Event fields that describe network metadata as seen at the various OSI layers. This includes data from network monitoring devices and applications (NSM, firewall, IPS, IDS, etc.), cloud NetFlow, and network information from endpoints.
xdm.network.session_id
Description: Session ID.
Datatype: String
Dataclass: Scalar

xdm.network.ip_protocol
Description: The transport layer protocol in the OSI model, also known as the IP protocol (the protocol number carried in the IP header).
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.IP_PROTOCOL_HOPOPT, XDM_CONST.IP_PROTOCOL_ICMP, XDM_CONST.IP_PROTOCOL_IGMP, XDM_CONST.IP_PROTOCOL_GGP, XDM_CONST.IP_PROTOCOL_IP

xdm.network.protocol_layers
Description: The network protocols arranged by layer, with the highest layer last. For example, [IP, TCP, TLS, HTTP, INSTAGRAM].
Datatype: String
Dataclass: Array

xdm.network.application_protocol
Description: The Layer 7 (application) protocol in the OSI model. Use https://applipedia.paloaltonetworks.com/ for app standardization.
Datatype: String
Dataclass: Scalar

xdm.network.application_protocol_category
Description: The category of the Layer 7 (application) protocol. Use https://applipedia.paloaltonetworks.com/ for app standardization.
Datatype: String
Dataclass: Scalar

xdm.network.application_protocol_subcategory
Description: The subcategory of the Layer 7 (application) protocol. Use https://applipedia.paloaltonetworks.com/ for app standardization.
Datatype: String
Dataclass: Scalar

xdm.network.rule
Description: The name or ID of the rule by which the observer decided to act.
Datatype: String
Dataclass: Scalar
xdm.network.icmp
Internet Control Message Protocol (ICMP) specific fields.

xdm.network.icmp.type
Description: The ICMP type.
Datatype: Number
Dataclass: Scalar

xdm.network.icmp.code
Description: The ICMP code.
Datatype: Number
Dataclass: Scalar
xdm.network.dhcp
Dynamic Host Configuration Protocol (DHCP) specific fields.

xdm.network.dhcp.ciaddr
Description: The client IP address.
Datatype: IPv4
Dataclass: Scalar

xdm.network.dhcp.yiaddr
Description: "Your" IP address, i.e. the client address assigned by the server.
Datatype: IPv4
Dataclass: Scalar

xdm.network.dhcp.siaddr
Description: The IP address of the next bootstrap server.
Datatype: IPv4
Dataclass: Scalar

xdm.network.dhcp.giaddr
Description: The relay agent IP address.
Datatype: IPv4
Dataclass: Scalar

xdm.network.dhcp.chaddr
Description: The client hardware address.
Datatype: String
Dataclass: Scalar

xdm.network.dhcp.sname
Description: The name of the server from which the client wishes to boot.
Datatype: String
Dataclass: Scalar

xdm.network.dhcp.message_type
Description: The DHCP message type.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.DHCP_MESSAGE_TYPE_DHCPDISCOVER, XDM_CONST.DHCP_MESSAGE_TYPE_DHCPOFFER, XDM_CONST.DHCP_MESSAGE_TYPE_DHCPREQUEST, XDM_CONST.DHCP_MESSAGE_TYPE_DHCPDECLINE, XDM_CONST.DHCP_MESSAGE_TYPE_DHCPACK

xdm.network.dhcp.lease
Description: The lease time in seconds. See RFC2132, section 9.2.
Datatype: Number
Dataclass: Scalar

xdm.network.dhcp.client_hostname
Description: The client hostname. See RFC2132, section 3.14.
Datatype: String
Dataclass: Scalar

xdm.network.dhcp.requested_address
Description: The requested IP address. See RFC2132, section 9.1.
Datatype: String
Dataclass: Scalar

xdm.network.dhcp.dns_server
Description: The domain name server. DHCP option 6. See RFC2132.
Datatype: String
Dataclass: Array

xdm.network.dhcp.wins_server
Description: The NetBIOS name server. DHCP option 44. See RFC2132.
Datatype: String
Dataclass: Array
xdm.network.dns
Domain Name System (DNS) specific fields.

