GlobalProtect Status Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| GlobalProtect Status Messages | Base Rule | Other Audit | General Authentication Event |
| Remote Authentication Failure | Sub Rule | Authentication Failure | User Logon Failure |
| Remote Authentication Success | Sub Rule | Authentication Success | User Logon |
| Remote Session Logoff | Sub Rule | Authentication Success | User Logoff |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| deviceVendor | N/A | N/A | CEF header field: device vendor. |
| deviceProduct | N/A | N/A | CEF header field: device product. |
| Version | N/A | N/A | CEF header field: device version. |
| LogType | <vmid> | Text/String | CEF header field: log type. |
| SubType | N/A | N/A | CEF header field: log subtype. |
| deviceSeverity | <severity> | Number | CEF header field: severity. |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| PanOSDeviceSN | N/A | N/A | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
| PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
| start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| PanOSVirtualSystem | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| PanOSEventIDValue | N/A | N/A | The name of the event. |
| PanOSStage | <status> <tag1> | Text/String | Name of the stage in the GlobalProtect connection workflow. |
| PanOSAuthMethod | N/A | N/A | Authentication method used for the GlobalProtect connection. |
| PanOSTunnelType | N/A | N/A | Tunnel type, i.e. SSL or VPN. |
| PanOSSourceUserName | <login> | Text/String | The username that connected. |
| PanOSSourceRegion | N/A | N/A | Region of the Gateway (or User) that connected. |
| PanOSEndpointDeviceName | <sname> | Text/String | Name of the device that the user used for the connection. |
| PanOSPublicIPv4 | <sip> | IP Address | Public IP address (v4) of the user that connected. |
| PanOSPublicIPv6 | <sip> | IP Address | Public IP address (v6) of the user that connected. |
| PanOSPrivateIPv4 | <snatip> | IP Address | Private IP address (v4) of the user that connected. |
| PanOSPrivateIPv6 | <snatip> | IP Address | Private IP address (v6) of the user that connected. |
| PanOSHostID | N/A | N/A | Unique identifier GlobalProtect has assigned to the host. |
| PanOSEndpointSN | N/A | N/A | ID that uniquely identifies the endpoint on which the GlobalProtect client is deployed. |
| PanOSGlobalProtectClientVersion | <version> | Text/String | GlobalProtect client version number. |
| PanOSEndpointOSType | N/A | N/A | OS type of the endpoint on which the GlobalProtect client is deployed. |
| PanOSEndpointOSVersion | N/A | N/A | OS version of the endpoint on which the GlobalProtect client is deployed. |
| PanOSRepeatCount | N/A | N/A | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
| PanOSQuarantineReason | <reason> | Text/String | Quarantine reason. |
| PanOSConnectionError | N/A | N/A | Error information for unsuccessful connection. |
| PanOSDescription | <vendorinfo> | Text/String | Additional information regarding the event. |
| PanOSEventStatus | <result> <tag2> | Text/String | The status (success or failure) of the event. |
| PanOSGlobalProtectGatewayLocation | N/A | N/A | Location of the GlobalProtect gateway. |
| PanOSLoginDuration | <seconds> | Number | Duration for which the connected user was logged on. |
| PanOSConnectionMethod | N/A | N/A | Identifies how the GlobalProtect app connected to the gateway. For example, on-demand or user-logon. |
| PanOSConnectionErrorID | N/A | N/A | Enumeration integer assigned to the connection_error field value. |
| PanOSPortal | N/A | N/A | GlobalProtect portal or gateway that the user connected to. |
| PanOSSequenceNo | <serialnumber> | Number | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH |
| PanOSGatewaySelectionType | N/A | N/A | Gateway selection method, i.e. automatic, preferred or manual. |
| PanOSSSLResponseTime | N/A | N/A | SSL Response Time in milliseconds. |
| PanOSGatewayPriority | N/A | N/A | Priority of gateway, retrieved from portal configuration. |
| PanOSAttemptedGateways | N/A | N/A | String of all gateways that were available and attempted for the client location. Contains gateway name, ssl response time, and priority, separated by a semicolon. |
| PanOSGateway | N/A | N/A | Selected Gateway for the connection. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| PanOSDeviceName | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
| PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
| PanOSIsPrismaNetworks | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
| sntdom | <domainorigin> | Text/String | Domain to which the Source User belongs. |
| suser/susername | <login> | Text/String | The Source User. That is, the username that initiated the network traffic. |
| suid, duid | N/A | N/A | Unique identifier assigned to the Source User. |
| dntdom | <domainimpacted> | Text/String | Domain to which the destination User belongs. |
| dusername | <account> | Text/String | The Destination User. That is, the username to which the network traffic was destined. |
| shost | <sname> | Text/String | Name of the device that the user used for the connection. |
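As an added, runnable example (not LogRhythm's or Palo Alto Networks' own code), the following Python applies the mapping table above to a few CEF-format GlobalProtect records and classifies each into the sub rules listed under Classification. The sample log lines are constructed for this example, as is the CEF layout they use. The sub-rule criteria (a login or auth stage with a success or failure status, a logout stage for logoff, everything else falling through to the base rule) and the stage names in `AUTH_STAGES` are assumptions: the page lists the rule names and classifications but not their match conditions.

```python
"""Apply the GlobalProtect -> LogRhythm field mapping to CEF records.

Added example: the mapping table rendered as a small CEF parser plus the
sub-rule classification. Sample records and sub-rule criteria are
constructed/assumed, not taken from vendor or LogRhythm documentation.
"""
import re
from typing import Dict, List, Tuple

# Device key -> LogRhythm schema field(s), as in the mapping table.
DEVICE_KEY_TO_SCHEMA = {
    "PanOSStage": ("status", "tag1"),
    "PanOSSourceUserName": ("login",),
    "PanOSEndpointDeviceName": ("sname",),
    "PanOSPublicIPv4": ("sip",),
    "PanOSPublicIPv6": ("sip",),
    "PanOSPrivateIPv4": ("snatip",),
    "PanOSPrivateIPv6": ("snatip",),
    "PanOSGlobalProtectClientVersion": ("version",),
    "PanOSQuarantineReason": ("reason",),
    "PanOSDescription": ("vendorinfo",),
    "PanOSEventStatus": ("result", "tag2"),
    "PanOSLoginDuration": ("seconds",),
    "PanOSSequenceNo": ("serialnumber",),
    "sntdom": ("domainorigin",),
    "suser": ("login",),
    "susername": ("login",),
    "dntdom": ("domainimpacted",),
    "dusername": ("account",),
    "shost": ("sname",),
}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")             # '|' not preceded by '\'
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # 'key=' at a token boundary


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a CEF line into its 7 header fields and an extension dict.

    Extension values may contain spaces: a value runs until the next
    'key=' token, so a literal '=' inside a value must be escaped as
    '\\=' (CEF's own rule) or it would start a new key.
    """
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    header = [p.replace("\\|", "|") for p in parts[:7]]
    ext, fields = parts[7], {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return header, fields


def map_to_schema(line: str) -> Dict[str, object]:
    """Build the LogRhythm-side record for one GlobalProtect log line."""
    header, ext = parse_cef(line)
    rec: Dict[str, object] = {
        "vmid": header[4],                                   # LogType position
        "severity": int(header[6]) if header[6].isdigit() else None,
    }
    for key, value in ext.items():
        for field in DEVICE_KEY_TO_SCHEMA.get(key, ()):
            rec.setdefault(field, value)  # first occurrence in the line wins
    for numeric in ("seconds", "serialnumber"):  # Number-typed schema fields
        if isinstance(rec.get(numeric), str) and rec[numeric].isdigit():
            rec[numeric] = int(rec[numeric])
    return rec


# Assumed sub-rule criteria; the page names the rules but not their conditions.
AUTH_STAGES = {"login", "portal-auth", "gateway-auth"}


def classify(rec: Dict[str, object]) -> str:
    stage = str(rec.get("status", "")).lower()   # PanOSStage -> <status>
    result = str(rec.get("result", "")).lower()  # PanOSEventStatus -> <result>
    if stage == "logout":
        return "Remote Session Logoff"
    if stage in AUTH_STAGES and result == "success":
        return "Remote Authentication Success"
    if stage in AUTH_STAGES and result == "failure":
        return "Remote Authentication Failure"
    return "GlobalProtect Status Messages"        # base rule catches the rest


def classify_logs(lines: List[str]) -> List[Tuple[str, Dict[str, object]]]:
    """Map and classify each line; returns (rule name, schema record) pairs."""
    return [(classify(rec), rec) for rec in map(map_to_schema, lines)]


_HDR = "CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|"
SAMPLE_LOGS = [  # constructed for this example, not captured from a firewall
    _HDR + "3|ProfileToken=abc123 dtz=UTC rt=1705312800000000 PanOSDeviceSN=001901000123 "
    "PanOSStage=login PanOSAuthMethod=LDAP PanOSTunnelType=SSL PanOSSourceUserName=jdoe "
    "PanOSPublicIPv4=203.0.113.5 PanOSPrivateIPv4=10.20.30.40 PanOSEndpointDeviceName=LAPTOP-01 "
    "PanOSGlobalProtectClientVersion=6.1.0 PanOSEventStatus=failure "
    "PanOSDescription=Invalid username or password PanOSLoginDuration=0 "
    "PanOSSequenceNo=7001234 suser=jdoe sntdom=corp shost=LAPTOP-01",
    _HDR + "1|PanOSStage=login PanOSAuthMethod=SAML PanOSSourceUserName=asmith "
    "PanOSPublicIPv4=198.51.100.7 PanOSPrivateIPv4=10.20.30.41 PanOSEventStatus=success "
    "PanOSDescription=Login succeeded PanOSLoginDuration=0 PanOSSequenceNo=7001235 "
    "suser=asmith sntdom=corp shost=DESKTOP-02",
    _HDR + "1|PanOSStage=logout PanOSSourceUserName=asmith PanOSPublicIPv4=198.51.100.7 "
    "PanOSEventStatus=success PanOSDescription=client logout reason\\=user-initiated "
    "PanOSLoginDuration=3625 PanOSSequenceNo=7001299 suser=asmith sntdom=corp",
    _HDR + "1|PanOSStage=connected PanOSTunnelType=SSL PanOSSourceUserName=jdoe "
    "PanOSEventStatus=success PanOSDescription=tunnel established PanOSSequenceNo=7001300",
]

if __name__ == "__main__":
    for rule, rec in classify_logs(SAMPLE_LOGS):
        print(rule, "|", rec.get("login"), rec.get("sip"), rec.get("vendorinfo"))
```

The two things worth noticing when adapting this to real traffic: `PanOSSourceUserName` and `suser` both feed `<login>` (as the table shows), so the first one in the line wins here, and the extension parser relies on CEF's `\=` escaping, so an unescaped `=` inside a description would be mis-read as a new key.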