Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Configuration Messages | Base Rule | Configuration | Configuration Modified : System |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | <vmid> | Text/String | LogType |
| N/A | N/A | N/A | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This is populated by the platform. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. If the source is a firewall, this is its serial number. If the source is TMS, this is the trapsID. |
| PanOSEventTime | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| dusername | N/A | N/A | Username of the administrator performing the configuration. |
| dntdom | <domainorigin> | Text/String | Domain to which the admin user belongs. |
| duid | <login> | Text/String | The admin user's unique ID. |
| PanOSEventDetails | N/A | N/A | Identifies the firewall's configuration prior to and immediately after the configuration change. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSIsPrismaNetwork | N/A | N/A | If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| cat | <vendorinfo> | Text/String | The log category. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
| PanOSSeverity | N/A | N/A | Severity as defined by the platform. |
| PanOSTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| src | <sip> | IP Address | Hostname or IP address of the client. |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| act | <command> | Text/String | Name of the system event. |
| duser0 or dusername0 | <account> | Text/String | Name of the user who created the configuration change. |
| destinationServiceName | <process> | Text/String | Client used by the administrator who is performing the configuration. |
| PanOSEventResult | <result> | Text/String | Result of the configuration action. |
| msg | <object> | Text/String | The path of the configuration command issued. |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log. If the source is a firewall, this is the device_name value. If the source is TMS, this is either the customer or tenant name. |
| PanOSEventDescription | N/A | N/A | Description of the system event. If the source is a firewall, this is opaque. If the source is TMS, this is the msgTextEn field. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH. |
| PanOSVendorSeverity | N/A | N/A | Severity associated with the event. |
| PanOSTemplate | N/A | N/A | The ID and name of the template/template stack to which the firewall belonged where the log was generated. |
| PanOSConfigVersion | N/A | N/A | Config version converted to string represented as major.minor.patch.build in value and as hex in ID. |
| PanOSDeviceGroup | N/A | N/A | The ID and the name of the device group the firewall is in. |
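As an added example (not LogRhythm's or Palo Alto Networks' own parser) of applying the mapping above, the Python below splits the CEF header and extension of a Cortex Data Lake configuration log, renames only the keys the table maps, and drops those listed as N/A. It assumes the header rows follow CEF header order (Signature ID to <vmid>, Severity to <severity>); the sample record is constructed, not a real log.

```python
import re

# CEF extension key -> LogRhythm schema field, transcribed from the mapping table
# above; keys the table lists as N/A have no LogRhythm target and are dropped.
EXTENSION_MAP = {
    "deviceExternalId": "serialnumber", "dntdom": "domainorigin", "duid": "login",
    "cat": "vendorinfo", "src": "sip", "act": "command", "duser0": "account",
    "dusername0": "account", "destinationServiceName": "process",
    "PanOSEventResult": "result", "msg": "object",
}
# CEF header positions (0 = CEF version): Signature ID -> <vmid>, Severity -> <severity>.
HEADER_MAP = {4: "vmid", 6: "severity"}
HEADER_RE = re.compile(r"^CEF:" + r"((?:\\.|[^|\\])*)\|" * 7)  # 7 fields, '\|' allowed
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # an unescaped '=' starts a pair

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)  # '\=' -> '=', '\|' -> '|', '\\' -> '\'

def parse_cef(line):
    """Return (header_fields, raw_extension) or raise on a malformed header."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("malformed CEF header")
    return [unescape(g) for g in m.groups()], line[m.end():]

def parse_extension(ext):
    """Split 'k=v k2=v v2' pairs; values may contain spaces and escaped '='."""
    hits = list(KEY_RE.finditer(ext))
    fields = {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end]).strip()
    return fields

def map_config_log(line):
    """Map one Cortex Data Lake config log to the LogRhythm fields of the table."""
    header, ext = parse_cef(line)
    out = {name: header[pos] for pos, name in HEADER_MAP.items()}
    out["severity"] = int(out["severity"])  # table types deviceSeverity as Number
    for key, value in parse_extension(ext).items():
        if key in EXTENSION_MAP:
            out[EXTENSION_MAP[key]] = value
    return out

# Constructed sample record (not a real log); the msg value carries an escaped '='.
SAMPLE = ("CEF:0|Palo Alto Networks|PAN-OS|10.0|CONFIG|config|3|"
          "deviceExternalId=0000EXAMPLE dusername=ops duser0=ops dntdom=corp duid=ops "
          "src=192.0.2.10 act=edit destinationServiceName=Web PanOSEventResult=Succeeded "
          "cat=general msg=/config/shared/admin-role/entry[@name\\='ro le']")
```

Keys such as dusername, which the table leaves unmapped, do not appear in the output, so a field count below the number of extension pairs is expected rather than a parsing failure.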