xdm.network.dns.is_response
Description: Whether the event is a DNS response. See the QR field in RFC1035.
Datatype: Boolean
Dataclass: Scalar

xdm.network.dns.opcode
Description: The DNS OpCode, which specifies the kind of query (e.g. QUERY, IQUERY, STATUS).
Datatype: Number
Dataclass: Scalar

xdm.network.dns.authoritative
Description: Whether the answer is authoritative (the AA header flag). See RFC1035, section 4.1.1.
Datatype: Boolean
Dataclass: Scalar

xdm.network.dns.is_truncated
Description: Whether the DNS response is truncated.
Datatype: Boolean
Dataclass: Scalar

xdm.network.dns.response_code
Description: The response code. See RCODE in RFC1035.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR, XDM_CONST.DNS_RESPONSE_CODE_FORMAT_ERROR, XDM_CONST.DNS_RESPONSE_CODE_SERVER_FAILURE, XDM_CONST.DNS_RESPONSE_CODE_NON_EXISTENT_DOMAIN, XDM_CONST.DNS_RESPONSE_CODE_NOT_IMPLEMENTED

xdm.network.dns.dns_question
A DNS query is a request for information sent from a user's computer (DNS client) to a DNS server.

xdm.network.dns.dns_question.name
Description: The domain name.
Datatype: String
Dataclass: Scalar

xdm.network.dns.dns_question.type
Description: The code specifying the type of query.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.DNS_RECORD_TYPE_A, XDM_CONST.DNS_RECORD_TYPE_AAAA, XDM_CONST.DNS_RECORD_TYPE_AFSDB, XDM_CONST.DNS_RECORD_TYPE_APL, XDM_CONST.DNS_RECORD_TYPE_CAA

xdm.network.dns.dns_question.class
Description: The code specifying the class of the query.
Datatype: Number
Dataclass: Scalar

xdm.network.dns.dns_resource_record
A resource record, commonly referred to as an RR, is the unit of information entry in DNS zone files; RRs are the basic building blocks of host name and IP information and are used to resolve all DNS queries. Resource records come in a fairly wide variety of types in order to provide extended name-resolution services.

xdm.network.dns.dns_resource_record.name
Description: The domain name.
Datatype: String
Dataclass: Scalar

xdm.network.dns.dns_resource_record.type
Description: The code specifying the type of the record.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.DNS_RECORD_TYPE_A, XDM_CONST.DNS_RECORD_TYPE_AAAA, XDM_CONST.DNS_RECORD_TYPE_AFSDB, XDM_CONST.DNS_RECORD_TYPE_APL, XDM_CONST.DNS_RECORD_TYPE_CAA

xdm.network.dns.dns_resource_record.class
Description: The code specifying the class of the record.
Datatype: Number
Dataclass: Scalar

xdm.network.dns.dns_resource_record.value
Description: The payload, i.e. the response to the DNS question.
Datatype: String
Dataclass: Scalar
xdm.network.http
Hypertext Transfer Protocol (HTTP) specific fields.

xdm.network.http.referrer
Description: The HTTP request referrer address.
Datatype: String
Dataclass: Scalar

xdm.network.http.url
Description: The URL of this HTTP request.
Datatype: String
Dataclass: Scalar

xdm.network.http.url_category
Description: The URL category. See https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.URL_CATEGORY_ABORTION, XDM_CONST.URL_CATEGORY_ABUSED_DRUGS, XDM_CONST.URL_CATEGORY_ADULT, XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO, XDM_CONST.URL_CATEGORY_AUCTIONS

xdm.network.http.domain
Description: The domain this HTTP request is accessing.
Datatype: String
Dataclass: Scalar

