{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "ThreatLogPayload", "description": "Schema for a forwarded PAN-OS threat log entry. Threat logs capture security events detected by the firewall's threat prevention engines, providing detailed information about malware, exploits, spyware, command-and-control traffic, and other detected threats.\n", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/strata-logging-forwarding-threat-log-payload-schema.json", "type": "object", "properties": { "receive_time": { "type": "string", "format": "date-time", "description": "Timestamp when the threat log entry was received by Strata Logging Service.\n" }, "serial": { "type": "string", "description": "Serial number of the Palo Alto Networks device that generated this threat log entry.\n" }, "type": { "type": "string", "enum": [ "THREAT" ], "description": "Log type identifier, always THREAT for threat log entries.\n" }, "subtype": { "type": "string", "enum": [ "virus", "spyware", "vulnerability", "url", "wildfire", "wildfire-virus", "data", "file", "scan", "flood" ], "description": "Threat log subtype indicating which threat prevention engine or signature category generated the detection event.\n" }, "src": { "type": "string", "description": "Source IP address of the session in which the threat was detected." }, "dst": { "type": "string", "description": "Destination IP address of the session in which the threat was detected.\n" }, "sport": { "type": "integer", "description": "Source port number of the session." }, "dport": { "type": "integer", "description": "Destination port number of the session." }, "proto": { "type": "string", "description": "IP protocol of the session." }, "app": { "type": "string", "description": "Application identified by App-ID in the threat session." 
}, "threat_name": { "type": "string", "description": "Name of the detected threat as defined in the Palo Alto Networks threat database and threat vault.\n" }, "severity": { "type": "string", "enum": [ "informational", "low", "medium", "high", "critical" ], "description": "Severity level of the detected threat as defined by the threat signature or detection engine.\n" }, "action": { "type": "string", "enum": [ "alert", "allow", "deny", "drop", "reset-client", "reset-server", "reset-both", "block-url", "block-ip", "sinkhole" ], "description": "Action taken by the threat prevention engine in response to the detected threat.\n" }, "direction": { "type": "string", "enum": [ "client-to-server", "server-to-client" ], "description": "Direction of the detected attack relative to the network session flow.\n" }, "threat_id": { "type": "string", "description": "Unique identifier of the threat signature in the Palo Alto Networks threat vault; the ID is numeric but is carried as a string in this payload. Used for threat intelligence lookup and signature reference.\n" }, "rule_name": { "type": "string", "description": "Name of the security policy rule that matched the session in which the threat was detected.\n" }, "src_zone": { "type": "string", "description": "Source security zone of the threat session." }, "dst_zone": { "type": "string", "description": "Destination security zone of the threat session." }, "src_user": { "type": "string", "description": "Source user identity if User-ID is enabled." }, "url_or_filename": { "type": "string", "description": "URL or filename associated with the detected threat, depending on the threat subtype.\n" }, "device_name": { "type": "string", "description": "Hostname of the firewall that generated this threat log entry." }, "vsys": { "type": "string", "description": "Virtual system name or identifier on the firewall." 
}, "log_forwarding_profile": { "type": "string", "description": "Name of the log forwarding profile that forwarded this log entry.\n" }, "output_format": { "type": "string", "enum": [ "CSV", "LEEF", "CEF", "JSON", "PARQUET" ], "description": "Output format in which this log entry was forwarded." } } }