Palo Alto Data Source Field Definitions

| Field Name | Definition |
|---|---|
| action | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. |
| action_source | Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session. |
| application | Application associated with the session. |
| application_category | The application category specified in the application configuration properties. |
| application_risk | Risk level associated with the application (1=lowest to 5=highest). |
| application_saas | Displays yes if a SaaS application or no if not a SaaS application. |
| application_subcategory | The application subcategory specified in the application configuration properties. |
| application_technology | The application technology specified in the application configuration properties. |
| bytes | Number of total bytes (transmit and receive) for the session. |
| category | Describes the content of a Web page that was visited. |
| contenttype | Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc. |
| datetime | Date and time stamp associated with each record hit. |
| dest_country | Destination country or Internal region for private addresses. |
| dest_ip | Original session destination IP address. |
| dest_zone | Zone the session was destined to. |
| direction | Indicates the direction of the attack, client-to-server or server-to-client. |
| group | Organizational groups are structured in a hierarchical manner, forming a tree-like structure. |
| hit | Number of records (represents a record count). |
| http2_connection | Identifies whether traffic used an HTTP/2 connection. |
| ip | Original session source IP address. |
| ip_protocol | IP protocol associated with the session. |
| port | Destination port utilized by the session. |
| rule | Name of the rule that the session matched. |
| source_zone | Zone the session was sourced from. |
| threat_category | Describes threat categories used to classify different types of threat signatures. |
| Threat_contenttype | Subtype of the threat and traffic log. |
| threat_id | Palo Alto Networks identifier for known and custom threats. |
| type | Specifies the type of log; |
| user | Information recorded about the user associated with a specific network connection or traffic event. |
| useragent | HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client. |