Threat CEF style format is different from the description in "Micro Focus Common Event Format Integration Guide" for PAN-OS 10.0.


Created On 05/09/22 03:36 AM - Last Modified 05/19/22 08:29 AM


Symptom


The CEF-style log format for "Threat" logs is different from the description in the "Micro Focus Common Event Format Integration Guide" for PAN-OS 10.0.


The CEF-style Log Format of "Threat" is described as below in the document.
[image: CEF-style Log Format table for "Threat" from the guide]

In the Threat CEF-style Log Format, the Signature ID field is $threatid and the "cat" extension is $subtype.

However, the values in the "Threat" CEF-style Log Format are defined differently from the "Prefix Fields" and "Extension Dictionary" descriptions in the same document.

The Prefix Fields table says:
[image: Prefix Fields table from the guide]
"Signature ID" of "Threat" is $subtype.


The Extension Dictionary says:
[image: Extension Dictionary table from the guide]
"cat" extension of "Threat" is $threatid.


Environment




Cause


This mismatch is a documentation issue in the "Micro Focus Common Event Format Integration Guide" for PAN-OS 10.0.

The "Threat" CEF- style Log Format in the document is correct.

"Signature ID" of "Threat" in Prefix Fields should be $threatid.
image.png

"cat" extension of "Threat" in Extension Dictionary should be $subtype.
image.png
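Because SIEM parsers and correlation rules are often keyed on the CEF Signature ID (threat ID) and the "cat" extension (subtype), it is worth checking that a collector is applying the correct mapping rather than the one printed in the Prefix Fields and Extension Dictionary tables. The following parser is an added example, not code from Palo Alto Networks or Micro Focus; it implements the standard CEF header/extension syntax (seven pipe-delimited header fields with `\|` and `\\` escapes, then space-separated `key=value` extensions with `\=` escapes) and checks that a Threat record carries a numeric threat ID in the Signature ID slot and a textual subtype in "cat". The sample log lines, the threat ID `30001`, and the addresses are constructed for the example.

```python
import re

# Standard CEF header field names (Version|Device Vendor|Device Product|Device Version|
# Signature ID|Name|Severity), followed by the extension string.
CEF_HEADER = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# An extension key is a run of identifier characters directly followed by '='
# and preceded by start-of-string or whitespace; escaped '\=' inside values
# never matches because '\' is not a key character.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _split_header(line):
    """Split the seven header fields on unescaped '|', returning the raw extension as the 8th item."""
    fields, buf, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])          # '\|' -> '|', '\\' -> '\'
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            if len(fields) == 7:             # everything after the 7th pipe is the extension
                fields.append(line[i:])
                return fields
            continue
        buf.append(c)
        i += 1
    fields.append("".join(buf))
    return fields


def _parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict, undoing CEF value escapes."""
    result = {}
    keys = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        start = m.end()
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[start:end].strip()
        value = (value.replace("\\=", "=").replace("\\n", "\n")
                      .replace("\\r", "\r").replace("\\\\", "\\"))
        result[m.group(1)] = value
    return result


def parse_cef(line):
    """Return a dict with the seven header fields plus an 'extensions' dict."""
    fields = _split_header(line.rstrip("\r\n"))
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    rec = dict(zip(CEF_HEADER, fields[:7]))
    rec["version"] = rec["version"][len("CEF:"):]
    rec["extensions"] = _parse_extension(fields[7])
    return rec


def threat_mapping(line):
    """Return (Signature ID, cat) for a Threat record: per the corrected guide, ($threatid, $subtype)."""
    rec = parse_cef(line)
    return rec["signature_id"], rec["extensions"].get("cat")


def has_correct_threat_mapping(line):
    """True when Signature ID is a numeric threat ID and 'cat' is a textual subtype.

    A collector configured from the erroneous Prefix Fields / Extension Dictionary
    tables would produce the reverse (subtype in Signature ID, numeric ID in cat).
    """
    sig, cat = threat_mapping(line)
    return sig.isdigit() and bool(cat) and not cat.isdigit()


# Constructed sample records (not real logs): one per the correct Log Format,
# one per the mistaken table descriptions.
SAMPLE_THREAT = (
    "CEF:0|Palo Alto Networks|PAN-OS|10.0.0|30001|THREAT|5|"
    "rt=May 09 2022 03:36:00 GMT cat=vulnerability src=10.1.1.5 dst=192.0.2.10 "
    "act=alert msg=Example\\=Threat"
)
SWAPPED_THREAT = (
    "CEF:0|Palo Alto Networks|PAN-OS|10.0.0|vulnerability|THREAT|5|"
    "rt=May 09 2022 03:36:00 GMT cat=30001 src=10.1.1.5 dst=192.0.2.10 act=alert"
)

if __name__ == "__main__":
    for name, rec in (("correct", SAMPLE_THREAT), ("swapped", SWAPPED_THREAT)):
        print(name, threat_mapping(rec), has_correct_threat_mapping(rec))
```

Run over a sample of live Threat events, `has_correct_threat_mapping` returning False is a quick indicator that the sending side (or a normalisation step in the collector) was built from the incorrect tables rather than from the Log Format.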


Resolution


Because the revision of the "Micro Focus Common Event Format Integration Guide" is currently pending, this article provides the corrected information as a temporary reference until the documentation fix is released.