xdm.network.http.content_type
Description: The content type of this HTTP request.
Datatype: String
Dataclass: Scalar
Examples: application/json

xdm.network.http.browser
Description: The browser from which the HTTP request originated.
Datatype: String
Dataclass: Scalar

xdm.network.http.tld
Description: The top-level domain that this HTTP request is accessing.
Datatype: String
Dataclass: Scalar

xdm.network.http.method
Description: The HTTP method that this request is using.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.HTTP_METHOD_ACL, XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, XDM_CONST.HTTP_METHOD_BIND, XDM_CONST.HTTP_METHOD_CHECKIN, XDM_CONST.HTTP_METHOD_CHECKOUT

xdm.network.http.response_code
Description: The HTTP response code for this request.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.HTTP_RSP_CODE_CONTINUE, XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, XDM_CONST.HTTP_RSP_CODE_PROCESSING, XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, XDM_CONST.HTTP_RSP_CODE_OK

xdm.network.http.http_header
An HTTP header.

xdm.network.http.http_header.header
Description: The HTTP header name.
Datatype: String
Dataclass: Scalar

xdm.network.http.http_header.value
Description: The HTTP header value.
Datatype: String
Dataclass: Scalar
xdm.network.tls
Transport Layer Security (TLS) specific fields.

xdm.network.tls.client_certificate
The client certificate.

xdm.network.tls.client_certificate.version
Description: The version of the client certificate.
Datatype: String
Dataclass: Scalar

xdm.network.tls.client_certificate.subject
Description: The subject of the client certificate.
Datatype: String
Dataclass: Scalar

xdm.network.tls.client_certificate.issuer
Description: The issuer of the client certificate.
Datatype: String
Dataclass: Scalar

xdm.network.tls.client_certificate.serial
Description: Unique identifier assigned to the certificate when it is issued. Used to distinguish the certificate from other certificates issued by the same certificate authority. The serial number is usually a positive integer encoded as an ASN.1 INTEGER value.
Datatype: String
Dataclass: Scalar
Examples: 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6

xdm.network.tls.client_certificate.md5
Description: The MD5 hash of the client certificate.
Datatype: MD5
Dataclass: Scalar

xdm.network.tls.client_certificate.sha256
Description: The SHA256 hash of the client certificate.
Datatype: SHA256
Dataclass: Scalar

xdm.network.tls.client_certificate.not_before
Description: Indicates when the client certificate is first valid.
Datatype: Timestamp
Dataclass: Scalar

xdm.network.tls.client_certificate.not_after
Description: Indicates when the client certificate is no longer valid.
Datatype: Timestamp
Dataclass: Scalar

xdm.network.tls.client_certificate.algorithm
Description: The signature algorithm of the client certificate.
Datatype: String
Dataclass: Scalar
Examples: MD5withRSA, SHA1withRSA, SHA256withRSA, SHA256withECDSA

xdm.network.tls.client_ja3
Description: The JA3 hash from the Client Hello packet.
Datatype: String
Dataclass: Scalar

xdm.network.tls.server_name
Description: The host name of the server to which the client is connecting.
Datatype: String
Dataclass: Scalar

xdm.network.tls.server_certificate
The server certificate.

xdm.network.tls.server_certificate.version
Description: The version of the server certificate.
Datatype: String
Dataclass: Scalar

xdm.network.tls.server_certificate.subject
Description: The subject of the server certificate.
Datatype: String
Dataclass: Scalar

xdm.network.tls.server_certificate.issuer
Description: The issuer of the server certificate.
Datatype: String
Dataclass: Scalar

xdm.network.tls.server_certificate.serial
Description: Unique identifier assigned to the certificate when it is issued. Used to distinguish the certificate from other certificates issued by the same certificate authority. The serial number is usually a positive integer encoded as an ASN.1 INTEGER value.
Datatype: String
Dataclass: Scalar
Examples: 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6

