| Field Name | Definition |
| action | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. |
| action_source | Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session. |
| application | Application associated with the session. |
| application_category | The application category specified in the application configuration properties. |
| application_risk | Risk level associated with the application (1=lowest to 5=highest). |
| application_saas | Displays yes if a SaaS application or no if not a SaaS application. |
| application_subcategory | The application subcategory specified in the application configuration properties. |
| application_technology | The application technology specified in the application configuration properties. |
| bytes | Number of total bytes (transmit and receive) for the session. |
| category | Describes the content of a Web page that was visited. |
| contenttype | Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc. |
| datetime | Date time stamp associated with each recrod hit |
| dest_country | Destination country or Internal region for private addresses. |
| dest_ip | Original session destination IP address. |
| dest_zone | Zone the session was destined to. |
| deviceLogType | |
| direction | Indicates the direction of the attack, client-to-server or server-to-client |
| group | Organizational groups are structured in a hierarchical manner, forming a tree-like structure. |
| hit | Number of records (represents a record count) |
| http2_connection | Identifies if traffic used an HTTP/2 Connection or not |
| identity | |
| ip | Original session source IP address. |
| ip_protocol | IP protocol associated with the session. |
| port | Destination port utilized by the session. |
| recordName | |
| referrer | |
| results | |
| rule | Name of the rule that the session matched. |
| severity | |
| source | |
| source_zone | Zone the session was sourced from. |
| threat_category | Describes threat categories used to classify different types of threat signatures. |
| Threat_contenttype | Subtype of the threat and traffic log |
| threat_id | Palo Alto Networks identifier for known and custom threats. |
| type | Specifies the type of log; |
| url | |
| user | Field refers to the information recorded about the user associated with a specific network connection or traffic event. |
| useragent | HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client. |