https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmQCAS

Risk Calculation Weights

Characteristic              Factor
Evasive                     3
Excessive Bandwidth Use     1
Used by Malware             4
Capable of File Transfer    3
Known Vulnerabilities       3
Tunnels Other Apps          2
Prone to Misuse             2
Pervasive                   1
Total                       19

Risk Assignment

Risk    Range
1       0–3
2       4–6
3       7–9
4       10–13
5       14+

Your example log actually shows which of the risk factors were part of the calculation.

internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing

I believe you would be better served by correlating with DNS records sourced from the original machine, and/or investigating how to have Palo Alto resolve the URL inside the session log. You might actually have that already in the "threat" log entries.
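As an added example (not code from the post or from Palo Alto Networks), the script below recomputes the app risk from the characteristic field of the log fragment quoted above, using the weight and range tables, and checks it against the logged risk field. The field order inside the fragment and the mapping from table labels to the hyphenated names the log uses are assumptions.

```python
import csv
import io

# Weights from the Risk Calculation table, keyed by the names the traffic log
# uses in its "characteristic of app" field (label-to-name mapping assumed).
RISK_WEIGHTS = {
    "evasive": 3, "excessive-bandwidth-use": 1, "used-by-malware": 4,
    "able-to-transfer-file": 3, "has-known-vulnerability": 3,
    "tunnel-other-application": 2, "prone-to-misuse": 2, "pervasive-use": 1,
}
# Risk Assignment table as (lowest score, risk level); 14 and above is risk 5.
RISK_RANGES = [(0, 1), (4, 2), (7, 3), (10, 4), (14, 5)]


def score_to_risk(score):
    """Map a summed weight to the 1-5 risk level of the Risk Assignment table."""
    risk = 1
    for floor, level in RISK_RANGES:
        if score >= floor:
            risk = level
    return risk


def risk_from_characteristics(characteristics):
    """Sum the weights of the listed characteristics; unknown names are an error."""
    unknown = [c for c in characteristics if c not in RISK_WEIGHTS]
    if unknown:
        raise ValueError(f"unknown app characteristics: {unknown}")
    score = sum(RISK_WEIGHTS[c] for c in characteristics)
    return score, score_to_risk(score)


def check_log_fragment(fragment):
    """Parse the quoted-CSV application fields and compare the logged risk with
    the risk recomputed from the characteristic field. Assumed field order:
    subcategory, category, technology, risk, characteristic, container, ..."""
    fields = next(csv.reader(io.StringIO(fragment)))
    logged_risk = int(fields[3])
    characteristics = [c for c in fields[4].split(",") if c]  # may be empty
    score, computed = risk_from_characteristics(characteristics)
    return {"score": score, "computed_risk": computed,
            "logged_risk": logged_risk, "matches": computed == logged_risk}


# The fragment quoted in the post above (constructed input for this example).
SAMPLE = ('internet-utility,general-internet,browser-based,4,'
          '"used-by-malware,able-to-transfer-file,has-known-vulnerability,'
          'tunnel-other-application,pervasive-use",,web-browsing')

if __name__ == "__main__":
    print(check_log_fragment(SAMPLE))  # score 13 -> risk 4, matches the log
```

A mismatch between the recomputed and logged values usually means an updated App-ID content release changed the app's characteristics after the session was logged, which is worth knowing before trusting historical risk values.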