xdm.network.tls.server_certificate.md5
Description: The MD5 hash of the server certificate.
Datatype: MD5
Dataclass: Scalar

xdm.network.tls.server_certificate.sha256
Description: The SHA256 hash of the server certificate.
Datatype: SHA256
Dataclass: Scalar

xdm.network.tls.server_certificate.not_before
Description: Indicates when the server certificate is first valid.
Datatype: Timestamp
Dataclass: Scalar

xdm.network.tls.server_certificate.not_after
Description: Indicates when the server certificate is no longer valid.
Datatype: Timestamp
Dataclass: Scalar

xdm.network.tls.server_certificate.algorithm
Description: The signature algorithm of the server certificate.
Datatype: String
Dataclass: Scalar
Examples: MD5withRSA, SHA1withRSA, SHA256withRSA, SHA256withECDSA

xdm.network.tls.server_ja3
Description: The JA3 hash from the Server Hello packet.
Datatype: String
Dataclass: Scalar

xdm.network.tls.cipher
Description: The cipher used during the connection.
Datatype: String
Dataclass: Scalar

xdm.network.tls.protocol_version
Description: The TLS version.
Datatype: String
Dataclass: Scalar
xdm.network.dcerpc
DCE/RPC (Distributed Computing Environment/Remote Procedure Calls) specific fields.

xdm.network.dcerpc.operation
Description: The RPC operation used. A combination of the interface UUID and the OpNum.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.DCERPC_OPERATION_NETR_JOB_ADD, XDM_CONST.DCERPC_OPERATION_SERVER_ALIVE, XDM_CONST.DCERPC_OPERATION_GET_OBJECT

xdm.network.dcerpc.interface_uuid
Description: The UUID of the RPC interface used.
Datatype: String
Dataclass: Scalar

xdm.network.dcerpc.opnum
Description: The RPC operation number used.
Datatype: Number
Dataclass: Scalar

xdm.network.dcerpc.svcctl_buffer
Description: The buffer sent via the SMB svcctl MSRPC interface.
Datatype: String
Dataclass: Scalar
xdm.network.ldap
LDAP (Lightweight Directory Access Protocol) specific fields.

xdm.network.ldap.operation
Description: The LDAP operation type.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.LDAP_OPERATION_BIND_REQUEST, XDM_CONST.LDAP_OPERATION_BIND_RESPONSE, XDM_CONST.LDAP_OPERATION_UNBIND_REQUEST, XDM_CONST.LDAP_OPERATION_SEARCH_REQUEST, XDM_CONST.LDAP_OPERATION_SEARCH_RESULT_ENTRY

xdm.network.ldap.scope
Description: The search scope in which this operation is performed.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.LDAP_SCOPE_BASE_OBJECT, XDM_CONST.LDAP_SCOPE_SINGLE_LEVEL, XDM_CONST.LDAP_SCOPE_WHOLE_SUBTREE

xdm.network.ldap.filter
Description: The filter defining the criteria used to identify entries in search requests.
Datatype: String
Dataclass: Scalar

xdm.network.ldap.attributes
Description: The search attributes related to the operation.
Datatype: String
Dataclass: Array

xdm.network.ldap.returned_entries
Description: The number of result entries returned by the operation.
Datatype: Number
Dataclass: Scalar

xdm.network.ldap.bind_auth_type
Description: The authentication type used for the bind operation.
Datatype:
Dataclass: Scalar
Examples: XDM_CONST.LDAP_BIND_AUTH_TYPE_SIMPLE, XDM_CONST.LDAP_BIND_AUTH_TYPE_SASL
xdm.network.vpn
VPN fields.

xdm.network.vpn.allocated_ipv4
Description: The IPv4 address that is allocated to the source by the VPN server.
Datatype: IPv4
Dataclass: Scalar

xdm.network.vpn.allocated_ipv6
Description: The IPv6 address that is allocated to the source by the VPN server.
Datatype: IPv6
Dataclass: Scalar