Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Authentication Event | Base Rule | Other Audit | General Authentication Event |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | <vmid> | Text/String | LogType |
| N/A | N/A | N/A | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
| PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
| PanOSAuthenticatedUserDomain | <domainorigin> | Text/String | Domain to which the user who is being authenticated belongs. |
| PanOSAuthenticatedUserName | <login> | Text/String | Name of the user who is being authenticated. |
| PanOSAuthenticatedUserUUID | N/A | N/A | Unique identifier assigned to the user who is being authenticated. |
| PanOSClientTypeName | N/A | N/A | Type of client used to complete authentication. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from the Logging Service and also from an on-premise log collector. |
| PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time zone offset from GMT of the source of the log. |
| PanOSRule | N/A | N/A | Name of the security policy rule that the network traffic matched. |
| start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| c6a2 | <sip> | IP Address | Source IPv6 address. |
| c6a2Label | N/A | N/A | N/A |
| c6a3 | <dip> | IP Address | Destination IPv6 address. |
| c6a3Label | N/A | N/A | N/A |
| dusername | N/A | N/A | End user being authenticated. |
| cs2 | N/A | N/A | Normalized version of the username being authenticated (such as appending a domain name to the username). |
| cs2Label | N/A | N/A | N/A |
| fname | N/A | N/A | Name of the object associated with the system event. |
| cs4 | <policy> | Text/String | Policy invoked for authentication before allowing access to a protected resource. |
| cs4Label | N/A | N/A | N/A |
| cnt | N/A | N/A | Number of sessions with the same source IP, destination IP, application, and content/threat type seen during the summary interval. |
| cn2 | N/A | N/A | Unique ID shared across primary authentication and additional (multi-factor) authentication. |
| cn2Label | N/A | N/A | N/A |
| PanOSMFAVendor | N/A | N/A | Vendor providing additional-factor authentication. |
| cs6 | N/A | N/A | Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator. |
| cs6Label | N/A | N/A | N/A |
| cs1 | N/A | N/A | Authentication server used for authentication. |
| cs1Label | N/A | N/A | N/A |
| PanOSAuthenticationDescription | N/A | N/A | Additional authentication information. |
| cs5 | N/A | N/A | Type of client used to complete authentication (such as authentication portal). |
| cs5Label | N/A | N/A | N/A |
| msg | <result> | Text/String | The authentication event that caused the firewall to create this log record. |
| cn1 | N/A | N/A | Indicates the use of primary authentication (1) or additional factors (2, 3). |
| cn1Label | N/A | N/A | N/A |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
| PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| PanOSAuthenticationProtocol | <protname> | Text/String | Indicates the authentication protocol used by the server. For example, PEAP with GTC. |
| PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH |
| PanOSSourceDeviceCategory | N/A | N/A | Category of the device from which the session originated. |
| PanOSSourceDeviceProfile | N/A | N/A | Profile of the device from which the session originated. |
| PanOSSourceDeviceModel | N/A | N/A | Model of the device from which the session originated. |
| PanOSSourceDeviceVendor | N/A | N/A | Vendor of the device from which the session originated. |
| PanOSSourceDeviceOSFamily | N/A | N/A | OS family of the device from which the session originated. |
| PanOSSourceDeviceOSVersion | N/A | N/A | OS version of the device from which the session originated. |
| PanOSSourceDeviceHost | <sname> | Text/String | Hostname of the device from which the session originated. |
| PanOSSourceDeviceMac | <smac> | Text/String | MAC address of the device from which the session originated. |
| PanOSAuthCacheServiceRegion | N/A | N/A | Region where the service is deployed. |
| PanOSUserAgentString | <useragent> | Text/String | The User Agent field specifies the web browser that the user used to access the URL. |
| PanOSSessionID | <session> | Text/String | Identifies the firewall's internal identifier for a specific network session. |
| src | <sip> | IP Address | Original source IP address. |
| dst | <dip> | IP Address | Original destination IP address. |
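The following Python script is an added example, not LogRhythm or Palo Alto Networks code. It parses a CEF-formatted Authentication log (seven pipe-delimited header fields, then a key=value extension with CEF escaping of `=` and `|`) and applies the key-to-schema mapping from the table above, so you can check which values reach the <sip>, <login>, <policy>, <result> and other schema fields and which keys the table leaves unmapped. The two sample records are constructed for illustration; their header values (vendor, product, version, event class ID) are placeholders, and the choice to let an IPv6 address in c6a2/c6a3 override src/dst when both occur is this example's own assumption, not something the table states.

```python
"""Map a CEF-formatted PAN-OS Authentication log onto the LogRhythm schema
fields listed in the mapping table. Added example; not LogRhythm or Palo
Alto Networks code. Sample records are constructed, header values are
placeholders."""
import re

# Extension key -> LogRhythm schema field, taken from the mapping table. Keys
# the table maps to N/A (rt, cs1, cn1, ...) are not carried over. c6a2/c6a3
# are listed after src/dst so an IPv6 address wins when both are present;
# that precedence is an assumption of this example, not stated by the table.
CEF_TO_SCHEMA = {
    "deviceExternalId": "serialnumber",
    "PanOSAuthenticatedUserDomain": "domainorigin",
    "PanOSAuthenticatedUserName": "login",
    "cs4": "policy",
    "msg": "result",
    "PanOSAuthenticationProtocol": "protname",
    "PanOSSourceDeviceHost": "sname",
    "PanOSSourceDeviceMac": "smac",
    "PanOSUserAgentString": "useragent",
    "PanOSSessionID": "session",
    "src": "sip",
    "dst": "dip",
    "c6a2": "sip",
    "c6a3": "dip",
}

HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")

# A key is a run of word characters followed by '=' at the start of the
# extension or after whitespace; an escaped '\=' inside a value never matches.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def split_header(line):
    r"""Split the seven CEF header fields on unescaped '|' (a literal pipe in
    the header is written '\|'); the remainder is the extension string."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    return header, parts[7]


def unescape(value):
    r"""Undo CEF value escaping: '\=' -> '=', '\\' -> '\', '\n' and '\r' ->
    the corresponding control characters."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extension(ext):
    """Parse 'key=value key=value ...' where values may contain spaces."""
    fields = {}
    matches = list(KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    return fields


def to_logrhythm(line):
    """Return (schema_record, unmapped_keys) for one CEF authentication log."""
    header, ext = split_header(line)
    fields = parse_extension(ext)
    sev = header["severity"]
    record = {
        "vmid": header["deviceEventClassId"],            # table: LogType
        "severity": int(sev) if sev.isdigit() else sev,  # table: deviceSeverity
    }
    for key, schema in CEF_TO_SCHEMA.items():
        if fields.get(key):
            record[schema] = fields[key]
    unmapped = sorted(k for k in fields if k not in CEF_TO_SCHEMA)
    return record, unmapped


# Constructed sample records (not real firewall output).
SAMPLE_IPV4 = (
    "CEF:0|Palo Alto Networks|PAN-OS|10.1.0|auth|AUTHENTICATION|3|"
    "rt=1675079225000000 deviceExternalId=001234567890 "
    "PanOSAuthenticatedUserDomain=corp PanOSAuthenticatedUserName=jdoe "
    "cs4=mfa-policy cs4Label=Policy cs1=radius-primary cs1Label=AuthServer "
    "PanOSAuthenticationProtocol=PEAP with GTC cn1=1 cn1Label=FactorNumber "
    "src=10.1.2.3 dst=10.1.0.1 PanOSSessionID=4711 "
    "PanOSUserAgentString=Mozilla/5.0 (X11; Linux x86_64) "
    "msg=authenticated user 'jdoe' via policy\\=mfa-policy"
)
SAMPLE_IPV6 = (
    "CEF:0|Palo Alto Networks|PAN-OS|10.1.0|auth|AUTHENTICATION|5|"
    "deviceExternalId=001234567890 PanOSAuthenticatedUserName=jdoe "
    "c6a2=2001:db8::10 c6a2Label=SourceIPv6 c6a3=2001:db8::1 c6a3Label=DestIPv6 "
    "msg=authentication failed for user 'jdoe'"
)

if __name__ == "__main__":
    for sample in (SAMPLE_IPV4, SAMPLE_IPV6):
        record, unmapped = to_logrhythm(sample)
        print(record)
        print("present but not mapped by the table:", unmapped)
```

The unmapped list is the part worth watching during onboarding: for the first sample it contains cs1 (the authentication server) and cn1 (primary versus additional factor), both of which the table maps to N/A, so an analyst who needs them to distinguish a password failure from an MFA failure will have to extend the mapping rather than expect them in the schema. The `\=` in the last sample value is also deliberate; a parser that splits on every `=` would truncate the <result> text at that point.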