{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/strata-logging-forwarding-wildfire-log-payload-structure.json",
  "name": "WildfireLogPayload",
  "description": "Schema for a forwarded PAN-OS WildFire submission log entry. WildFire logs record the results of file analysis by the WildFire cloud-based sandbox malware analysis service, providing verdicts and analysis report links for detected threats.\n",
  "type": "object",
  "properties": {
    "receive_time": {
      "type": "datetime",
      "description": "Timestamp when the WildFire log entry was received by Strata Logging Service.\n"
    },
    "serial": {
      "type": "string",
      "description": "Serial number of the Palo Alto Networks device that submitted the file to WildFire and generated this log entry.\n"
    },
    "type": {
      "type": "string",
      "description": "Log type identifier, always WILDFIRE for WildFire log entries.\n",
      "enum": [
        "WILDFIRE"
      ]
    },
    "src": {
      "type": "string",
      "description": "Source IP address of the session from which the file was captured."
    },
    "dst": {
      "type": "string",
      "description": "Destination IP address of the session from which the file was captured.\n"
    },
    "app": {
      "type": "string",
      "description": "Application identified by App-ID in the session from which the file was captured.\n"
    },
    "filename": {
      "type": "string",
      "description": "Name of the file that was submitted to WildFire for analysis."
    },
    "filetype": {
      "type": "string",
      "description": "File type of the submitted file (e.g., PE, PDF, APK, Adobe Flash, Microsoft Office, script, Java Applet).\n"
    },
    "file_hash": {
      "type": "string",
      "description": "SHA-256 cryptographic hash of the submitted file, used as the unique file identifier in the WildFire cloud database.\n"
    },
    "file_size": {
      "type": "int32",
      "description": "Size of the submitted file in bytes."
    },
    "verdict": {
      "type": "string",
      "description": "WildFire analysis verdict for the submitted file indicating whether it is benign, malicious malware, potentially unwanted grayware, a phishing document, or pending analysis completion.\n",
      "enum": [
        "benign",
        "malware",
        "grayware",
        "phishing",
        "pending"
      ]
    },
    "action": {
      "type": "string",
      "description": "Action applied to the file by the WildFire security profile based on the analysis verdict.\n",
      "enum": [
        "allow",
        "block"
      ]
    },
    "report_url": {
      "type": "uri",
      "description": "URL to the full WildFire analysis report in the Palo Alto Networks WildFire portal, providing detailed behavioral analysis results.\n"
    },
    "src_user": {
      "type": "string",
      "description": "Source user identity if User-ID is enabled."
    },
    "rule_name": {
      "type": "string",
      "description": "Name of the security policy rule under which the file was captured and submitted to WildFire.\n"
    },
    "device_name": {
      "type": "string",
      "description": "Hostname of the firewall that captured the file and generated this WildFire log entry.\n"
    },
    "vsys": {
      "type": "string",
      "description": "Virtual system name or identifier on the firewall."
    },
    "log_forwarding_profile": {
      "type": "string",
      "description": "Name of the log forwarding profile that forwarded this log entry.\n"
    },
    "output_format": {
      "type": "string",
      "description": "Output format in which this log entry was forwarded.",
      "enum": [
        "CSV",
        "LEEF",
        "CEF",
        "JSON",
        "PARQUET"
      ]
    }
  }
}