Vendor Documentation
Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| General System Event | Base Rule | Information | General System Message |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | N/A | N/A | LogType |
| N/A | <vmid> | Text/String | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This is populated by the platform |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. If the source is a firewall, this is its serial number. If the source is TMS, this is the trapsId |
| PanOSConfigVersion | N/A | N/A | Config version converted to a string, represented as major.minor.patch.build in the value and as hex in the id |
| PanOSAgentContentVersion | N/A | N/A | Version of the agent content that is installed on the endpoint |
| PanOSAgentDataCollectionStatus | N/A | N/A | Indicates whether data related to another product (for example, EDR) is being collected by the agent |
| PanOSAgentID | N/A | N/A | Unique identifier for the agent at the endpoint |
| PanOSAgentIsolationStatus | <result> | Text/String | Indicates whether the agent is isolated. Usually, agents are isolated if they have been compromised |
| PanOSAgentStatus | <status> | Text/String | The protection status set for the endpoint |
| PanOSAgentTimeZoneOffset | N/A | N/A | Effective endpoint time zone offset from UTC, in minutes |
| PanOSAgentVersion | N/A | N/A | Version of the agent at the endpoint |
| PanOSEndpointCPUArchitecture | N/A | N/A | The architecture of the OS type that the endpoint is running |
| PanOSEndpointDeviceDomain | N/A | N/A | Domain to which the endpoint belongs |
| PanOSEndpointDeviceName | N/A | N/A | Hostname of the endpoint on which the event was logged |
| PanOSEndpointIPaddress | <dip> | IP Address | IP address of the source of the event |
| PanOSEndpointOSType | N/A | N/A | The operating system on which the endpoint is running |
| PanOSEndpointOSVersion | N/A | N/A | The version of the operating system running on the endpoint |
| PanOSEndpointUserDomain | <domainimpacted> | Text/String | Domain of the user who was logged into the endpoint at the time of the system event |
| PanOSEndpointUserName | <account> | Text/String | The name of the user logged into the endpoint at the time of the system event |
| PanOSEndpointUserUUID | N/A | N/A | The endpoint user's unique ID |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector |
| PanOSIsPrismaNetwork | N/A | N/A | If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise |
| PanOSIsPrismaUsers | N/A | N/A | If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise |
| cat | <vendorinfo> | Text/String | The log category |
| PanOSLogExported | N/A | N/A | Indicates whether this log was exported from the firewall using the firewall's log export function |
| PanOSLogForwarded | N/A | N/A | Indicates whether the log is being forwarded |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data, that is, the system that produced the data |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time zone offset from GMT of the source of the log |
| PanOSSeverity | N/A | N/A | Severity as defined by the platform |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record |
| PanOSVDIEndpoint | N/A | N/A | Indicates whether the endpoint is a virtual desktop infrastructure (VDI). 0—The endpoint is not a VDI, 1—The endpoint is a VDI |
| PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall |
| PanOSEventTime | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall |
| cs3Label | N/A | N/A | N/A |
| act | <action> | Text/String | Name of the system event |
| fname | <object> | Text/String | The component associated with the event. For example, the object from a firewall |
| msg | <subject> | Text/String | Description of the system event |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic |
| dvchost | N/A | N/A | Name of the source of the log. If the source is a firewall, this is the device_name value. If the source is TMS, this is either the customer or tenant name |
| PanOSDeviceGroup | N/A | N/A | The ID and the name of the device group the firewall is in |
| PanOSTemplate | N/A | N/A | The ID and name of the template/template stack to which the firewall belonged when the log was generated |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHHMMSS[.DDDDDD]Z |
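The table above only lists which CEF keys land in which LogRhythm fields; it does not show how a CEF system log line is split into those keys in the first place. The following is an added example, not LogRhythm's or Palo Alto Networks' own parser: it parses the seven pipe-delimited CEF header fields and the space-separated `key=value` extension (honouring the CEF `\|`, `\\`, `\=` escapes that a naive `split()` would break on), then applies only the rows of the table that have both a device key and a LogRhythm schema field. The header severity is placed in `<severity>` as a number per the `deviceSeverity` row; the `<vmid>` row has no device key in the table, so the example does not populate it. The sample log line is constructed for the demonstration, and the function names are this example's own.

```python
import re

# Device key -> LogRhythm schema field, copied from the mapping table above.
# Rows the table marks N/A on the LogRhythm side carry no mapping and are left out.
CEF_KEY_TO_LOGRHYTHM = {
    "deviceExternalId": "serialnumber",
    "PanOSAgentIsolationStatus": "result",
    "PanOSAgentStatus": "status",
    "PanOSEndpointIPaddress": "dip",
    "PanOSEndpointUserDomain": "domainimpacted",
    "PanOSEndpointUserName": "account",
    "cat": "vendorinfo",
    "act": "action",
    "fname": "object",
    "msg": "subject",
}

# Positional names for the seven CEF header fields that precede the extension.
CEF_HEADER_FIELDS = ("cefVersion", "deviceVendor", "deviceProduct",
                     "deviceVersion", "signatureId", "name", "deviceSeverity")

# An extension key starts the line or follows a space; '=' inside values is escaped as '\='.
_EXT_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")
_EXT_ESCAPES = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}


def _split_unescaped(text, sep, maxsplit):
    """Split on `sep` only where it is not part of a backslash escape pair."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep the escape pair intact for later
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape_ext(value):
    """Resolve the CEF extension escapes (\\=, \\\\, \\n, \\r) in a value."""
    return re.sub(r"\\[=\\nr]", lambda m: _EXT_ESCAPES[m.group(0)], value)


def parse_cef(line):
    """Parse one CEF line into its header fields and extension key/value pairs."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_unescaped(line[len("CEF:"):], "|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-delimited fields")
    # Header fields may contain '\|' and '\\'; drop the escaping backslash.
    header = {name: re.sub(r"\\([|\\])", r"\1", val)
              for name, val in zip(CEF_HEADER_FIELDS, parts[:7])}
    ext_text = parts[7].strip()
    extension = {}
    matches = list(_EXT_KEY_RE.finditer(ext_text))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext_text)
        extension[m.group(1)] = _unescape_ext(ext_text[m.end():end])
    return {"header": header, "extension": extension}


def map_to_logrhythm(parsed):
    """Apply the table's device-key mapping; header severity lands in <severity>."""
    out = {}
    for key, value in parsed["extension"].items():
        field = CEF_KEY_TO_LOGRHYTHM.get(key)
        if field:
            out[field] = value
    sev = parsed["header"]["deviceSeverity"]
    if sev.isdigit():                       # the table types deviceSeverity as Number
        out["severity"] = int(sev)
    return out


# Constructed sample line (not a real device export); note the escaped '=' in msg.
SAMPLE = ("CEF:0|Palo Alto Networks|PAN-OS|9.1.0|general|SYSTEM|1|"
          "rt=Jan 01 2024 12:00:00 GMT deviceExternalId=0123456789ABCDE "
          "cat=general act=general msg=Config commit job\\=42 succeeded "
          "dvchost=lab-fw-01 PanOSEndpointUserName=jdoe PanOSEndpointUserDomain=corp "
          "PanOSEndpointIPaddress=10.0.0.5 fname=mgmt")

if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    for field, value in sorted(map_to_logrhythm(parsed).items()):
        print(f"<{field}> = {value!r}")
```

Keys such as `dvchost` or `rt` are parsed but deliberately not emitted, matching the N/A rows of the table; a collector that needs them would extend `CEF_KEY_TO_LOGRHYTHM` rather than the parser. The escape handling matters in practice because `msg` and `fname` routinely carry `=` and `|` characters from commit descriptions and object names.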