when the WildFire log entry was received by Strata Logging Service (declared with the `date-time` format in the schema). |
| serial | string | Serial number of the Palo Alto Networks device that submitted the file to WildFire and generated this log entry. |
| type | string | Log type identifier, always WILDFIRE for WildFire log entries. |
| src | string | Source IP address of the session from which the file was captured. |
| dst | string | Destination IP address of the session from which the file was captured. |
| app | string | Application identified by App-ID in the session from which the file was captured. |
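| filename | string | Name of the file that was submitted to WildFire for analysis. The name is taken from the captured session, so consumers should handle it as untrusted text when displaying or parsing it. |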
| filetype | string | File type of the submitted file (e.g., PE, PDF, APK, Adobe Flash, Microsoft Office, script, Java Applet). |
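| file_hash | string | SHA-256 cryptographic hash of the submitted file, used as the unique file identifier in the WildFire cloud database. The schema does not constrain the string's length or character set, so consumers should validate the value (normally 64 hexadecimal characters) before using it in lookups. |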
| file_size | integer | Size of the submitted file in bytes. |
| verdict | string | WildFire analysis verdict for the submitted file: `benign`, `malware` (malicious), `grayware` (potentially unwanted), `phishing` (a phishing document), or `pending` (analysis not yet complete). |
| action | string | Action (`allow` or `block`) applied to the file by the WildFire security profile based on the analysis verdict. |
| report_url | string | URL to the full WildFire analysis report in the Palo Alto Networks WildFire portal, providing detailed behavioral analysis results. |
| src_user | string | Source user identity if User-ID is enabled. |
| rule_name | string | Name of the security policy rule under which the file was captured and submitted to WildFire. |
| device_name | string | Hostname of the firewall that captured the file and generated this WildFire log entry. |
| vsys | string | Virtual system name or identifier on the firewall. |
| log_forwarding_profile | string | Name of the log forwarding profile that forwarded this log entry. |
| output_format | string | Output format in which this log entry was forwarded: `CSV`, `LEEF`, `CEF`, `JSON`, or `PARQUET`. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "WildfireLogPayload",
"description": "Schema for a forwarded PAN-OS WildFire submission log entry. WildFire logs record the results of file analysis by the WildFire cloud-based sandbox malware analysis service, providing verdicts and analysis report links for detected threats.\n",
"$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/strata-logging-forwarding-wildfire-log-payload-schema.json",
"type": "object",
"properties": {
"receive_time": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the WildFire log entry was received by Strata Logging Service.\n"
},
"serial": {
"type": "string",
"description": "Serial number of the Palo Alto Networks device that submitted the file to WildFire and generated this log entry.\n"
},
"type": {
"type": "string",
"enum": [
"WILDFIRE"
],
"description": "Log type identifier, always WILDFIRE for WildFire log entries.\n"
},
"src": {
"type": "string",
"description": "Source IP address of the session from which the file was captured."
},
"dst": {
"type": "string",
"description": "Destination IP address of the session from which the file was captured.\n"
},
"app": {
"type": "string",
"description": "Application identified by App-ID in the session from which the file was captured.\n"
},
"filename": {
"type": "string",
"description": "Name of the file that was submitted to WildFire for analysis."
},
"filetype": {
"type": "string",
"description": "File type of the submitted file (e.g., PE, PDF, APK, Adobe Flash, Microsoft Office, script, Java Applet).\n"
},
"file_hash": {
"type": "string",
"description": "SHA-256 cryptographic hash of the submitted file, used as the unique file identifier in the WildFire cloud database.\n"
},
"file_size": {
"type": "integer",
"description": "Size of the submitted file in bytes."
},
"verdict": {
"type": "string",
"enum": [
"benign",
"malware",
"grayware",
"phishing",
"pending"
],
"description": "WildFire analysis verdict for the submitted file: benign, malware (malicious), grayware (potentially unwanted), phishing (a phishing document), or pending (analysis not yet complete).\n"
},
"action": {
"type": "string",
"enum": [
"allow",
"block"
],
"description": "Action applied to the file by the WildFire security profile based on the analysis verdict.\n"
},
"report_url": {
"type": "string",
"format": "uri",
"description": "URL to the full WildFire analysis report in the Palo Alto Networks WildFire portal, providing detailed behavioral analysis results.\n"
},
"src_user": {
"type": "string",
"description": "Source user identity if User-ID is enabled."
},
"rule_name": {
"type": "string",
"description": "Name of the security policy rule under which the file was captured and submitted to WildFire.\n"
},
"device_name": {
"type": "string",
"description": "Hostname of the firewall that captured the file and generated this WildFire log entry.\n"
},
"vsys": {
"type": "string",
"description": "Virtual system name or identifier on the firewall."
},
"log_forwarding_profile": {
"type": "string",
"description": "Name of the log forwarding profile that forwarded this log entry.\n"
},
"output_format": {
"type": "string",
"enum": [
"CSV",
"LEEF",
"CEF",
"JSON",
"PARQUET"
],
"description": "Output format in which this log entry was forwarded."
}
}
}