Authentication Event
Vendor Documentation
Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Authentication Event | Base Rule | Other Audit | General Authentication Event |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | <vmid> | Text/String | LogType |
| N/A | N/A | N/A | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
| PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
| PanOSAuthenticatedUserDomain | <domainorigin> | Text/String | Domain to which the user who is being authenticated belongs. |
| PanOSAuthenticatedUserName | <login> | Text/String | Name of the user who is being authenticated. |
| PanOSAuthenticatedUserUUID | N/A | N/A | Unique identifier assigned to the user who is being authenticated. |
| PanOSClientTypeName | N/A | N/A | Type of client used to complete authentication. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from the Logging Service and also from an on-premise log collector. |
| PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
| PanOSRule | N/A | N/A | Name of the security policy rule that the network traffic matched. |
| start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| c6a2 | <sip> | IP Address | Source IPv6 Address |
| c6a2Label | N/A | N/A | N/A |
| c6a3 | <dip> | IP Address | Destination IPv6 Address |
| c6a3Label | N/A | N/A | N/A |
| dusername | N/A | N/A | End user being authenticated. |
| cs2 | N/A | N/A | Normalized version of the username being authenticated (such as appending a domain name to the username). |
| cs2Label | N/A | N/A | N/A |
| fname | N/A | N/A | Name of the object associated with the system event. |
| cs4 | <policy> | Text/String | Policy invoked for authentication before allowing access to a protected resource. |
| cs4Label | N/A | N/A | N/A |
| cnt | N/A | N/A | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
| cn2 | N/A | N/A | Unique ID given across primary authentication and additional (multi-factor) authentication. |
| cn2Label | N/A | N/A | N/A |
| PanOSMFAVendor | N/A | N/A | Vendor providing additional factor authentication. |
| cs6 | N/A | N/A | Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator. |
| cs6Label | N/A | N/A | N/A |
| cs1 | N/A | N/A | Authentication server used for authentication. |
| cs1Label | N/A | N/A | N/A |
| PanOSAuthenticationDescription | N/A | N/A | Additional authentication information. |
| cs5 | N/A | N/A | Type of client used to complete authentication (such as authentication portal). |
| cs5Label | N/A | N/A | N/A |
| msg | <result> | Text/String | The authentication event that caused the firewall to create this log record. |
| cn1 | N/A | N/A | Indicates the use of primary authentication (1) or additional factors (2, 3). |
| cn1Label | N/A | N/A | N/A |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
| PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| PanOSAuthenticationProtocol | <protname> | Text/String | Indicates the authentication protocol used by the server. For example, PEAP with GTC. |
| PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH |
| PanOSSourceDeviceCategory | N/A | N/A | Category of the device from which the session originated. |
| PanOSSourceDeviceProfile | N/A | N/A | Profile of the device from which the session originated. |
| PanOSSourceDeviceModel | N/A | N/A | Model of the device from which the session originated. |
| PanOSSourceDeviceVendor | N/A | N/A | Vendor of the device from which the session originated. |
| PanOSSourceDeviceOSFamily | N/A | N/A | OS family of the device from which the session originated. |
| PanOSSourceDeviceOSVersion | N/A | N/A | OS version of the device from which the session originated. |
| PanOSSourceDeviceHost | <sname> | Text/String | Hostname of the device from which the session originated. |
| PanOSSourceDeviceMac | <smac> | Text/String | MAC Address of the device from which the session originated. |
| PanOSAuthCacheServiceRegion | N/A | N/A | Region where the service is deployed. |
| PanOSUserAgentString | <useragent> | Text/String | The User Agent field specifies the web browser that the user used to access the URL. |
| PanOSSessionID | <session> | Text/String | Identifies the firewall's internal identifier for a specific network session. |
| src | <sip> | IP Address | Original source IP address. |
| dst | <dip> | IP Address | Original destination IP address. |
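As an added example (not part of this rule page and not LogRhythm's own parser), the following Python splits one CEF-formatted authentication record into its header slots and extension key/value pairs and fills the LogRhythm schema fields the table above maps (`<vmid>`, `<severity>`, `<serialnumber>`, `<login>`, `<sip>`, `<policy>`, `<result>` and so on). Assumptions: header slots follow the order the table lists them, `src`/`dst` take precedence over `c6a2`/`c6a3` when both are present, and the sample record is constructed with placeholder header values.

```python
import re

# Extension key -> LogRhythm schema field, copied from the mapping table above.
# src/c6a2 both feed <sip> and dst/c6a3 both feed <dip>; preferring src/dst when
# both appear is an assumption of this example, not something the table states.
EXT_TO_SCHEMA = {
    "deviceExternalId": "serialnumber",
    "PanOSAuthenticatedUserDomain": "domainorigin",
    "PanOSAuthenticatedUserName": "login",
    "src": "sip", "c6a2": "sip",
    "dst": "dip", "c6a3": "dip",
    "cs4": "policy", "msg": "result",
    "PanOSAuthenticationProtocol": "protname",
    "PanOSSourceDeviceHost": "sname", "PanOSSourceDeviceMac": "smac",
    "PanOSUserAgentString": "useragent", "PanOSSessionID": "session",
}
# CEF header slots after "CEF:0", in the order the table lists them (assumed):
# 1 vendor, 2 product, 3 version, 4 LogType, 5 SubType, 6 severity.
HEADER_TO_SCHEMA = {4: "vmid", 6: "severity"}
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def split_header(line):
    """Split the '|'-delimited CEF header; a literal pipe is escaped as '\\|'."""
    return [p.replace("\\|", "|") for p in re.split(r"(?<!\\)\|", line, maxsplit=7)]

def parse_extension(ext):
    """Parse 'key=value' pairs; values may contain spaces, and '\\=' / '\\\\' are unescaped."""
    out, keys = {}, list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out

def to_logrhythm(line):
    """Return (schema_fields, raw_extension) for one authentication event line."""
    hdr = split_header(line.rstrip("\r\n"))
    if len(hdr) != 8 or not hdr[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields = {name: hdr[pos] for pos, name in HEADER_TO_SCHEMA.items()}
    fields["severity"] = int(fields["severity"])  # the table types <severity> as Number
    ext = parse_extension(hdr[7])
    for key, schema in EXT_TO_SCHEMA.items():
        if key in ext and schema not in fields:  # first listed key wins (src before c6a2)
            fields[schema] = ext[key]
    return fields, ext

# Constructed sample record (not a real Cortex Data Lake export); header values are placeholders.
SAMPLE = ("CEF:0|Palo Alto Networks|Cortex Data Lake|1.0|AUTHENTICATION|auth-success|3|"
          "rt=1700000000000000 deviceExternalId=FW-SERIAL-0001 "
          "PanOSAuthenticatedUserDomain=corp PanOSAuthenticatedUserName=jdoe "
          "src=10.0.0.5 dst=10.0.0.10 cs4=mfa-policy cs4Label=Policy "
          "PanOSAuthenticationProtocol=PEAP with GTC cn1=1 cn1Label=AuthFactor "
          "msg=authenticated user jdoe\\=corp PanOSSessionID=12345")
```

Keys that carry a `Label` suffix (`cs4Label`, `cn1Label`) stay in the raw extension dictionary, since the table maps them to no schema field.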