General System Event
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| General System Event | Base Rule | Information | General System Message |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | N/A | N/A | LogType |
| N/A | <vmid> | Text/String | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This is populated by the platform |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. If the source is a firewall, this is its serial number. If the source is TMS, this is the trapsId |
| PanOSConfigVersion | N/A | N/A | Config version converted to string represented as major.minor.patch.build in value and as hex in id |
| PanOSAgentContentVersion | N/A | N/A | Version of the agent content that is installed on the endpoint |
| PanOSAgentDataCollectionStatus | N/A | N/A | Indicates whether data related to another product (for example, EDR) is being collected by the agent |
| PanOSAgentID | N/A | N/A | Unique identifier for the agent at the endpoint |
| PanOSAgentIsolationStatus | <result> | Text/String | Indicates whether the agent is isolated. Usually, agents are isolated if they have been compromised |
| PanOSAgentStatus | <status> | Text/String | The protection status set for the endpoint |
| PanOSAgentTimeZoneOffset | N/A | N/A | Effective endpoint time zone offset from UTC, in minutes |
| PanOSAgentVersion | N/A | N/A | Version of the agent at the endpoint |
| PanOSEndpointCPUArchitecture | N/A | N/A | The architecture of the OS type that the endpoint is running |
| PanOSEndpointDeviceDomain | N/A | N/A | Domain to which the endpoint belongs |
| PanOSEndpointDeviceName | N/A | N/A | Hostname of the endpoint on which the event was logged |
| PanOSEndpointIPaddress | <dip> | IP Address | IP address of the source of the event |
| PanOSEndpointOSType | N/A | N/A | The operating system on which the endpoint is running |
| PanOSEndpointOSVersion | N/A | N/A | The version of the operating system running on the endpoint |
| PanOSEndpointUserDomain | <domainimpacted> | Text/String | Domain of the user who was logged into the endpoint at the time of the system event |
| PanOSEndpointUserName | <account> | Text/String | The name of the user logged into the endpoint at the time of the system event |
| PanOSEndpointUserUUID | N/A | N/A | The endpoint user's unique ID |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector |
| PanOSIsPrismaNetwork | N/A | N/A | If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise |
| PanOSIsPrismaUsers | N/A | N/A | If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise |
| cat | <vendorinfo> | Text/String | The log category |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function |
| PanOSLogForwarded | N/A | N/A | Indicates if the log is being forwarded |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log |
| PanOSSeverity | N/A | N/A | Severity as defined by the platform |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record |
| PanOSVDIEndpoint | N/A | N/A | Indicates whether the endpoint is a virtual desktop infrastructure (VDI). 0—The endpoint is not a VDI, 1—The endpoint is a VDI |
| PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall |
| PanOSEventTime | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall |
| cs3Label | N/A | N/A | N/A |
| act | <action> | Text/String | Name of the system event |
| fname | <object> | Text/String | The component associated with the event. For example, the object from a firewall |
| msg | <subject> | Text/String | Description of the system event |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic |
| dvchost | N/A | N/A | Name of the source of the log. If the source is a firewall, this is the device_name value. If the source is TMS, this is either the customer or tenant name |
| PanOSDeviceGroup | N/A | N/A | The ID and the name of the device group the firewall is in |
| PanOSTemplate | N/A | N/A | The ID and name of the template/template stack to which the firewall belonged where the log was generated |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHHMMSS[.DDDDDD]Z |