Palo Alto Strata Logs

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types                    | Table name                 | Log format | Collection method |
|-----------------------------------------|----------------------------|------------|-------------------|
| PAN Firewall Threat Strata Logs         | pan_firewall_threat        | NDJSON     | S3-LIST           |
| PAN Firewall Global Protect Strata Logs | pan_firewall_globalprotect | NDJSON     | S3-LIST           |
| PAN Firewall Traffic Strata Logs        | pan_firewall_traffic       | NDJSON     | S3-LIST           |


Overview

This article explains how to connect your Palo Alto Strata Logs to Hunters.

Strata Logging Service forwards logs to AWS S3 in JSON format, compressed with Snappy for efficient storage and transfer. The important point here is that decompressing and processing the JSON data is handled by you, not by Hunters.

Because Strata data arrives compressed with the Snappy algorithm, which Hunters does not support today, customers stream the compressed objects to a staging bucket and use a Lambda function to decompress them and write the result to the S3 bucket that Hunters actually reads from.

We will update this page once Snappy compression is natively supported in the Hunters portal, which is expected in the near future (beginning of 2026).
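Until native support arrives, the staging-bucket Lambda described above could be implemented along these lines. This is an added example, not Hunters' or Palo Alto Networks' code; the HUNTERS_BUCKET variable, the per-LogType prefix layout and the use of python-snappy's raw `decompress` (rather than the framed format) are assumptions to confirm against a real forwarded object, and the sample records are constructed.

```python
# Staging-bucket Lambda: decompress Strata Logging Service objects and write NDJSON
# into the bucket Hunters lists (S3-LIST). Added example; names below are placeholders.
import json
import os
import urllib.parse

# Constructed sample: two TRAFFIC records shaped like the page's NDJSON examples.
SAMPLE_NDJSON = (
    b'{"LogType":"TRAFFIC","Subtype":"end","Action":"allow","Bytes":14629}\n'
    b'{"LogType":"TRAFFIC","Subtype":"end","Action":"deny","Bytes":0}\n'
)


def to_ndjson(payload: bytes):
    """Normalise decompressed output to compact NDJSON and return (bytes, LogType).
    Accepts NDJSON or a single JSON array; rejects non-object records and files that
    mix LogTypes, so malformed data never reaches the bucket Hunters reads."""
    text = payload.decode("utf-8").strip()
    if not text:
        raise ValueError("empty object")
    try:
        records = [json.loads(line) for line in text.splitlines() if line.strip()]
    except json.JSONDecodeError:
        records = [json.loads(text)]  # not line-delimited: parse the whole file
    if len(records) == 1 and isinstance(records[0], list):
        records = records[0]  # whole-file JSON array, single- or multi-line
    if not records or not all(isinstance(r, dict) for r in records):
        raise ValueError("every record must be a JSON object")
    log_types = {r.get("LogType") for r in records}
    if len(log_types) != 1 or None in log_types:
        raise ValueError(f"expected exactly one LogType per file, got {log_types}")
    lines = "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)
    return lines.encode("utf-8"), log_types.pop()


def lambda_handler(event, context, decompress=None):
    """S3 ObjectCreated trigger on the staging bucket. boto3 ships with Lambda;
    python-snappy is assumed to come from a layer, hence the lazy imports."""
    import boto3
    if decompress is None:
        import snappy
        decompress = snappy.decompress  # assumption: raw Snappy, not the framed (.sz) format
    s3 = boto3.client("s3")
    dest = os.environ["HUNTERS_BUCKET"]  # placeholder: the bucket name entered in Hunters
    for rec in event["Records"]:
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])
        raw = s3.get_object(Bucket=rec["s3"]["bucket"]["name"], Key=key)["Body"].read()
        body, log_type = to_ndjson(decompress(raw))
        # Assumed layout: one prefix per LogType so each Hunters integration sees only its data.
        out_key = f"{log_type.lower()}/{os.path.basename(key)}.ndjson"
        s3.put_object(Bucket=dest, Key=out_key, Body=body, ContentType="application/x-ndjson")
```

Failed decompression or validation raises, so the Lambda invocation errors out and the original object stays in the staging bucket for inspection instead of being silently dropped.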

Palo Alto Networks Strata Logging Service provides cloud-based, centralized log storage and aggregation for your on-premises and virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR.

Strata Logging Service is secure, resilient, and fault-tolerant, and it ensures your logging data is up-to-date and available when you need it. It provides a scalable logging infrastructure that removes the need to plan and deploy Log Collectors to meet your log retention needs. If you already have on-premises Log Collectors, Strata Logging Service can complement your existing setup: you can augment your existing log collection infrastructure with the cloud-based service to expand operational capacity.

Strata Logging Service interacts with several different products. Some products send logs to Strata Logging Service, while others use it to view and analyze the log data.

Integrating PAN Strata into Hunters allows the collection and ingestion of key data types into the data lake. Furthermore, alerts will be created over the logs, auto-investigated, and correlated to other related signals.

Strata Logging Service

Supported data types

PAN Firewall Threat Strata Logs

Overview

Table name: pan_firewall_threat

PAN Firewall Threat Strata Logs are security event records generated by Palo Alto Networks' Next-Generation Firewall (NGFW) platform, part of the Strata product line. These logs capture detailed information about malicious activity detected in network traffic, including exploits, malware, spyware, and command-and-control communications. By inspecting and analyzing data at the application and content level, Threat Strata Logs enable precise threat identification and policy enforcement across the network. The logs integrate seamlessly with Hunters’ SIEM and threat intelligence platform, supporting real-time visibility, forensic investigations, and incident response. With granular insights and customizable logging policies, PAN Firewall Threat Strata Logs empower organizations to detect, block, and remediate advanced threats while maintaining robust network security.

Send data to Hunters

PAN Firewall Threat Strata Logs

To connect PAN Firewall Threat Strata Logs:

  1. Please follow these:

    📘Note

    When performing the last part of the process (Provide information to Hunters), follow these steps:

    1. Navigate to Data > Data Sources, and then click + Connect Data Sources.

    2. Search for Palo Alto Networks and click Connect.

    3. From the side-menu, click + More Integrations and then select PAN VIA S3 LIST → PAN Firewall Threat Decoded Strata By Snappy.


    📘Note

    When setting up the connection on the Hunters platform, in the Bucket name field insert the Storage path provided in the Cortex console, without the gs:// prefix.

    For example, if the storage path value on your PAN Firewall GlobalProtect console is:

    gs://pan-strata-de-abcdefghijk-event-forwarding

    then you should enter

    pan-strata-de-abcdefghijk-event-forwarding

    into the Bucket name field on the Hunters portal.

Expected format

Logs are expected in JSON format.

{"TimeReceived":"2025-05-29T05:27:26.000000Z","DeviceSN":"no-serial","LogType":"THREAT","Subtype":"spyware","ConfigVersion":"10.2","TimeGenerated":"2025-05-29T05:27:14.000000Z","SourceAddress":"10.10.161.97","DestinationAddress":"10.10.161.1","NATSource":"","NATDestination":"","Rule":"Mobile users - internal dns ping - no log","SourceUser":"matone\\aalderweireldt","DestinationUser":null,"Application":"dns-base","VirtualLocation":"vsys1","FromZone":"trust","ToZone":"trust","InboundInterface":"tunnel.1","OutboundInterface":"tunnel.1","LogSetting":"Log_only_threats_to_panorama","SessionID":1606508,"RepeatCount":1,"SourcePort":52982,"DestinationPort":53,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"udp","Action":"alert","FileName":"www.tr.news","ThreatID":"Parked:tr.news(109010003)","VendorSeverity":"Informational","DirectionOfAttack":"client to server","SequenceNo":7487050375535530027,"SourceLocation":"Materialise-Leuven","DestinationLocation":"Materialise-Leuven","PacketID":0,"FileHash":null,"ApplianceOrCloud":null,"URLCounter":0,"FileType":null,"SenderEmail":null,"EmailSubject":null,"RecipientEmail":null,"ReportID":0,"DGHierarchyLevel1":302,"DGHierarchyLevel2":0,"DGHierarchyLevel3":0,"DGHierarchyLevel4":0,"VirtualSystemName":"","DeviceName":"GP cloud service","SourceUUID":null,"DestinationUUID":null,"IMSI":0,"IMEI":null,"ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","ThreatCategory":"dns-parked","ContentVersion":"0","SigFlags":"0x0","RuleUUID":"8cb7fe52-dc38-41f8-86d9-4ec972fdaa58","HTTP2Connection":0,"DynamicUserGroupName":null,"X-Forwarded-ForIP":null,"SourceDeviceCategory":null,"SourceDeviceProfile":null,"SourceDeviceModel":null,"SourceDeviceVendor":null,"SourceDeviceOSFamily":null,"SourceDeviceOSVersion":null,"SourceDeviceHost":null,"SourceDeviceMac":null,"DestinationDeviceCategory":null,"DestinationDeviceProfile":null,"DestinationDeviceModel":null,"DestinationDeviceVendor":null,"DestinationDeviceOSFamily":null,"DestinationDeviceOSVersion":null,"DestinationDeviceHost":null,"DestinationDeviceMac":null,"ContainerID":null,"ContainerNameSpace":null,"ContainerName":null,"SourceEDL":"edl-matone-users-vpn","DestinationEDL":null,"HostID":null,"EndpointSerialNumber":null,"DomainEDL":null,"SourceDynamicAddressGroup":null,"DestinationDynamicAddressGroup":null,"PartialHash":0,"TimeGeneratedHighResolution":"2025-05-29T05:27:14.983000Z","NSSAINetworkSliceType":null}

PAN Firewall Global Protect Strata Logs

Overview

Table name: pan_firewall_globalprotect

PAN Firewall GlobalProtect Strata Logs are security and connectivity logs generated by Palo Alto Networks' GlobalProtect VPN, integrated within the Strata firewall platform. These logs provide detailed visibility into remote user activity, authentication events, tunnel establishment, and endpoint posture assessments. By recording events such as successful and failed VPN connections, gateway selection, user login attempts, and compliance status, GlobalProtect logs help organizations monitor secure access to internal resources. They also support correlation with threat and traffic logs for enhanced context during incident investigations. With native integration into Hunters' centralized SIEM platform, GlobalProtect Strata Logs enable security teams to enforce access policies, detect anomalies in remote access behavior, and ensure a secure hybrid work environment.

Send data to Hunters

Hunters supports the collection of PAN Firewall Global Protect Strata Logs using S3-LIST.

To connect PAN Firewall Global Protect Strata Alerts:

  1. Navigate to Data > Data Sources, and then click + Connect Data Sources.

  2. Search for Palo Alto Networks and click Connect.

  3. From the side-menu, click + More Integrations and then select PAN VIA S3 LIST → PAN Firewall Threat Decoded Strata By Snappy.

  4. Provide the information you’ve acquired from the PAN GlobalProtect bucket and complete the connection process.

📘Note

When setting up the connection on the Hunters platform, in the Bucket name field insert the Storage path provided in the Cortex console, without the gs:// prefix.

For example, if the storage path value on your PAN Firewall GlobalProtect console is:

gs://pan-strata-de-abcdefghijk-event-forwarding

then you should enter

pan-strata-de-abcdefghijk-event-forwarding

into the Bucket name field on the Hunters portal.

Expected format

Logs are expected in JSON format.

{"TimeReceived":"2025-05-29T01:35:58.000000Z","DeviceSN":"no-serial","LogType":"GLOBALPROTECT","Subtype":"globalprotect","LogSubtype":"globalprotect","ConfigVersion":"10.2","TimeGenerated":"2025-05-29T01:35:45.000000Z","VirtualSystem":"vsys1","EventIDValue":"gateway-tunnel-latency","Stage":"tunnel","AuthMethod":null,"TunnelType":null,"SourceUserName":"nikafifsholihi.rohaidi@materialise.com.my","SourceRegion":"MY","EndpointDeviceName":"KLUL-7JW0BG3","PublicIPv4":"202.186.93.7","PublicIPv6":"","PrivateIPv4":"202.186.93.7","PrivateIPv6":"","HostID":"a95e03bf-7e43-4acc-ae6b-e7907b2bbcf4","EndpointSN":"7JW0BG3","GlobalProtectClientVersion":"5.1.7","EndpointOSType":"any","EndpointOSVersion":null,"RepeatCount":1,"CountOfRepeats":1,"QuarantineReason":null,"ConnectionError":null,"Description":"Pre-tunnel latency: 36ms, Post-tunnel latency: 1ms","EventStatus":"success","GlobalProtectGatewayLocation":null,"LoginDuration":0,"ConnectionMethod":null,"ConnectionErrorID":0,"Portal":"GlobalProtect_External_Gateway","SequenceNo":7486897122491977975,"TimeGeneratedHighResolution":"2025-05-29T01:35:45.193000Z","GatewaySelectionType":"","SSLResponseTime":-1,"GatewayPriority":null,"AttemptedGateways":null,"Gateway":null,"DGHierarchyLevel1":302,"DGHierarchyLevel2":0,"DGHierarchyLevel3":0,"DGHierarchyLevel4":0,"VirtualSystemName":"","DeviceName":"GPGW_1563464_ap-southeast-1_mat","VirtualSystemID":1}

PAN Firewall Traffic Strata Logs

Overview

Table name: pan_firewall_traffic

PAN Firewall Traffic Strata Logs are foundational records generated by Palo Alto Networks' Strata firewalls that document the flow of network sessions across the enterprise. Unlike threat or system logs, Traffic Logs focus on permitted and denied connections, capturing essential metadata such as source and destination IPs, ports, applications, zones, user identities, session durations, and bytes transferred. These logs provide a comprehensive baseline for understanding normal versus anomalous traffic behavior, supporting both performance monitoring and security auditing.

By offering rich visibility into application-layer traffic, regardless of port or protocol, Traffic Strata Logs help organizations enforce granular policy controls, validate segmentation strategies, and identify shadow IT or misconfigurations. When combined with threat and URL logs, they provide full context for incident investigation. Seamless export to Hunters’ SIEM ensures scalable monitoring, making Traffic Strata Logs a cornerstone for both proactive security and operational oversight.

Send data to Hunters

Hunters supports the collection of PAN Firewall Traffic Strata Logs using S3-LIST.

To connect PAN Firewall Traffic logs:

  1. Navigate to Data > Data Sources, and then click + Connect Data Sources.

  2. Search for Palo Alto Networks and click Connect.

  3. From the side-menu, click + More Integrations and then select PAN VIA S3 LIST → PAN Firewall Traffic Decoded Strata By Snappy.

📘Note

When setting up the connection on the Hunters platform, in the Bucket name field insert the Storage path provided in the Cortex console, without the gs:// prefix.

For example, if the storage path value on your PAN Firewall GlobalProtect console is:

gs://pan-strata-de-abcdefghijk-event-forwarding

then you should enter

pan-strata-de-abcdefghijk-event-forwarding

into the Bucket name field on the Hunters portal.

Expected format

Logs are expected in JSON format.

{"TimeReceived":"2025-05-29T04:04:36.000000Z","DeviceSN":"no-serial","LogType":"TRAFFIC","Subtype":"end","ConfigVersion":"10.2","TimeGenerated":"2025-05-29T04:04:29.000000Z","SourceAddress":"10.10.161.97","DestinationAddress":"48.209.164.47","NATSource":"208.127.123.5","NATDestination":"48.209.164.47","Rule":"Mobile users - internet access apps full check","SourceUser":"matone\\aalderweireldt","DestinationUser":null,"Application":"ssl","VirtualLocation":"vsys1","FromZone":"trust","ToZone":"untrust","InboundInterface":"tunnel.1","OutboundInterface":"ethernet1/1","LogSetting":"Log_To_Cortex","SessionID":288188,"RepeatCount":1,"SourcePort":57949,"DestinationPort":443,"NATSourcePort":29843,"NATDestinationPort":443,"Protocol":"tcp","Action":"allow","Bytes":14629,"BytesSent":4629,"BytesReceived":10000,"PacketsTotal":34,"SessionStartTime":"2025-05-29T04:04:09.000000Z","SessionDuration":0,"URLCategory":"computer-and-internet-info","SequenceNo":7487050375595088135,"SourceLocation":"Materialise-Leuven","DestinationLocation":"EU","PacketsSent":17,"PacketsReceived":17,"SessionEndReason":"tcp-fin","DGHierarchyLevel1":302,"DGHierarchyLevel2":0,"DGHierarchyLevel3":0,"DGHierarchyLevel4":0,"VirtualSystemName":"","DeviceName":"GP cloud service","ActionSource":"from-policy","SourceUUID":null,"DestinationUUID":null,"IMSI":0,"IMEI":null,"ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","EndpointAssociationID":72057594037927936,"ChunksTotal":0,"ChunksSent":0,"ChunksReceived":0,"RuleUUID":"8df4b318-272b-4b52-8ce5-2e93632f2021","HTTP2Connection":0,"LinkChangeCount":0,"SDWANPolicyName":null,"LinkSwitches":null,"SDWANCluster":null,"SDWANDeviceType":null,"SDWANClusterType":null,"SDWANSite":null,"DynamicUserGroupName":null,"X-Forwarded-ForIP":null,"SourceDeviceCategory":null,"SourceDeviceProfile":null,"SourceDeviceModel":null,"SourceDeviceVendor":null,"SourceDeviceOSFamily":null,"SourceDeviceOSVersion":null,"SourceDeviceHost":null,"SourceDeviceMac":null,"DestinationDeviceCategory":null,"DestinationDeviceProfile":null,"DestinationDeviceModel":null,"DestinationDeviceVendor":null,"DestinationDeviceOSFamily":null,"DestinationDeviceOSVersion":null,"DestinationDeviceHost":null,"DestinationDeviceMac":null,"ContainerID":null,"ContainerNameSpace":null,"ContainerName":null,"SourceEDL":null,"DestinationEDL":null,"GPHostID":null,"EndpointSerialNumber":null,"SourceDynamicAddressGroup":null,"DestinationDynamicAddressGroup":null,"HASessionOwner":null,"TimeGeneratedHighResolution":"2025-05-29T04:04:29.590000Z","NSSAINetworkSliceType":null,"NSSAINetworkSliceDifferentiator":null}