Configuration Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
---|---|---|---|
Configuration Messages | Base Rule | Configuration | Configuration Modified : System |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | deviceVendor |
N/A | N/A | N/A | deviceProduct |
N/A | N/A | N/A | Version |
N/A | <vmid> | Text/String | LogType |
N/A | N/A | N/A | SubType |
N/A | <severity> | Number | deviceSeverity |
ProfileToken | N/A | N/A | N/A |
dtz | N/A | N/A | N/A |
rt | N/A | N/A | Time the log was received in Cortex Data Lake. This is populated by the platform. |
deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. If the source is a firewall, this is its serial number. If the source is TMS, this is the trapsID. |
PanOSEventTime | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
dusername | N/A | N/A | Username of the administrator performing the configuration. |
dntdom | <domainorigin> | Text/String | Domain to which the admin user belongs. |
duid | <login> | Text/String | The admin user's unique ID. |
PanOSEventDetails | N/A | N/A | Identifies the firewall's configuration prior to and immediately after the configuration change. |
PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
PanOSIsPrismaNetwork | N/A | N/A | If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
PanOSIsPrismaUsers | N/A | N/A | If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
cat | <vendorinfo> | Text/String | The log category. |
PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
PanOSSeverity | N/A | N/A | Severity as defined by the platform. |
PanOSTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
src | <sip> | IP Address | Hostname or IP address of the client. |
cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
cs3Label | N/A | N/A | N/A |
act | <command> | Text/String | Name of the system event. |
duser0 or dusername0 | <account> | Text/String | Name of the user who created the configuration change. |
destinationServiceName | <process> | Text/String | Client used by the administrator who is performing the configuration. |
PanOSEventResult | <result> | Text/String | Result of the configuration action. |
msg | <object> | Text/String | The path of the configuration command issued. |
externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
dvchost | N/A | N/A | Name of the source of the log. If the source is a firewall, this is the device_name value. If the source is TMS, this is either the customer or tenant name. |
PanOSEventDescription | N/A | N/A | Description of the system event. If the source is a firewall, this is opaque. If the source is TMS, this is the msgTextEn field. |
PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH. |
PanOSVendorSeverity | N/A | N/A | Severity associated with the event. |
PanOSTemplate | N/A | N/A | The ID and name of the template/template stack to which the firewall belonged where the log was generated. |
PanOSConfigVersion | N/A | N/A | Config version converted to a string, represented as major.minor.patch.build in the value and as hex in the ID. |
PanOSDeviceGroup | N/A | N/A | The ID and the name of the device group the firewall is in. |
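A small parser that applies the mapping above to one CEF-formatted configuration message, added here as an example; it is not LogRhythm's or Palo Alto Networks' own parsing code. The sample log line is constructed, and the placement of <vmid> in the CEF Signature ID field and <severity> in the last header field is assumed from the LogType and deviceSeverity rows of the table.

```python
import re

# Added example (not LogRhythm's parser): map one CEF-formatted PAN-OS
# configuration message onto the LogRhythm schema names from the table above.
EXT_TO_SCHEMA = {  # CEF extension key -> LogRhythm schema field, per the table
    "deviceExternalId": "serialnumber", "dntdom": "domainorigin", "duid": "login",
    "cat": "vendorinfo", "src": "sip", "act": "command", "duser0": "account",
    "dusername0": "account", "destinationServiceName": "process",
    "PanOSEventResult": "result", "msg": "object",
}
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")  # "name=" at start or after a space
_ESC = {"n": "\n", "r": "\r"}  # other backslash escapes (=, |, backslash) unescape to the char itself

def split_header(line):
    # Return the 7 pipe-delimited header fields (a backslash escapes a pipe) and the rest.
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, line[i:]

def parse_extensions(ext):
    # Split "k=v k2=value with spaces" pairs; a value runs until the next key.
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: _ESC.get(e.group(1), e.group(1)), raw)
    return out

def map_to_schema(line):
    # Map one configuration message to {schema_field: value}. Assumption: the
    # Signature ID field carries <vmid> and the last header field <severity>.
    header, ext = split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    sev = header[6]
    rec = {"vmid": header[4], "severity": int(sev) if sev.isdigit() else sev}
    for key, value in parse_extensions(ext).items():
        if key in EXT_TO_SCHEMA:
            rec[EXT_TO_SCHEMA[key]] = value
    return rec

# Constructed sample message (not real device output).
SAMPLE = ("CEF:0|Palo Alto Networks|Example Product|1.0|CONFIG|config|3|"
          "deviceExternalId=EXAMPLE-SERIAL-001 dntdom=corp duid=jdoe cat=config "
          "src=203.0.113.10 act=set duser0=jdoe destinationServiceName=Web "
          "PanOSEventResult=Succeeded msg=vsys vsys1 rulebase security rules allow\\=all")
```

Calling map_to_schema(SAMPLE) yields the schema-keyed record; the msg value keeps its embedded spaces and the escaped equals sign is restored.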