Field Name | Definition |
action | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. |
action_source | Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session. |
application | Application associated with the session. |
application_category | The application category specified in the application configuration properties. |
application_risk | Risk level associated with the application (1=lowest to 5=highest). |
application_saas | Displays yes if a SaaS application or no if not a SaaS application. |
application_subcategory | The application subcategory specified in the application configuration properties. |
application_technology | The application technology specified in the application configuration properties. |
bytes | Number of total bytes (transmit and receive) for the session. |
category | Describes the content of a Web page that was visited. |
contenttype | Refers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc. |
datetime | Date time stamp associated with each recrod hit |
dest_country | Destination country or Internal region for private addresses. |
dest_ip | Original session destination IP address. |
dest_zone | Zone the session was destined to. |
deviceLogType | |
direction | Indicates the direction of the attack, client-to-server or server-to-client |
group | Organizational groups are structured in a hierarchical manner, forming a tree-like structure. |
hit | Number of records (represents a record count) |
http2_connection | Identifies if traffic used an HTTP/2 Connection or not |
identity | |
ip | Original session source IP address. |
ip_protocol | IP protocol associated with the session. |
port | Destination port utilized by the session. |
recordName | |
referrer | |
results | |
rule | Name of the rule that the session matched. |
severity | |
source | |
source_zone | Zone the session was sourced from. |
threat_category | Describes threat categories used to classify different types of threat signatures. |
Threat_contenttype | Subtype of the threat and traffic log |
threat_id | Palo Alto Networks identifier for known and custom threats. |
type | Specifies the type of log; |
url | |
user | Field refers to the information recorded about the user associated with a specific network connection or traffic event. |
useragent | HTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client. |